We pull in information from cloud resources like AWS and Azure, and we just recently got into GCP. Just pulling data directly from there was a little bit easier than trying to do it from on-prem. We can now do that a little easily.

We have a lot of cases where business units that were not even in Splunk got compromised for whatever reason. We could get security logs from those and import them directly, more quickly, and easily with Splunk Cloud. We have had several use cases directly with that. In our company, we do not monitor logs from laptops. We have had issues with users getting compromised on our laptops. We could get the data logs from there.

I also use it to monitor my universal forwarders so that I can see what versions they are on. We had CVEs coming out on the universal forwarders. We had to replace them. I have dashboards to keep track of our progress as we are migrating and upgrading all those agents.

The biggest, heaviest use of Splunk Cloud Platform for us right now is people going and looking at our firewall logs to find the denies and to find out which firewall is being blocked. We are a medium-sized company. We are so segmented with all the PCI and SOC 2 compliance audits that we have. We have segmented everything. We have so many firewalls that there is always another firewall down the line that is blocking. The firewall team is in there every day and all day long, and then we have other teams that go in there to see if the issue that they are having with their app is a firewall issue or not.

I have done health checks several times now, and those have been very valuable in getting more information about what is going on in my platform. There are also recommendations on what is going on in my environment. Sometimes when it says something, I already know that, and when I explain why, it knows that I am aware of it. It knows that it has to be that way for compliance reasons or there are certain break glass accounts that we have to have in case our Okta is offline. It points out things like that.

One of the things we had to do was find out how much Splunk on-prem was costing us because we had so many different groups. We had the storage group, and then we had the hardware team. The indexers and the search heads were physicals. That was being handled by the data center teams, which bought all the hardware, and then we had the virtual servers. Everything else was virtual. That was still owned by us, which is fine, but then we had storage, so we did not know the full cost. As I am trying to migrate from one data center to another, the teams do not want to buy. They do not want to migrate hardware. They want to buy new hardware, which, of course, is a cost to their department. They are a group but not our group, so we wanted to go to Splunk Cloud. We had to first find out how much the total cost of Splunk was for our company so that we could show that moving to Splunk Cloud was going to save the company money, which it did. It saved at least a million dollars a year. We are oversized in some areas, and we are running pretty close in the other areas. It is saving us money in the long term.

We monitor multiple cloud environments. We have data in multiple clouds. We have AWS, Azure, and GCP, as well as our own on-premise that is technically a cloud or our own personal private cloud. We are a cloud customer for our clients. We are in four different environments. It has been fairly simple to monitor multiple cloud environments using Splunk Cloud Platform. The documentation and the TAs have been updated and tell you which piece is what. You see no difference between a client ID, tenant ID, a secret, a key, and the tokens. That has been very handy. We had an incident where there was an S3 bucket somewhere, and one of our teams was unable to communicate with the Cloud Infrastructure team. It was set up as a file share only instead of another type, which was not available in the TA. That was not an option, so that became a challenge. We had to work with them, and they basically had to rebuild that bucket because you cannot just add it as a function to that bucket. They made a whole new bucket and put the logs in there. That was a challenge, but other than that, it has been very smooth and easy. We have had teams that had incidents. They took all the data and put it into an S3 bucket, and it took that right in.

Splunk Cloud Platform has helped reduce our mean time to resolve because they can get the data in faster. I have even automated things. We have a Python script. I can take CSV files and send them to the endpoint and just pop them with all the data they need to do their evaluations, such as if they went to bad sites. They can see all that information. I can get that in quickly. With on-prem, I could do that, but it had to run through so many hoops because of the PCI requirements that our company has. It is still PCI-compliant, but it is just so much easier to work with. I know we have had mean times of 60 days. We are reducing it to one or two weeks now, so it is getting a lot better.

Splunk Cloud Platform has helped improve our organization’s business resilience. That was something with which I have had issues with the on-prem. I have had issues with an index. It could be a hardware issue, a software issue, or an OS issue. By having Splunk Cloud Platform, everything has been a lot more stable. I do not have as many worries or problems there. I have fewer things. I can even troubleshoot on my side if it is a heavy forwarder. That is on me, but there are a whole lot fewer things to look at and worry about. It took away a lot of headaches.

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, real-time is a touchy word because being real-time means you are indexing directly. There are a few people in my company who have or are allowed real-time access, but it is pretty close. It is pretty much within seconds. You have access to all that data, so it has been handy. I had to explain to the teams how searches work in the background. If you are running a search every 5 minutes, it sounds great, but if there is any kind of delay in the data, you can miss something, so 15 minutes is a little better, but still, you are seeing things within minutes and getting alert about them. We connect to Microsoft Teams and Slack. We are sending things to ServiceNow for the monitoring team. It is 24/7, so if they need something to watch 24/7, there is a group. They are now tied into ServiceNow, so they can get all that data right there in one place for that team, pulling it from different monitoring tools besides Splunk. It is handy to be able to just pop it all in there quickly.

The firewall stuff is huge. Everybody is in there. All day long, people are hitting that dashboard searching for firewall blocks or denies. Sometimes, they access it just to see if it is connecting because we do drop a lot of data. A great thing about Splunk is that we can drop some of the data if we need to when it is ingesting. We do not keep all the connects, but we can see whenever a connection is closed. We can see that the connection had been made successfully and then closed. We are able to see that one way or the other. We can see whether things are being blocked or it is able to connect. That information is handy now. We have a complex network, and there are times when we have routing issues. We can see that there is no route in the logs and say that it is a routing issue. They then bring the network team. The firewall is the front point for all that, but the network team has to work closely.

Just the fact that it is cloud-based is valuable. We are still on the classic one. I am waiting for the VE to come to the GCP. That is where our stack is. It is in GCP. They say it is coming somewhat soon. We will see when that is.

There is the flexibility of not having to manage all the indexes and searches myself. I was doing that with on-prem before. That was quite a bit of work. When you have an issue with an upgrade, you have to upgrade all of that. They are handling that on the backend now. I still have to do my heavy forwarders and my deployment servers, but it is a much lighter load for me on my end as an admin.

For one of the areas I am working on right now, they did an update this week which gave me back something. It was a feature that I have been using, but they took it away last conference. They just gave it back to me now, and I had to go through the setup again to make it work with our Okta. We have had issues with the maintenance windows. Sometimes I get informed about those at the last minute. They are getting better about informing us when they are going to do maintenance, but there were times when they did maintenance, and then I came in the next day and something was broken. They have gotten a lot better about that. I am still working on a couple of issues. They have cases open for them, so they know about them. They are working on them. The communication is getting better. That was an area that had a lot of feedback. I can see that they are accepting the feedback and taking it to heart, which is great.

Some of the Victoria Experience that was rolled out is not yet fully everywhere.

The AI assistant is going to be good, but we are on GCP, so I am worried about how fast it is going to get rolled out and if it is going to be nine months late for the GCP customers or not. That would be a bad thing because that would put a black eye on the whole marketing part of that. The same thing is with the Victoria Experience. They already have a black eye on that one. It has been two years since it came out and they still do not have it on GCP, so they need to get that fixed up. I would like to see the AI assistant feature as it rolls out. That helps with me wanting to roll out ITSI and the O11y suite with them bringing that AI assistant over there. I have teams right now that hit me up. They have been using some kind of AI assistant. We have Microsoft CoPilot. It is allowed in our company now. They tell us not to use ChatGPT right now because it is not approved for whatever reason. I have had some of our people hit me up who are not Splunk users but they have access to some dashboards and want to do a little bit of searching. If they use generic AI to find out how to do a generic Splunk search, it is not going to work in my environment at all. They will wonder why this is not working. That is because the AI does not know our environment. It will be handy to have an AI assistant that knows our environment.

I have been using Splunk Cloud Platform for a year and a half.

It has been quite stable. The fact that we are on GCP has been causing some pain. That is the only thing.

That has been very nice. When we renewed our last contract, we had seen that our long-term storage or archive storage was not enough, so we had increased it. It is nice to have enough visibility. It tells you that you are getting close to over or you are over, so you can see where you are. The new improved monitoring console that just came out has more information in there for that. That to me is even more valuable, so I am happy to see the new console they have released.

For the most part, their technical support has been pretty handy. Sometimes you get someone a little bit newer, and they may ask some basic questions because they do not know our knowledge level. If we are putting a case in, we have already tested steps a, b, and c. We have already tested all those, and we already know. We would not put the case in otherwise. However, in some of the cases, you get in there, and they immediately bump it up to the next level. They can recognize and see quickly that it is a problem, and they are able to bump it up. I like the fact that they are able to do that somewhat quickly and escalate things a little faster than in the past when we were on-prem. With us being on Splunk Cloud, they are able to see the issues faster and verify them faster. I would rate their technical support an eight out of ten. They are doing pretty well.

When it comes to customer service, the only issue we have seen is that they changed the sales team three times in the last two years. That has been frustrating. I meet them all at Splunk conferences, and I feel like half the Splunk people there know who I am because they have been our support team for some reason or another. Their teams are great, but it takes time. There is a transition time for them to get everything moved from one person to another because they have to finish up the team that they were with while adding in the new team that they are moving to. I understand that it takes time, but it is getting frustrating on our side. They can give us at least a year before they switch the team again.

We had used Enterprise Security before, but one team was using Splunk core with their own built-up dashboards and other things. They were not using the Enterprise Security pieces and parts specific to that, so we decided to not use that temporarily, but it might return because whatever they have switched to is not particularly helpful. It is not as helpful as we were hoping.

We worked with a third-party provider. We were in a bit of a hurry to get it done. We were able to do it quickly.

Because we were getting GCP, we were getting help from Google, and they ended up paying for the service provider who was helping us migrate. We paid for it upfront, but then Google paid it back to us as a part of the contract we had with them. The good news was that we were able to get it done quickly, but it was quite a rush to do that. It went fairly smoothly. There were a few blocks, but we were able to migrate.

It took us a full six months to move from on-prem to cloud. Moving the data took me a couple of days, but getting everything fully migrated and tested and making sure that all the teams were fully in there took a full six months, which for our company was pretty much lightning speed. It normally takes two to three years or something like that.

We had a Splunk partner called TekStream.

We are seeing cost efficiencies with the move from on-prem to the cloud. We found out how much on-prem was costing us. It is not just the cost of the storage or the hardware. There is also the cost of the time of those people who do the setups of all that. We definitely saved quite a bit of money.

We have greatly seen an ROI. We have been able to add more and more data that we were dropping before because we did not have the license. We started opening that up. We have some more events from Windows event logs and some more things related to the firewall. We do not have to drop all that. We can bring some of that in now.

We were on ingest. We were on-prem, and when we switched to the cloud, we went to an SVC model, and that has been a huge help. We are now able to ingest more data than before. I was known as Doctor No because I had to say no so many times because we were on an ingest model and we were maxed out. I am not that way anymore. A lot of times, our use cases are one-shot because security needs the data. With our SVC model, we do not worry about it as much. I know that it is saving us huge amounts of money because of the SVC model.

Unfortunately, we did not evaluate any other tools, and that was the issue. We were handed down a tool to use, and that is something that our team did not like, and we have made that very clear. That is why we say that Enterprise Security might come back. We will see.

End-to-end visibility is something that we are working on. I have talked with the Gigamon vendor. We have Gigamon to do packet captures, but we want the metadata from that to come into Splunk so that we have longer retention times at least on some of that metadata. We do not necessarily have the package, and that is okay, but we can at least see the trending of some of the things a little bit longer than we are currently. It gives more visibility to more teams. I have 350 users in my Splunk Cloud Platform. On the network side, we have the network teams with 20 to 30 people looking at things over there, so it gives visibility into more of the organization. That is one of the big benefits. We can see the network layer and then all the way up to the App layer. When we want to get the O11y suite, we already have AppDynamics. We will be integrating that pretty soon. It will probably be the next month when we get that integrated in. The other piece is going to be getting the network cleared up. We are also seeing issues with GCP with some applications that we have migrated there. We will be able to see whether it is a slowdown in the cloud provider or not. Having this visibility and the end-to-end data and being able to correlate it is pretty helpful.

Splunk's unified platform can help consolidate networking, security, and IT observability tools. That is what we are working towards, and that is exactly what we are hoping for. I am hoping to bring in ITSI and the O11y suite. We already have AppDynamics. We are going to be able to pull that in which will start helping with that full visibility, but to fully integrate that, I am going to bring the O11y suite as well because eventually, I see AppDynamics moving in that direction.

I would rate Splunk Cloud Platform a nine out of ten because it is very good. It is pretty stable.

We are onboarding everything on it. We have infrastructure, applications, and network-related things on it.

The availability has improved. There is the ease of upgrades. We are able to show value quicker with some of our add-ons and things like that because of the stability in the base.

It is extremely important to me that Splunk Cloud Platform has end-to-end visibility into our cloud-native environment.

Splunk Cloud Platform has definitely helped reduce our mean time to resolve. It is a little hard to measure. It has at least saved 3% of our time.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. There is ease on resources.

There is definitely the ease of the infrastructure administration. It frees up a lot of time.

I would love to be able to manage my own apps.

I have been using Splunk Cloud Platform for two years.

Stability and scalability have been the main benefits of this solution.

We have had some confusion around some of our requests, but I understand. We have to work through and get proper responses.

We were using on-prem Splunk.

There was a professional service involved. I came into the team right at the time of the cutover. They were pushed into the cloud because things had gotten so out of control on-prem, so we had to clean that up first, and then finish the migration. It was kind of bumpy, but we got through.

We are using AWS. It is managed by Splunk.

We had Aquila as our partner for help with implementation.

We are definitely starting to see an ROI. We have been focused on metrics because we are trying to get very comprehensive and overall monitoring of the environment both from the security standpoint and the infrastructure standpoint.

We have not yet seen any cost efficiencies by switching to Splunk Cloud Platform. We are still maturing it out.

As far as the pricing goes, it was what was expected. It is a premium product. There were no surprises there.

We did not evaluate other solutions. We have always been with Splunk.

We are not monitoring multiple cloud environments, but it seems it would be easy to monitor them.

Overall, I would rate Splunk Cloud Platform an eight out of ten. There is always room for improvement, but it has been good.

We use the Splunk Cloud Platform for phishing correlations, sifting through data loss prevention information in P2, and threat reporting.

The Splunk Cloud Platform has improved our observability. We can see a lot more information both good and bad, but at least we have the information.

It is important that Splunk Cloud Platform has visibility into our cloud-native environments. It comes to observability. And with the visibility, we're able to link, especially with our cloud environment, with Azure the correlations for threat reporting, correlations for account breaches, and correlations for compromised data ex-filtration that's going in and out.

Splunk Cloud Platform has improved our mean time to resolution. It stepped down our investigation times. An investigation that used to take ten minutes is now down to five or six minutes per incident.

It offers real-time threat detection by continuously analyzing incoming logs and correlations. These trigger pre-defined alerts, and any suspicious activity will be reported within five or six minutes.

Splunk Cloud has saved costs through time savings. I can focus that time on other tasks improving productivity.

We saw time to value within the first month of implementing the Splunk Cloud Platform.

Splunk Unified Platform helps consolidate networking, security, and IT observability tools. We're primarily focusing on the security area and building out the correlations. We haven't moved to the infrastructure side yet. That is something we have on our company roadmap.

The most valuable feature is the SPL because without it we wouldn't be able to correlate and build our use cases and manage what we have for our data inside Splunk.

The Splunk Cloud Platform deployment process could be improved to reduce the time required.

I have been using Splunk Cloud Platform for three years.

I have not experienced any downtime with the Splunk Cloud Platform.

Splunk Cloud Platform is highly scalable.

The customer support is quick and helpful.

We had an old SIEM through our MSSP Trustwave and through them, we migrated to Splunk.

We made the switch to Splunk because of the usability, and observability. We can build out the product a lot better. We're able to customize it and mold it to our environment.

The deployment took 30 days to complete.

Trustwave and Splunk helped us implement the Splunk Cloud Platform. I was highly satisfied with Trustwave. They were the ones that sold us on Splunk initially.

We have seen ROI through metrics, data points, observability, and time saved. The observability provides visibility into our environment, allowing us to see real-time events and threats in our network and act on them faster.

The pricing was negotiated through Trustwave and for our first contract in three years, we got a good deal.

I would rate the Splunk Cloud Platform ten out of ten. I'm satisfied with what Splunk offers and where it's going, I see the growth path and am happy with that. Splunk answered a lot of what I would like to see in the platform and shortly they will be implementing those things. The platform is stable, can be accessed from anywhere, is easy to use, provides the information we need, and is super powerful.

We use it for security investigations and alerting.

The most valuable features are reliability and logging. It's in the cloud so it has more stability and easy maintenance.

The support from the Splunk team is generally good, but sometimes, there's a lack of coordination between our account reps and the hands-on technical people. This misalignment can lead to issues with getting what we need done and what is happening.

I have been using it for about two years.

From what I've seen so far, stability has been great.

The actual technical reps we've had have been fair. I'd rate them a seven on a scale from one to ten.

We previously used LogRhythm. We switched to Splunk. It was an on-prem setup, so it was tough to maintain. It wasn't very reliable, and we always had to deal with hardware issues.

I haven't been hands-on with the deployment, but Splunk's deployment has been smooth. We also have Enterprise Security, which has been a little more difficult.

We have not calculated in dollars, but it has definitely saved us time.

We evaluated other options. I wasn't directly involved in all the decision-making processes, but from a user standpoint, it was the cost and the future possibilities of adding SOAR that made Splunk Cloud Platform seem like the best option for us.

I would rate it an eight out of ten, mainly due to the difficulty we've had with the Enterprise Security side.

Our Splunk Cloud Platform centralizes logs from all OT assets, allowing OT business units to request various insights. These insights can include how often assets cycle down, memory storage usage, or data consumption over time. They can then configure dashboards to receive alerts based on these specific metrics.

The biggest benefit I have seen using the platform is the alerts because most of our sites are remote in the middle-of-nowhere deserts. If something goes down, they don't have direct eyes on them. Thanks to Splunk's automated alert that notifies us if something is down, we can quickly respond to it before it affects any other systems.

We do have several cloud environments that we're using because we got the Splunk Cloud Platform last month. We are integrating them all into one location, so we are still determining the ease of monitoring all the cloud environments using the Splunk Cloud Platform. Before having Splunk, it was a huge issue because we had to go to different locations. Having it all in one location under Splunk will make it much better for us.

It is important, especially for our cloud team to have end-to-end visibility into our cloud-native environments through Splunk Cloud Platform. The more visibility we have the better it is.

Splunk Cloud Platform has significantly reduced our mean time to resolve because instead of us having to go out to the site or having somebody on the site tell us a few hours later there is an issue, it could be within minutes now that we can resolve the issue. After all, as soon as it goes down, we get the logs, we get notified, and then we can immediately go in and check it out. So it is a significant amount of time that Splunk is helping us reduce for resolution.

Splunk Cloud Platform's ability to predict, identify, and resolve problems in real time has been huge, especially because our business units are operational technologies. They generate revenue for us. That's how our business stays afloat because we're in the energy sector. So If something goes down or if they want a quick dashboard, the biggest thing we're to be using as well besides the alerts is the dashboards showing how quickly we're remediating vulnerabilities and showing where they are vulnerable. That's going to be huge for the business side and will help us a lot.

Splunk Cloud Platform helps consolidate network security and IT observability tools. The cyber group gets all the alerts, but we can direct it to which person we want to send the alert to. That's good because they can go to IT, which is where we're at, Cyber, which can potentially help fix the problem, and then networking too in case something goes down. That is one of the requests is if an on-site asset goes down, the network team can see why it's off the network. So it's good that it spreads out everywhere, and whoever can help fix it can be on top of it.

Alerts are a huge benefit because we can customize them to each business unit's needs. Splunk automates the process and sends email notifications directly, which saves me time.

The AI features will be a huge improvement for Splunk. Using basic natural language in English instead of writing a regex expression will be helpful. For example, I can tell Splunk AI that I need to get the logs from last week between eight AM and ten PM on a specific asset. Instead of me going in, doing the regex expression, and then having to Google what it is because it's super hard to do sometimes. That is the biggest area for improvement. Hopefully, it will be released soon because that will simplify things for me and non-technical people.

I have been using the Splunk Cloud Platform for one month.

Splunk Cloud Platform is stable.

Splunk Cloud Platform can handle terabytes of data.

The support has always been great for the few times I have used it.

The deployment is super easy. We deployed the Splunk Forwarder file and from there, we have a batch file, a PowerShell file, and it runs in the background. The users don't even know it's being installed.

The implementation was completed in-house.

In regards to a return on investment, the metrics are the biggest thing. Data is everything. The business units enjoy the dashboards that Splunk Cloud presents. And it is quick to present them.

Splunk Cloud Platform fell within our budget so we pulled the trigger and implemented it.

I would rate Splunk Cloud Platform ten out of ten. All the applications I need are readily available in a user-friendly dropdown menu. Exploring them is a breeze, and the platform's speed is impressive.

It's a better pricing model. The main aspect is that we don't have to manage our infrastructure. Since we migrated, we've found we don't have as many outages.

This allows our admins to focus more on the day-to-day onboarding instead of wasting time dealing with outages.

Our organization monitors multiple cloud environments. We monitor AWS. We have other logging platforms that monitor our infrastructure as well.

It's very important for our organization that Splunk Cloud Platform has end-to-end visibility into our cloud-native provider environments. With the increasing changes in technology, being able to consistently get insights into those new data sources in a quick amount of time is everything.

Moreover, we have seen a reduction in our mean lead time to resolve (MTTR). Our enterprise has some of those dashboards for incidents. Splunk is mainly used to resolve those incidents and identify what's wrong. Over year over year, these times are lower. And Splunk has helped with that. There's other operational things that are probably helping too, Splunk plays a big part, so it is helpful.

I like the Splunk Monitor console. I like how Splunk continually updates it with new features. We don't have to do anything on our end, we just get access to that.

Splunk has some good dashboards that show us search or user search activity. There are some things that could cause the environment to go awry, like skip searches or searches that are more intensive.

By being able to identify those, we could reach out to those customers and work with them on improving their standard practice. Since moving to SaaS, we're able to focus more on that.

There's one specific use case I work with. I work with some Splunk experts, and it lacks workload management rules.

It can identify specific dashboards e.g., or all-time searches. When I try to track back to the user, I don't have additional information within those logs to help me know, "This is the dashboard this guy accessed."

Instead of relying on those particular workload management logs, I have to do an investigation that takes time. It takes too much time when it shouldn't.

It's only been a full year so far. We migrated recently.

Stability has been so far, so good. Data is growing, not just for us but for everyone. From what we've seen, it looks like it's handling it accordingly.

We frequently engage with support now since we have a lot of incidents. They consistently ask for feedback on our support cases. We recently had something that was very urgent. Splunk was able to escalate it accordingly and get back to us with a solution. It means a lot to my management.

We've been with Splunk for several years now.

For the cloud, the deployment is easy.

We just have the standard. We download our packages, upload them via the cloud, upload our apps, and use the App Inspect.

Before on-prem, we had some CI/CD pipelines to deploy on-prem. Those change calls lasted up to an hour and a half just to verify the change was successful and that everything was coming in as expected.

Cloud is just uploaded and deployed in a matter of minutes. That's a big plus. It saves us time and a lot of hassle.

We use our valuable time and do not waste effort. We just work on more important things like onboarding new data sources as log data continues to grow.

By being able to have more time to onboard data sources with customers, we provide our company more visibility and value into our entire environment.

I have no major gripes other than some detailed grievances, so I would rate it an eight out of ten.