An honest Splunk ES review from a system integrator.
February 22, 2022

ranjit abraham | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

We are a system integrator for Splunk. We introduce Splunk Enterprise Security to our customers as a complete SIEM tool, the kind of tool that can address modern SOC requirements. We try to address the overall security posture of the customer's environment as the business requirement. We also encourage our customers to bring all kinds of data into Splunk, ranging from security data to business data, and actively try to get them signed up for training so that they know how to use the product.
  • Splunk ES comes out with a few correlation searches which cover a lot of data sets. The benefit of using ES over other security tools is that customers can enable a few correlation searches to get maximum coverage.
  • Splunk ES comes with its own built-in investigation tool. This helps the customers drive their SOC workflow end to end, i.e., you can ingest your data, run correlations, run investigations, and also integrate it with third-party tools like SNOW from a single application.
  • Splunk ES introduced a concept called risk-based scores, which is a very interesting concept that allows the SOC team to investigate the highest-priority alerts. This helps in keeping alert fatigue to a minimum.
  • Splunk Enterprise Security relies heavily on data model acceleration for running its correlation searches. It is a very good concept, but for new customers it is quite confusing. It would be nice if there were step-by-step guidelines on how to enable and fine-tune these data models inside the app. For instance, recommend which indexes have to be integrated into each data model, identify which data sets are tagged correctly, etc. For example, if the customer wants to have authentication data: Step 1: collect data from authentication data sources => check. Step 2: are the tags working correctly? => check. Step 3: give recommendations of the ES correlation searches => check. Step 4: enable all the correlation searches and the data models => check. If a workflow like this were present, new customers would find a lot of tasks much easier to achieve instead of relying on professional services.
  • It would be great if ES had a much more polished version of the MITRE coverage dashboard out of the box, so we don't need to rely on the Security Essentials app for finding where we stand on the MITRE framework.
  • Splunk Enterprise Security is a unique product that allows you as the organization to simply run out-of-the-box correlation searches on a large number of data sets and helps you with detecting incidents with ease. The setup is not very complicated, and with assistance from the sales team and professional services you would be able to set up your own SOC team from scratch.
  • The Splunk security team is very well-versed in the security field, and they can provide you with training opportunities and suggestions on how to run your SOC environment and keep you updated with the latest security trends.
  • The Splunk security team also conducts its own investigation into major security breaches and vulnerabilities that come out worldwide, and they release correlation searches and suggestions on a regular basis which can be implemented in your environment free of cost.
Splunk ES, with its well-thought-out risk-based dashboards, has taken the pressure off the SOC teams who were regularly getting alert fatigue going after every other notable event that was being generated. The implementation of risk-based alerting gives the team a good feel for their environment and will help them go after the biggest threats to their environment.
Splunk ES on-premise can be scaled up to meet very large customer requirements. For instance, if the customer has 200+ use cases, it can be enabled easily on-premise using SH clustering. Currently, ES on the cloud does not have an SH cluster option, and it has a limitation of less than 200 for Victoria and less than 60 for Classic cloud stacks. Splunk Cloud ES may not be the best answer for all customers. Before pushing Cloud ES to the customer, a very detailed and in-depth study is required into whether it is viable to push Splunk ES Cloud for the customer.
I personally felt that it is easier to onboard structured data to IBM QRadar compared to Splunk. But when onboarding unstructured data or unknown data, Splunk is king.

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

It is well suited if you have very large data sets that your organization is working with, if you have a SOC team in place, and if you have staff who are willing to attend training and are open to gaining knowledge about the practices. It is not well suited if your organization is very small and you have only a few data sources, as this is an expensive product and you cannot push the product without a lot of data sources.
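The four-step data model readiness workflow the reviewer asks for (data collected, CIM tags firing, data model populated, correlation searches enabled) can be scripted against the Splunk REST search API. The following is an added example, not code from the review or from Splunk; it assumes a management URL in `SPLUNK_URL`, a bearer token in `SPLUNK_TOKEN`, and the constructed `AUTH_INDEXES` list, while the SPL, the `/services/search/jobs/export` endpoint and the `action.correlationsearch.enabled` attribute are real.

```python
"""Readiness checks for the Splunk ES Authentication data model (added example)."""
import json
import os
import urllib.parse
import urllib.request

AUTH_INDEXES = ["wineventlog", "linux_auth"]  # constructed sample values, not from the review

# One SPL search per step of the workflow; {idx} is expanded from AUTH_INDEXES.
CHECKS = {
    "raw_events": "search index IN ({idx}) earliest=-24h | stats count",
    "tagged": "search index IN ({idx}) tag=authentication earliest=-24h | stats count",
    "datamodel": "| tstats summariesonly=true count from datamodel=Authentication where earliest=-24h",
    "enabled_cs": ("| rest /services/saved/searches | search action.correlationsearch.enabled=1 "
                   'disabled=0 search="*datamodel=Authentication*" | stats count'),
}
ORDER = ["raw_events", "tagged", "datamodel", "enabled_cs"]
ADVICE = {
    "raw_events": "no events in the authentication indexes for 24h: check inputs and forwarders",
    "tagged": "events arrive but tag=authentication matches none: check CIM add-ons and eventtypes",
    "datamodel": "tagged events exist but the data model is empty: check acceleration and constraints",
    "enabled_cs": "data model populated but no enabled correlation search reads it: enable ES content",
}

def run_count(spl):
    """Run one search via /services/search/jobs/export and return its 'count' field."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(os.environ["SPLUNK_URL"] + "/services/search/jobs/export", data=body,
                                 headers={"Authorization": "Bearer " + os.environ["SPLUNK_TOKEN"]})
    with urllib.request.urlopen(req, timeout=120) as resp:
        for line in resp:  # export mode streams one JSON object per line
            row = json.loads(line)
            if "result" in row:
                return int(row["result"].get("count", 0))
    return 0

def evaluate(counts):
    """Pure logic: return (ready, first_failing_step, advice, tag_coverage) for the step counts."""
    raw, tagged = counts.get("raw_events", 0), counts.get("tagged", 0)
    coverage = round(tagged / raw, 3) if raw else 0.0  # share of raw events the CIM tag matched
    for step in ORDER:
        if counts.get(step, 0) <= 0:
            return False, step, ADVICE[step], coverage
    return True, None, "Authentication pipeline ready", coverage

if __name__ == "__main__":
    idx = ", ".join(AUTH_INDEXES)
    results = {step: run_count(CHECKS[step].format(idx=idx)) for step in ORDER}
    print(results, evaluate(results))
```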
