Splunk FTW... when it's the right fit
June 22, 2022

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review

Overall Satisfaction with Splunk Enterprise Security (ES)

We implement ES for banks, government orgs, and enterprises globally. We have specialised in the banking domains and have customised many use cases for banking-specific use cases in our projects.

Pros
  • Extending capabilities to 3rd-party integrations.
  • Customisation of use cases.
  • Bringing in custom log sources and integrating these into security use cases.
  • High performance, enterprise-grade security analytics at high volumes.

Cons
  • ES on the cloud (SaaS) has too many limitations with platform administration.
  • Supported integrations are not always on par with enterprise support, especially when dependent on 3rd-party proprietary APIs.
  • In later versions, unforeseen glitches seem to show up that have no resolution except a version upgrade. This used to not be the case in prior versions, which were very stable.

Return on investment
  • We have a 100% success rate on all our ES implementations due to the amazing documentation and Splunk enablement on the subject.
  • Our Splunk ES business has grown 100% YoY for the last 3 years.
  • In terms of long-term management and maintenance, ES has been highly stable and predictable, reducing our overhead on a costly services team for ad hoc maintenance work.
Overall scalability of Splunk ES is par excellence. We have implemented solutions in on-prem, cloud, and hybrid mode and have had success in all. There is plenty of room for improvement in the Splunk SaaS offering for ES, and this needs to be addressed before things become difficult for Splunk SaaS customers. Migration from Splunk on-prem to Splunk SaaS is documented and straightforward; however, there is a gap in documentation and SOP for migration from self-hosted cloud deployments to Splunk SaaS for ES.

Securonix does not nearly meet the scale, extensibility, and maturity that Splunk ES offers. However, when looking at the MSP architecture options, Securonix is a much more flexible platform for multi-tenanting. So, Splunk ES for captive SOC platforms and Securonix for MSP/multi-tenant platforms is the go-to approach. QRadar is an excellent option for low-budget, standard SIEM use case customers. However, it cannot match up to the extensibility and customisation that Splunk ES provides, especially for advanced use cases and non-standard data sources.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

  1. ES is best suited when the customer has matured out of the older standard SIEM requirement. It is not the most effective tool for a first-time SIEM requirement (e.g. in organisations where any generic security use cases can be implemented just for a compliance check box).
  2. In extremely complex, multi-site clustering, management of SH clustering for ES has come to light recently. Customers with mature DC-DR multi-site requirements and processes need to set a good SOP for recovery. That said, this is still the best product at scale.

Splunk Enterprise Security (ES) Feature Ratings (out of 10)

Centralized event and log data collection: 10
Correlation: 10
Event and log normalization/management: 8
Deployment flexibility: 8
Integration with Identity and Access Management Tools: 9
Custom dashboards and workspaces: 10
Host and network-based intrusion detection: 8
Log retention: 10
Data integration/API management: 10
Behavioral analytics and baselining: 7
Rules-based and algorithmic detection thresholds: 10
Response orchestration and automation: 9
Reporting and compliance management: 10
Incident indexing/searching: 10