    Splunk Cloud

    Sold by: Splunk 
    Deployed on AWS
    If you are looking for security and operational visibility across your AWS environment including applications, infrastructure and AWS services such as CloudTrail, Config, VPC Flow Logs, and more then Splunk Cloud is the right solution for you.
    4.1

    Overview

    If you're looking for security and operational visibility across your AWS environment - including applications, infrastructure and AWS services such as CloudTrail, Config, VPC Flow Logs, and more - then Splunk Cloud is the right solution for you. Organizations of all sizes leverage Splunk visibility with AWS agility to rapidly troubleshoot applications, ensure security and compliance, and monitor business-critical services in real-time. Splunk Cloud makes it easy to gain end-to-end visibility across your AWS and hybrid environment. Leverage Splunk Cloud with the free Splunk App for AWS to gain critical security, operational and cost optimization insight into your AWS deployment. Whether you're managing applications, infrastructure or a security operations center in the cloud, Splunk delivers Operational Intelligence for a real-time understanding of what's happening across your business and IT so you can make informed decisions. It's easy to get started - and remember - when choosing a product option, match your location and anticipated index volume per day. Splunk Cloud is now FedRAMP authorized: Moderate

    Highlights

    • Collect and index any machine-generated data from virtually any source or location in real time. Just point Splunk Cloud at your data, and it immediately starts collecting and indexing so you can start searching and analyzing.
    • Splunk Cloud offers single-pane-of-glass visibility across on-premise Splunk Enterprise and Splunk Cloud deployments, enabling customers to deploy Splunk as software or SaaS according to their business requirements, while maintaining centralized visibility.
    • Splunk Cloud includes support for Splunk apps and other content. Splunk apps deliver a targeted user experience for different roles, use cases and enterprise technologies. These apps can help you visualize data in new ways or provide pre-defined views of leading technologies such as Linux, Windows, VMware and more.

    Details

    Sold by: Splunk
    Delivery method: Software as a Service (SaaS), deployed on AWS

    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (20)

    Dimension          Description     Cost/12 months
    US - 5GB/Day       Index Volume    $8,100.00/GB
    US - 10GB/Day      Index Volume    $13,800.00/GB
    US - 20GB/Day      Index Volume    $24,000.00/GB
    US - 50GB/Day      Index Volume    $50,000.00/GB
    US - 100GB/Day     Index Volume    $80,000.00/GB
    EMEA - 5GB/Day     Index Volume    $9,315.00/GB
    EMEA - 10GB/Day    Index Volume    $15,870.00/GB
    EMEA - 20GB/Day    Index Volume    $27,600.00/GB
    EMEA - 50GB/Day    Index Volume    $57,500.00/GB
    EMEA - 100GB/Day   Index Volume    $92,000.00/GB

    Custom pricing options

    Request a private offer to receive a custom quote.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Splunk offers a variety of support options to help ensure your success.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    Top 10 in Data Anonymization, Data Security and Governance

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2

    Reviews     Functionality       Ease of use         Customer service    Cost effectiveness
    0 reviews   Insufficient data   Insufficient data   Insufficient data   Insufficient data
    7 reviews   Insufficient data

    Legend: Positive reviews, Mixed reviews, Negative reviews

    Overview

    AI generated from product descriptions

    Real-time Data Collection and Indexing: Collects and indexes machine-generated data from virtually any source or location in real time with immediate search and analysis capabilities.
    Multi-deployment Visibility: Provides single-pane-of-glass visibility across on-premise and cloud deployments, enabling centralized monitoring across hybrid environments.
    AWS Service Integration: Supports integration with AWS services including CloudTrail, Config, and VPC Flow Logs for comprehensive AWS environment monitoring.
    Pre-built Application Support: Includes support for Splunk apps with pre-defined views for leading technologies such as Linux, Windows, and VMware.
    FedRAMP Authorization: Maintains FedRAMP Moderate authorization for compliance with federal security standards.
    Real-time Data Collection and Indexing: Collects and indexes machine-generated data from virtually any source or location in real time with automatic indexing upon data ingestion.
    Complex Event Correlation: Correlates complex events spanning multiple diverse data sources using time-based correlations, transaction-based correlations, sub-searches, lookups, and joins.
    Scalable Data Processing: Scales to collect and index tens of terabytes of data per day with distributed computing architecture.
    High Availability Clustering: Provides clustering technology for availability and fault tolerance across distributed computing environments.
    Machine Data Search and Analysis: Enables searching, analyzing, and visualization of machine data generated by IT systems and technology infrastructure across physical, virtual, and cloud environments.
    Data Routing and Destination Management: Routes data to multiple destinations with capability to deliver specific data to targeted tools while archiving full fidelity data to cost-effective storage.
    Data Optimization and Reduction: Reduces data streams by up to 50% through removal of unused log and metric data.
    Event Processing and Transformation: Processes event data through centralized parsing with capabilities to route, optimize, reformat, and enrich data in flight.
    Role-Based Access Control: Implements role-based access control with support for external authentication via LDAP, Splunk, and OpenID Connect identity providers.
    Real-Time Monitoring and Configuration: Provides GUI-based configuration and testing interface with live data capture and real-time observability pipeline monitoring.

    Contract

    Standard contract
    No
    No
    No

    Customer reviews

    Ratings and reviews

    4.1 out of 5 (62 ratings)
    5 star: 39%
    4 star: 58%
    3 star: 3%
    2 star: 0%
    1 star: 0%
    28 AWS reviews | 34 external reviews
    External reviews are from PeerSpot.
    Aakash LS

    Log monitoring has become faster and root cause analysis improves production issue resolution

    Reviewed on Apr 03, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have experience with Splunk Cloud Platform. We use it for log monitoring, debugging, and various other purposes.

    Since I joined as a software developer, I have been working with Splunk Cloud Platform for around two years. It is the main tool we use during production issues. We monitor it not only in production issues, but also when we move code to UAT, QA, or XPT environments. We first monitor and check Splunk logs to ensure everything is functioning correctly and to identify what is going wrong.

    What is most valuable?

    Splunk Cloud Platform helps in analyzing logs from different services, not just one service, and identifying errors. Especially during production issues, it is our primary platform for understanding where everything goes wrong and determining the root cause. The main feature I appreciate is the Search and Processing Language, which we call SPL. It allows us to query and filter logs efficiently. We can filter by time, whether for a few minutes or hours, and we can filter by various other parameters, such as which user has made the most requests, user-wise breakdowns, specific error patterns, exceptions, or failures. We can use time-based filtering and keyword searches to narrow down on the relevant logs we wish to see at any particular point in time.

    I use the alerting mechanisms present in Splunk Cloud Platform. Without Splunk, we would have to manually go to production logs and search for various things manually, which could be very time-consuming. When we use Splunk, these mechanisms are automated. We only need to change the query sometimes because we search for different mnemonics and different teams. If we adjust the region or the team and then provide the particular keyword we are searching for, this helps us change the logs and see what we really need.

    One unique feature with Splunk Cloud Platform is that it can be used not only for log creation but also for creating dashboards. I have created one dashboard myself for visually representing data. This dashboard checks various clients and services to see how many hits we have seen. I made it as a pie chart, and when we click on one of those sections, we are able to see how many hits that service has received. For that particular service, we can check how many users have contributed to that hit. When we send that visualization to higher management, they make decisions based on what service to focus more on. The decisions matter and vary according to management priorities.

    What needs improvement?

    The Search Processing Language of Splunk Cloud Platform has a steep learning curve. To extract the correct amount of logs needed, you must understand the exact mnemonics. Writing efficient SPL queries requires time to become accustomed to the language. Only after you have a good grasp of the basics of Splunk Cloud Platform and understand how to trace logs will you be able to use it perfectly.

    Handling a large volume of logs requires proper filtering strategies. Logs keep coming in very large quantities, but you need to know how to properly filter them. Proper filtering strategies must be understood and implemented.

    The setup and configuration for Splunk Cloud Platform is complex, especially from a developer perspective. Although it was relatively easy for me, the setup and configuration were handled by the platform team, which had to deal with the complexity in the initial phases.

    Splunk Cloud Platform does not require any maintenance on my end as a developer. We only use it for checking logs. Maintenance is handled by the platform team. Sometimes Splunk experiences downtime for a few minutes, which we are notified about via email, sometimes during weekends. I am not certain what happens during those phases, but as developers, we are unable to use it for that short period of time, sometimes around half an hour during midnight hours on weekends. Otherwise, it functions well.

    For how long have I used the solution?

    I have been using this solution for two years.

    What do I think about the stability of the solution?

    Splunk Cloud Platform has fairly good stability. However, I have noticed that the Show Source feature, which displays detailed versions of logs, sometimes takes a little time. Whenever the system needs to show 100 lines or 1,000 lines, that takes some time usually. When a large number of logs sometimes enter the system, we sometimes see lag. Especially during the Show Source function, when checking the detailed logs of any particular log, I have seen this issue sometimes. Otherwise, everything is fine.

    What do I think about the scalability of the solution?

    Splunk Cloud Platform is quite scalable. All services and event-based streaming, such as Kafka, have all logs flowing through Splunk Cloud Platform. We have seen that it handles this well and is great at scaling to meet our needs.

    How are customer service and support?

    I have not contacted the technical support of Splunk Cloud Platform yet. Even when we are unable to get something resolved, we have our seniors and experts in our team and adjacent teams who help us understand where we are going wrong with the queries and other issues. I have not personally contacted the technical support yet.

    How was the initial setup?

    The initial onboarding process when I first started using Splunk Cloud Platform was not very complex. When Splunk was initially onboarded to the company, I understand that was a complex process. Since I joined, the process has been fairly simple. We just had to submit an access request for a particular mnemonic or for a particular team and we are able to check the logs for that mnemonic once we get access. The approval process is a bit tedious in our organization. We have an approval process for every tool, not only Splunk Cloud Platform. Once you receive approval, you should be good. However, we can only check for that particular team or mnemonic. If we wish to check for other services, we have to submit a request form again, and that goes through several layers of approvals before we are able to see the logs.

    Which other solutions did I evaluate?

    I have not used any alternatives to Splunk Cloud Platform since I joined my organization. We have been using Splunk only for observability and tracking and monitoring. So far there are no other alternatives that we have tried out in our organization.

    What other advice do I have?

    From a developer perspective, I am involved in coding, checking logs, monitoring, observability, and other related tasks. The platform team takes care of the setup and configurations, which is complex initially. The pricing aspect is handled by management and not something I am directly involved in. I would rate this product a 9 out of 10.

    Kalpesh Pawar

    Centralized security monitoring has improved threat detection and automated incident response

    Reviewed on Apr 02, 2026
    Review from a verified AWS customer

    What is our primary use case?

    Splunk Cloud Platform serves as our main use case for centralized security telemetry injection across customer environments with tenant-level index segregation. We also use it for SPL-based correlation plus detection rules, powering our SOC use cases and threat detection workflows. We have integrated it with SOAR and ITSM for automated incident response and lifecycle management.

    In one of our customer environments, we detect brute force login attempts using SPL correlation for failed login spikes plus source IP anomaly. The alert triggers a SOAR playbook to block the IP on the firewall and create ITSM tickets with context. This reduces response time significantly and prevents account compromise at an early stage.

    We also use Splunk Cloud Platform for threat hunting and MITRE ATT&CK mapping, leveraging SPL and ES dashboards across customer environments.

    What is most valuable?

    The best features Splunk Cloud Platform offers for us include Search Processing Language plus the flow relation engine, which enables deep multi-source analysis and real-time threat detection across cloud environments. The real-time monitoring plus alerting automation helps us with continuous KPI tracking with custom alerts and automated actions, improving incident response in our SOC operations.

    Splunk Cloud Platform has positively impacted our organization by achieving 42 to 45% faster detection, threat detection, and response using real-time correlation and automation. We have also improved SOC efficiency with centralized visibility across all customer environments and reduced tools sprawl by consolidating multiple security or monitoring tools into a single platform.

    What needs improvement?

    There are not many things that need to be improved, but Splunk Cloud Platform should have improved multi-tenant role-based access control with granularity to simplify access control across our customers. It also needs faster search performance for large datasets to speed up deep threat investigations.

    We would like more native integrations with cloud and security tools to reduce custom connectors in customer environments. The user interface can be improved as it gives an old-school feeling while using it and can be made more intuitive.

    For how long have I used the solution?

    I have been using Splunk Cloud Platform for three years.

    How are customer service and support?

    As we have the premium plans, the customer support offering is via ticketing system, phone support, and email support on an SLA basis. For critical issues, customer support is strong and very responsive. The 24 by 7 monitoring plus NOC support helps us detect and resolve platform issues proactively in cloud environments. Overall, the support team and technical support engineers are knowledgeable and understand the customer environment very well. The support is very good, and the documentation provided on Splunk Cloud Platform is very helpful.

    What other advice do I have?

    I would like to highlight the main feature that helps our team, which is role-based access control plus index-level segregation, ensuring secure tenant operations in our SOC model.

    Earlier, our analysts manually correlated logs across tools. Now, SPL correlation for ES dashboards provides a unified view, reducing the normal triage time. The auto alerting plus SOAR integration eliminates manual ticket creation and initial investigation steps, streamlining workflow and improving analyst productivity while significantly reducing time per incident.

    Splunk Cloud Platform supports integration with other security tools and platforms in our environment by using native integrations like Syslog APIs to inject data from firewalls, EDR, cloud, and identity platforms. The SOAR and ITSM integrations via webhooks and APIs enable automated incident response and ticketing workflows. It also supports bidirectional integration for enrichment and action, such as blocking IPs and updating cases.

    Splunk Cloud Platform helps with compliance or regulatory requirements in our organization by using centralized log retention plus audit trails to meet compliance requirements. For example, we track user activity and access logs across customer environments. We also have pre-built ES correlation searches and reports mapped to standards like ISO, PCI DSS, helping in audit readiness. The role-based access plus data segregation ensures compliance with multi-tenant security and governance policy, not only for our customers but for our internal organization as well.

    As a SaaS, Splunk Cloud Platform enables scalability by handling growing log volume through auto-scaling indexing as we onboard new customers without making infrastructure changes. The index-level segregation plus role-based access control allows us to easily expand to multi-tenant customers while maintaining data isolation for all customers. Additionally, it supports distributed search and concurrent queries, ensuring performance for SOC operations at scale.

    We manage cost and budgeting for Splunk Cloud Platform as our usage grows by using injection filtering plus cloud tiering to reduce unnecessary data and control license use, which our team handles very well. We also implement index lifecycle policies like the retention of logs and cloud storage to optimize storage costs across multiple customers. The main challenge is injection-based pricing at scale, so we continuously monitor usage and optimize high-volume sources.

    Splunk Cloud Platform helps our team with threat intelligence or sharing across customer environments by allowing us to inject threat intel feeds into Splunk Cloud Platform and correlate them with customer logs using SPL. The shared IoC enrichment plus ES correlation searches enable us to reuse detection across multiple tenants while supporting centralized intel management with controlled sharing, thus improving detection and consistency across all customer environments.

    I recommend that designing data onboarding, index strategy, and role-based access control should be upfront for a scalable multi-tenant architecture. I suggest customers go for this product as you can optimize injection, filtering, normalization, and retention early to control cost as data grows. I also suggest bargaining on prices, as I have seen salespeople negotiate, and you can get the best deal out of that. I would rate this product an 8 overall.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
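    The review above describes a correlation search that flags failed-login spikes per source IP, treats an unfamiliar source as an anomaly, and hands the context to a SOAR playbook and an ITSM ticket. The block below is an added example, not code from the listing, from Splunk, or from the reviewer: it simulates that detection logic in plain Python over constructed syslog-style authentication lines so the sliding-window counting and the ticket context can be read end to end. The log lines, the 198.51.100.0/24 "known egress" network, the five-failures-in-five-minutes threshold and the ticket schema are all assumptions made for the illustration.

```python
"""Simulated failed-login spike correlation per source IP (added example, not Splunk code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (documentation-range IPs, invented users).
SAMPLE_LOGS = """\
2026-04-01T10:00:01Z sshd[101]: Failed password for alice from 203.0.113.5 port 51000
2026-04-01T10:00:03Z sshd[102]: Failed password for alice from 203.0.113.5 port 51001
2026-04-01T10:00:05Z sshd[103]: Failed password for bob from 203.0.113.5 port 51002
2026-04-01T10:00:40Z sshd[104]: Failed password for bob from 203.0.113.5 port 51003
2026-04-01T10:01:10Z sshd[105]: Failed password for carol from 203.0.113.5 port 51004
2026-04-01T10:01:55Z sshd[106]: Failed password for carol from 203.0.113.5 port 51005
2026-04-01T10:02:00Z sshd[107]: Failed password for dave from 198.51.100.7 port 40000
2026-04-01T10:02:10Z sshd[108]: Accepted password for dave from 198.51.100.7 port 40001
2026-04-01T10:00:30Z sshd[109]: Failed password for erin from 192.0.2.9 port 42000
2026-04-01T10:08:30Z sshd[110]: Failed password for erin from 192.0.2.9 port 42001
2026-04-01T10:16:30Z sshd[111]: Failed password for erin from 192.0.2.9 port 42002
2026-04-01T10:03:00Z kernel: unrelated line that the parser must skip
"""

# Constructed allowlist standing in for the organisation's known egress ranges.
KNOWN_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Turn matching auth lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def is_new_source(ip):
    """Source IP anomaly check: true when the address is outside every known range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_SOURCE_NETS)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: alert} for every source with >= threshold failures inside any window.

    A sliding window over the sorted failures per IP keeps the densest window found,
    and the alert records the distinct accounts targeted (more than one hints at spraying).
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                best = {
                    "failures": count,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                    "new_source": is_new_source(ip),
                }
        if best:
            alerts[ip] = best
    return alerts


def build_ticket(ip, alert):
    """Context payload a playbook could attach to a ticket (hypothetical schema)."""
    spraying = len(alert["users"]) > 1
    severity = "high" if alert["new_source"] and spraying else "medium"
    return {
        "title": f"Failed-login spike from {ip}",
        "severity": severity,
        "source_ip": ip,
        "failures_in_window": alert["failures"],
        "accounts_targeted": alert["users"],
        "window": [alert["first_seen"], alert["last_seen"]],
        "recommended_action": "confirm, then block source at the perimeter",
    }


if __name__ == "__main__":
    for src, alert in detect_bruteforce(parse_events(SAMPLE_LOGS)).items():
        print(build_ticket(src, alert))
```

    On the constructed input only 203.0.113.5 trips the rule: six failures against three accounts inside two minutes from an address outside the known ranges, so the ticket comes out as high severity. The 192.0.2.9 failures are spaced eight minutes apart and never reach five in one window, and the single failure from the known 198.51.100.0/24 range is ignored, which is the kind of baseline an SPL search would express with a lookup against an allowlist.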

    Hemanthreddy Vakiti

    Centralized logs have transformed payment issue troubleshooting and now streamline incident resolution

    Reviewed on Apr 02, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I use Splunk Cloud Platform to check logs. As a product developer, whenever I try to make a transaction to see whether it has proceeded smoothly, we check the logs. In logs, we can see from the payload how the message gets generated, which is very useful for us.

    I work as a product developer for Guidewire, an insurance tool, where we mostly face payment-related issues. It follows a check lifecycle where it starts from awaiting submission, requesting, requested, issued, cleared, pending stop, stopped, and everything. We have various check lifecycles. Suppose if a lifecycle is missed and the user is trying to proceed with a transaction starting from awaiting submission and moving directly to issued instead of requesting to issued, we face an illegal state change exception. Without Splunk Cloud Platform logs, we wouldn't know what type of exception we are facing. We help the user after checking the logs as well.

    Recently we faced an issue where we use another software called One-Ink, where most of our process checks get updated to our database. From there, they were doing IP whitelisting where most of the payment-related features were done. IP whitelisting means giving out an IP address only for certain individuals where they can do payment-related changes. When they were doing that, they missed two or three of the IP addresses that were needed to be processed, and we had a global outage for check-related issues. We checked logs to know whether the issue was or how the issue got generated. We had to create a new payload and check it from Splunk Cloud Platform to see whether the payload got generated and the affected claims were resolved.

    Generally, when we face a certain issue, if a check-related transaction will have a public ID generated, for that public ID, we don't have it in the UI. We have to query the database to get the public ID. Public IDs are primary keys and using those primary keys as a substitute, you have to search through our logs.

    What is most valuable?

    Logs can ask which type of log you need to give it, such as a claims pay logger or a state change logger or any other logger as a filter. Then you need to give that public ID and it would give you all the fields that were changed in that specific criteria that you were searching.

    For me, with Splunk Cloud Platform, if you don't give the necessary filtration values, it has its own querying type. If you do not give a proper query or anything for the log to be generated on a primary key, it won't give you the values. It takes too much time and it checks a large number of values. Sometimes it goes more than a million, so that takes a lot of time. However, if you use proper filtration, it takes much less time. It saves our time and we could also pause the values, we could pause the search fields, we could resume the certain fields, we could skip a few fields, and we could check right from the payload whether which messages were generated and how the transaction was proceeded.

    What needs improvement?

    Splunk Cloud Platform holds only three months' worth of data. If you try to search for more than three months or prior to three months, it wouldn't store the values because the data stores a large number of data. I believe that's the limit for us. I believe having flexible memory would ease us because whenever we face an incident, if we want to look for this occurrence or root cause, if it is prior to three months, we wouldn't have proper logs to check.

    I wish it would take a little less time and not search through unnecessary things. Of course, querying depends on the developer's knowledge, but storage is also an issue because I feel memory is not flexible enough. If we try to increase our memory, it will charge us a considerable amount of money.

    For how long have I used the solution?

    I have been using Splunk Cloud Platform for around one year and three months.

    What do I think about the stability of the solution?

    We face occasional downtime issues where when we try to scale up, we face a considerable amount of challenges. If we consider one month, we would face around two to three days of downtime issues.

    What do I think about the scalability of the solution?

    Scalability is a little issue for us because it's not currently adapting to our rightful needs. I believe they should upgrade on their side to match our tempo.

    How are customer service and support?

    I never really reached the customer support, but they provide proper documentation, so all that was required. Mostly our support team takes care of any needs that were needed by us.

    Which solution did I use previously and why did I switch?

    I did not use any solution prior to this because in this project, this was the tool that was working when I started.

    How was the initial setup?

    We picked this tool because it was on top of a line in the market and it suited our specific criteria. We are developers, so it suited and matched our tempo.

    What was our ROI?

    I would say initially, to read Splunk Cloud Platform logs, it would prove very difficult because it is definitely not beginner-friendly. It will take around 15 days to one month to just adapt to what is a log and where you need to find the error because a payload and every logger is a complex form where line by line it will be written, but what that line is, they won't show that. It is definitely not a beginner-friendly tool, but it is definitely the best tool that is available in the market for insurance-related products.

    What's my experience with pricing, setup cost, and licensing?

    Related to the pricing factor, I think it is slightly on the costlier side, but I wouldn't know much because I'm not on the management side. My organization divides developers and management, so we wouldn't know the price for it.

    What other advice do I have?

    Generally, at our morning call, we go through our incident team-wise and assign incidents based on what we can do. Before we can do that, we check whether this is doable or not. We go through the logs and find if any check-related issues or claim-related issues that we face. We go through the logs and first check where the problem is because most of the problems that we faced were related to permission issues, where the user might not have permission and tries to make a few changes when that person doesn't have permission. They face a few errors or issues and cannot log in through certain sites or anything. Splunk Cloud Platform helps us reduce the time and effort through checking the logs. If we didn't have this, we would have checked the history loggers, where it checks and tracks even the person who viewed that particular claim. It would take a considerable amount of time.

    Initially, we were a team of 300 people where our project started with three different teams. Before having this, prior to Splunk Cloud Platform logs, we used to depend mostly on the history loggers where it tracks our history or movement. Any small changes would be tracked down there, but we wouldn't have any sort of search criteria where we cannot search. We would have to manually go through step by step, one column after another, to see who has done what changes. That would prove an issue. After Splunk Cloud Platform was introduced to us, we saved a considerable amount of time. Time is a major factor for us developers.

    Our team started off with 300, and now we are 30 people. We saved a considerable amount of money and resources that are required to hire more people. We started off with a team of more than 300 people and require less than 30 people right now. I think it's over a five year duration where we came to this number, but I think fewer employees are needed because of this, and we spend little effort because logs track everything. It helps us in our day-to-day task.

    Storage is the major issue that we face occasionally because whenever we are trying to solve a root cause issue that is a PRB, we would require a lot of history loggers which would not be available for us. The second issue would be that it is not that scalable. I don't think increasing our storage would cost us a lesser amount, but it would cost us more. I would rate this product an 8 out of 10.

    Dipesh-Bhawsar

    User behavior insights have improved threat detection but complex setup still needs refinement

    Reviewed on Mar 31, 2026
    Review from a verified AWS customer

    What is our primary use case?

    We have an internal solution and we are working for our own enterprise solution. I'm working in Principal Financial Group where we have our in-house security operations center, so we do not have any clients; we are conducting our security monitoring for our own infrastructure.

    Our major focus is on User Behavior Analytics (UBA). We are focusing on integration of all security controls that we have, meaning the log collection from all the security controls and all the servers. The use cases we are focusing on are MITRE framework, phishing, and User Behavior Analytics, UBA.

    What is most valuable?

    UBA is a great application within Splunk Cloud Platform.

    That feature gives us behavioral analytics within the logs, so we do not need to write complex queries. By using UBA, we achieve threat detection without needing complex correlation rules; UBA gives us a perfect output from it.

    The log ingestion is very good, and the visualization part is also very good. I can create multiple dashboards from the logs we are receiving; it is similar to other SIEM solutions.

    What needs improvement?

    Splunk Cloud Platform is good, but sometimes it lags. When I run a very simple query with a perfectly created query in the search bar, it gives a good result, but if I create a very simple query without index and source types, it takes too much time to draw the visuals.

    It is somewhat complex because Splunk Cloud Platform has multiple components like heavy forwarders and indexers. There are multiple integration approaches that we use, for example, syslog and for Windows, it is WMI. For most of the applications, we are using API integration, which is very good, but for syslog and other WMI kind of configurations, first, I need to integrate them so they start sending logs to the heavy forwarders. On heavy forwarders, I have to configure syslog-ng, and there are multiple configuration files that I have to configure for each data source.

    The improvement part is that I have worked on multiple SIEM solutions, starting with RSA NetWitness, QRadar, ArcSight, and Splunk Cloud Platform. All SIEM solutions have the same issues; at the time of POC, the vendors tell us that they have many features, but at the time of implementation, we find minor issues everywhere, from integration to querying logs and deploying configuration files. There are minor issues that need fixing for more operational efficiency.

    For how long have I used the solution?

    I have been working with Splunk Cloud Platform for around one and a half years.

    What do I think about the stability of the solution?

    Splunk Cloud Platform is stable and reliable with no issues, though sometimes minor issues happen; it is not as though the system goes down or anything.

    What do I think about the scalability of the solution?

    The more I scale, the more I have to pay for Splunk Cloud Platform. I have to properly fine-tune the logs, filtering them for what I want to take into Splunk Cloud Platform for security monitoring. Only the logs required for security monitoring should be taken into Splunk Cloud Platform; if we have compliance requirements to just store logs, then Splunk Cloud Platform is not the right platform.

    How are customer service and support?

    I am not that happy, but they provide timely responses. They are available at the time of need; however, there are a few things like issues with log parsing that they will not cover in normal support calls. I needed to create an ODS, On-Demand Service, for those kinds of issues.

    Which other solutions did I evaluate?

    Pricing is too high for Splunk Cloud Platform. Nowadays, people are using the Cribl solution that we host just before Splunk Cloud Platform. From a heavy forwarder, logs go to Cribl, and there is a filter mechanism available in Cribl, so we can only send the events of interest to Splunk Cloud Platform, which reduces our pricing heavily. Otherwise, when collecting logs from devices such as Linux, Windows, and firewalls, we get debug logs as well, and Splunk Cloud Platform charges based on the ingestion: how much data we ingested into Splunk Cloud Platform.

    What other advice do I have?

    We are currently working with Splunk Cloud Platform only. We are exploring machine learning tools, but they are not deployed yet, so there is currently a POC going on.

    Splunk Cloud Platform does what it has to do but nothing extraordinary; it is a simple dashboard application like other SIEM solutions.

    There are multiple support cases because we have a very large architecture of Splunk Cloud Platform. We have eight heavy forwarders and thousands of log sources integrated with Splunk Cloud Platform, so from time to time, I observe issues related to integration, applications, and the internal workings of Splunk Cloud Platform. Thus, we need to raise support cases to troubleshoot those.

    Overall, I would rate this review a 7 out of 10.

    Jigar Hirani

    Cloud analytics has improved security insights and simplifies proactive performance monitoring

    Reviewed on Mar 27, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I use Splunk Cloud Platform as our overall tool to gain insight from our platform, for our security use cases, and to build a framework that shows what is happening in our organization or what is happening in our applications, the current status, or if we are facing any issues with our systems. I ingest various types of logs from different systems to Splunk Cloud from our forwarders and build dashboards and alerts on top of that. My primary use case is to understand our architecture or our overall environment, including what is happening and whether there are any vulnerabilities, or to conduct analysis on our applications. If there are any performance issues, I can learn about them from the dashboards that we have built and can optimize our architecture or overall application performance.

    What is most valuable?

    What I like about Splunk Cloud Platform is that it gives me flexibility and freedom in that I do not need to worry about the actual architecture of Splunk. I do not need to install it anywhere manually, and I only need to worry about what data I need to ingest and how I will create a dashboard on top of that. It provides support so I do not need to worry about the platform. It functions as Software as a Service, so I can directly use it and if I am facing any issue, Splunk support is available to help me anytime.

    I do not have any limitations with Splunk Cloud Platform. I can access it from my own private network or anywhere, and I can access it from the public network as it is on a cloud. That is also a plus point for me.

    In terms of assessing the effectiveness of Splunk Cloud Platform's search capabilities in uncovering operational insights, its storage capability is excellent. Previously, we were managing it at an enterprise level, but it was costly to us because of data redundancy and the availability zones. With Splunk Cloud Platform, we do not need to worry about data backup, which is a very good point.

    The alerts have helped us in proactive issue resolution. If we are currently getting any error, we will get notified in the next 15 minutes or 30 minutes according to the schedule of the search.

    Splunk Cloud Platform's ingest and visualization features have helped improve our data reporting, truly the best available in terms of customizability. We have two options, classic and Dashboard Studio for dashboard purposes. In classic, we get options to build custom dashboards using custom JavaScript. We can insert our own graphics to provide better visuals where insights to our management team will not be dependent on the numerical base. We have charts to showcase our current situation, which will be really great for management.

    In terms of benefits, if we were needing two persons for SAP to analyze if we have any issues, now we just need one person doing multiple tasks. We have built an automation system, or a dashboard, which gives us insight so that we do not need to go and look up every service. Splunk Cloud Platform really impacted our workflow and increased our productivity.

    What needs improvement?

    In Splunk Cloud Platform particularly, there is nothing specific that I would like to see improved or enhanced, but the cost is currently very high. If that part could get a little bit cheaper, then that would be really great.

    In terms of enhancement for Splunk Cloud Platform, I would say if we could create add-ons or if we get the capability to build add-ons directly through cloud, not talking about the add-on builder framework, but something editor-like where we will directly edit our conf files from any specific app or TA provided by Splunk Cloud Platform itself. If we get that feature, it will be really beneficial. Instead of doing configuration from the UI, we would prefer to get access to back-end conf files and do it manually because when we were using enterprise, we had pretty much hands-on experience with that.

    For how long have I used the solution?

    I have been using Splunk Cloud Platform for around two years.

    How are customer service and support?

    I would evaluate customer service and technical support of Splunk as really good. They provide on-call support and they reply to cases that we open, so the support is really good and collaborative.

    Which solution did I use previously and why did I switch?

    We have not previously used a different product. We have tried other tools, but they were very limited to the use cases that we are trying to capture. I chose to go with Splunk Cloud Platform because it has vast capabilities.

    How was the initial setup?

    The initial setup with Splunk Cloud Platform was really straightforward because, as it is a cloud platform, Splunk provided us the complete package where we do not need to worry about our infrastructure or configuration. If we need any help, they are always available, so it was very straightforward.

    What about the implementation team?

    The implementation was done by the Splunk team.

    Which other solutions did I evaluate?

    We evaluated products like Dynatrace or DataDog, which were very specific. They were providing us only observability-specific tasks. However, we have some VML logs or firewall logs for which we would not get that much analysis from those products. That is why we chose to go with Splunk Cloud Platform.

    What other advice do I have?

    We use Splunk default alert actions and we have installed third-party integrations, such as ServiceNow integration, where we are creating ServiceNow incidents or ServiceNow tickets from our alerts.

    The impact of Splunk Cloud Platform's integrations with third-party tools on our daily operations is very helpful for our overall infrastructure monitoring. We have third-party integrations, such as SAP or Dell Boomi. To ensure that our SAP and site integration are running smoothly and none of its API is getting high or something unusual, we can easily detect that instead of going into SAP and analyzing.

    We have our own machine learning logic where we are creating alerts based on our machine learning algorithm. If we are missing any data from the forwarders, then we have a built-in threshold mechanism where if the data from the last seven days is coming around 80 GB, then the next day it should be getting related to that. If we are not getting that, then we will get alerts. I have not particularly used Splunk ML Toolkit.

    From the features perspective, I would say if we were getting calls from back two or three months, I was waiting for the Otel feature in Splunk Cloud Platform. Now we have support of Otel in the current latest Splunk version, so we are planning to upgrade Splunk Cloud Platform to the latest. The feature that I was looking for is now currently available, so I do not have anything specific at the moment.

    In terms of pricing, the cost is high, but we are getting pretty much value out of what we are paying and what should be available to us in the market. In terms of that, it is really good with no question on that.

    My advice to other organizations considering Splunk Cloud Platform is to make sure you use it as much as you can. There is a really big community of Splunk that you can explore to see what data you can ingest. There is a possibility you are already using other services from which you can get logs into Splunk and build analysis on top of that. Do not limit yourself to any specific use cases. I have seen some organizations only ingest specific logs, such as firewall logs or DNS logs. But they have different types of machines and applications running for their infrastructure. They can ingest logs from those as well and build analysis on top of that. There are pre-built add-ons that provide that functionality to them and they do not need to worry about development. So use it as extensively as possible. Overall, I would rate this product a nine out of ten.
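The ingest-volume drop alert this reviewer describes (a seven-day baseline per forwarder, alert when the next day falls well short of it), written out as an added SPL example; it is not the reviewer's or Splunk's own search. It reads the license usage log in `_internal`, where `b` is bytes indexed and `h` the originating host, sums each host's daily volume over the last eight full days, treats the oldest seven as the baseline, and returns hosts whose last full day came in under 50 percent of that average; the 50 percent threshold and the field aliases are constructed for the example, and a host that sent nothing at all still appears because its baseline days carry it through.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-8d@d latest=@d
| eval gb = b / 1024 / 1024 / 1024
| bin _time span=1d
| stats sum(gb) AS daily_gb BY _time, h
| eval is_last_day = if(_time == relative_time(now(), "-1d@d"), 1, 0)
| stats sum(eval(if(is_last_day == 0, daily_gb, 0))) AS baseline_total,
        sum(eval(if(is_last_day == 1, daily_gb, 0))) AS last_day_gb BY h
| eval baseline_avg_gb = round(baseline_total / 7, 2)
| eval drop_ratio = round(last_day_gb / baseline_avg_gb, 2)
| where baseline_avg_gb > 0 AND drop_ratio < 0.5
| rename h AS forwarder_host
| table forwarder_host, baseline_avg_gb, last_day_gb, drop_ratio
```

Saved as a daily scheduled search with a trigger on any result, this gives the "missing data from the forwarders" alert without the ML Toolkit; note that when an indexer squashes per-host license usage above its squash threshold, `h` is blank and the per-host breakdown is no longer reliable.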
