Splunk Enterprise logo

    Splunk Enterprise

    Sold by
    The Splunk Enterprise AMI accelerates the speed at which organizations deploy Splunk Enterprise in AWS..

    Ratings and reviews

    4.3
    497 ratings
    27 AWS reviews
    |
    470 external reviews
    External reviews are from G2  and PeerSpot .

    Filters

    Review type

    AWS Marketplace reviews
    External reviews
    Reviews (497)
    Anveshpudi Anveshpudi

    Centralized monitoring has reduced incident resolution time and improves operational visibility

    Reviewed on Jul 15, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Splunk Enterprise Platform is to monitor and troubleshoot, perform incident analysis, and search and analyze applications and system logs to identify the root cause of issues. I create dashboards to monitor key metrics, configure alerts for critical events, and generate reports for the operation systems.

    A specific example of how I used Splunk Enterprise Platform to solve a problem occurred when users reported intermittent application failures in production. I used Splunk Enterprise Platform to search and correlate application and server logs using SPL. By filtering the logs based on timestamps and error codes, I identified repeated timeout exceptions that were caused by backend services. I created a dashboard to monitor these errors and configured an alert to notify the support team whenever the error count exceeded a threshold. This helped the team detect similar issues proactively and reduce troubleshooting time significantly.

    In addition to troubleshooting and log analysis, I use Splunk Enterprise Platform for real-time monitoring of application and infrastructure, creating dashboards for operational visibility, configuring alerts for critical events, and generating reports for stakeholders. I use SPL to analyze trends, identify recurring issues, and support root cause analysis. Overall, Splunk Enterprise Platform helps me monitor system health, reduce incident resolution time, and improve operational efficiency.

    What is most valuable?

    Splunk Enterprise Platform offers numerous powerful features including powerful log search using SPL, real-time monitoring and alerting, interactive dashboards and visualizations, data indexing and fast search, centralized log management, role-based access control, scalability, and integrations with various data sources. These features help our organization monitor and troubleshoot our systems.

    Out of those features, I find the combination of real-time monitoring and SPL search capabilities the most valuable in my day-to-day work. Real-time monitoring helps me identify issues as soon as they occur, while SPL allows me to quickly filter and analyze large volumes of logs to pinpoint the root cause. This significantly reduces the troubleshooting time. I also rely heavily on dashboards because they provide a clear view of application health, error trends, and system performance in one place. Centralized log management is another key advantage as it brings logs from multiple sources and servers together, eliminating the need to check each system individually. Overall, these features help me resolve incidents faster, improve system reliability, and reduce downtime.

    An additional feature I truly appreciate is the flexibility of Splunk Enterprise Platform. It can ingest data from a wide variety of sources, such as application servers, operating systems, and network devices, and correlate all the information in a single platform.

    What needs improvement?

    In order to improve Splunk Enterprise Platform, there are a few areas that need improvement. The licensing model is based on data ingestion volume and can become expensive as organizations grow. The initial setup and configuration can also be complex for new users.

    I would rate Splunk Enterprise Platform an eight because it is a powerful and reliable platform for centralized log management and real-time monitoring. It significantly improves our troubleshooting times. I did not give it a ten because the licensing costs can be high, the initial setup and administration can be complex, and there is a learning curve for SPL and advanced configurations.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for about two years.

    What do I think about the stability of the solution?

    Splunk Enterprise Platform is stable.

    What do I think about the scalability of the solution?

    Splunk Enterprise Platform is highly scalable. It can handle increasing volumes of machine data by scaling horizontally, such as adding more indexes, search heads, and forwarders as an environment grows. This allows organizations to support more users, onboard additional data sources, and process large amounts of data.

    I do not have direct experience managing Splunk Enterprise Platform at petabyte scale. However, based on my understanding, Splunk Enterprise Platform is designed to scale horizontally by adding indexes and search heads, which allows it to handle very large data volumes. For data sovereignty, it supports role-based access controls, encryption, and various deployment options.

    How are customer service and support?

    My experience with customer support was great.

    Which solution did I use previously and why did I switch?

    I have not previously used a different solution before Splunk Enterprise Platform; we directly adopted Splunk Enterprise Platform.

    How was the initial setup?

    The initial setup and administration can be complex, and there is a learning curve for SPL and advanced configurations.

    What about the implementation team?

    The setup was performed by our in-house team who are highly skilled in working with Splunk Enterprise Platform.

    What was our ROI?

    I definitely see the return on investment. Splunk Enterprise Platform improved our reliability, and the time to investment ratio has been excellent because the time we are spending solving incidents through Splunk Enterprise Platform has been great.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing indicates that the initial setup cost, and when the organization grows, the setup cost might increase significantly. The main costs considering Splunk Enterprise Platform are licensing, infrastructure, and setup. Since licensing is based on data ingestion volume, costs can increase as the organization generates more log data.

    Which other solutions did I evaluate?

    We did not evaluate other options before choosing Splunk Enterprise Platform; we directly chose Splunk Enterprise Platform as our first option.

    What other advice do I have?

    My advice to others looking into using Splunk Enterprise Platform is that if there is an organization which is about to scale to large numbers, I would highly suggest Splunk Enterprise Platform. However, I would ask them to carefully check and ingest valuable data only for cost efficiency. I would rate this recommendation an eight out of ten.

    Koyena Paul

    Centralized security monitoring has transformed our threat detection and incident response

    Reviewed on Jul 15, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My team and I use Splunk Enterprise Platform for security monitoring, including collecting logs from firewalls, endpoints, servers, and cloud platforms, then compliance reporting, such as generating compliance reports for PCI DSS, SOC 2, and GDPR, log management including centralized logs from thousands of devices, infrastructure monitoring which includes monitoring CPU usage, memory utilization, disk space, and application monitoring including tracking application errors and response times, and various other purposes that arise day to day.

    The most critical use case for Splunk Enterprise Platform is security monitoring and threat detection because we can detect cyberattacks in real-time, correlate logs from multiple sources including firewalls, EDR, IDS, IPS, and Active Directory, which enables SOC analysts to identify suspicious activity quickly. For example, about one week ago, an attacker tried to exploit a SharePoint vulnerability where Splunk Enterprise Platform detected multiple POST requests to suspicious SharePoint endpoints, then execution of powershell.exe by the SharePoint service, then the creation of unknown DLL files. We detected that potential SharePoint exploit affecting the server SP Web 01, with indicators including suspicious PowerShell execution, web shell creation, and multiple failed authentication attempts.

    Every day, we use Splunk Enterprise Platform to check security dashboards by logging into the platform and reviewing SOC dashboards for critical alerts, failed login trends, and malware detections, then monitor real-time alerts by continuously watching for alerts such as multiple failed login attempts, privilege escalation, or data exfiltration. When an alert is triggered, we investigate it by searching logs and identifying the affected user or device, and we follow up by reviewing authentication logs and correlating events. Instead of looking at one log source, we correlate multiple sources including VPN logs, DNS logs, and CrowdStrike EDR. We also conduct threat hunting by proactively searching for suspicious behavior when there are no alerts, respond to incidents by creating or updating an incident ticket, inform the incident response team, isolate the affected endpoint, and continue monitoring and generating reports as part of our day-to-day workflow.

    Splunk Enterprise Platform handles massive petabyte-scale environments well, but asserting strict data sovereignty such as complying with localized regulations that prohibit data from crossing borders requires deliberate architectural planning. The strengths I can mention include decoupled storage, and by leveraging smart store, we can separate our high-compute indexer nodes from our storage tier to allow us to scale to multi-petabyte levels without inflating our compute costs and ensures our cold data resides within our approved geographic borders. There is also distributed search, allowing us to query vast quantities of historical data stored in different geographic nodes or sites without needing to centralize all the raw data into one massive physical repository. The challenges we face include the complexity of cross-border queries; while we can keep data locally sovereign, querying datasets across international or inter-regional boundaries can strain bandwidth and increase search latency while relying on distributed federated searches.

    The use of Splunk's Federated Search has evolved from a troubleshooting fix into a deliberate architectural strategy for reducing ingestion costs and managing compliance constraints. Initially, it served as a way to occasionally bridge distinct geographical Splunk Enterprise Platform clusters, but today it acts as an active data fabric layer that queries multi-cloud data lakes and external remote environments in place without moving raw data.

    My experiences with maintaining granular control over data using a trusted control plane within Splunk Enterprise Platform reflect a major architectural shift, moving data governance from a retrospective cleanup activity to an in-flight policy enforcer. In-flight governance at the edge uses a centralized cloud control plane executed locally on-premises or within region-specific infrastructure which allows us to control data before it leaves our boundaries, employing granular filtering, masking, and smart in-flight routing. My experience with provider-level access control for Federated Search involves using granular control to manage data sovereignty; Splunk Enterprise Platform's introduction of provider-level role-based access control enhances our experience and data management capabilities.

    In consideration of new use cases including agentic AI architectures, Splunk Enterprise Platform's governance and RBAC transition from a passive security checklist into active execution guardrails. The crucial role they play in managing access to operational data for these use cases involves limiting the blast radius. An agent utilizes the permissions of the service accounts assigned to it. Strict RBAC ensures an agent designed for network troubleshooting cannot access sensitive HR logs or financial transactions. Governance structures prevent LLMs from scanning unvetted data sources, stopping attackers from using prompt injection to trick an agent into exposing restricted system data. Access to operational data is managed through least privileged service accounts, whereby agents are assigned to highly specialized Splunk Enterprise Platform roles mapped to narrow indexes and limited data models. Real-time data masking using Splunk Enterprise Platform algorithms or ingest-time transformations strips PII and credentials before data hits the index, ensuring agents cannot interact with forbidden raw strings.

    What is most valuable?

    Among the best features that Splunk Enterprise Platform offers are real-time incident monitoring, real-time threat detection, the ability to investigate endpoints, a powerful Search Processing Language (SPL) which allows analysts to search and investigate huge amounts of data quickly, real-time alerts, dashboards, and data visualizations that greatly convert raw logs into graphs, charts, and reports. It also supports scalability, handling terabytes to petabytes of daily log data. It provides role-based access control which restricts data access based on user roles. It also features a machine learning toolkit that allows users to perform anomaly detection and predictive analytics. These features are critical for SOC analysts.

    The most important feature for Splunk Enterprise Platform is SPL, which is the Search Processing Language, because it helps us search billions of events within seconds. It powers threat hunting and forensic investigations. It is used to create dashboards, alerts, and reports and almost every advanced feature relies on SPL. Strong SPL skills are among the most sought-after abilities for Splunk Enterprise Platform administrators and SOC analysts. For example, when a user reports that their account is compromised, with SPL we can quickly find all login events for that user, check failed login attempts, identify source IP addresses, see which systems were accessed, correlate activity with firewall, VPN, and endpoint logs, and build a timeline for the incident. A single SPL query can answer questions that would otherwise require checking multiple systems manually.

    There are some useful features that Splunk Enterprise Platform users sometimes overlook, including data model acceleration which speeds up searches on large datasets, and this is very useful for SOC teams that need quick investigation results. There are also scheduled searches and automated reports which automatically run searches at set intervals and deliver reports to stakeholders without manual effort. Scalability is also important; whether we ingest a few GB or several TB of logs per day, Splunk Enterprise Platform's distributed architecture allows it to scale with enterprise needs. Role-based access control allows different teams to access only the data they need, which improves both security and compliance. These features highlight the capabilities that distinguish Splunk Enterprise Platform from basic log management tools and show its practical value in enterprise environments.

    Splunk Enterprise Platform has had some of the biggest positive impacts on our organization, including improvements in incident response time. Before using Splunk Enterprise Platform, analysts needed to manually search logs across multiple systems, but with Splunk Enterprise Platform, we can centralize logs with real-time alerts and dashboards which improved our incident response times to be 50 to 80% faster in many SOC environments. In terms of threat detection, before using Splunk Enterprise Platform, threats were detected after a significant delay, but Splunk Enterprise Platform helps us continuously monitor and correlate rules detecting attacks within minutes which impacts earlier containment and reduces business impact. In terms of efficiency, we used multiple tools and manual log collection before Splunk Enterprise Platform, but with Splunk Enterprise Platform we have a single platform we can use for searching, monitoring, and investigations, allowing us to investigate more incidents with less effort. For compliance and auditing metrics, before using Splunk Enterprise Platform we needed to manually collect evidence and compile auditing reports, but with Splunk Enterprise Platform we can automate reports for compliance frameworks which save hours of manual work and improve audit readiness. These are the key improvements we have seen with using Splunk Enterprise Platform.

    What needs improvement?

    While Splunk Enterprise Platform is widely regarded as a powerful SIEM and observability platform, users across enterprises commonly report recurring challenges including licensing and data ingestion costs. Splunk Enterprise Platform's licensing is often based on the volume of data ingested, and as our organization grows, costs can increase significantly, and our teams may need to carefully decide which logs to ingest, which can limit visibility. A suggested improvement would be more flexible licensing options, better built-in recommendations for optimizing data ingestion, and smarter data compression or tiered pricing. There is also a steep learning curve where beginners can find SPL difficult. A suggested improvement would be more AI-assisted SPL generation, interactive tutorials, and guided dashboard creation with additional pre-built templates for common SOC use cases. These are the main areas for improvement that I can see: licensing flexibility, reducing the learning curve for new users, simplifying development, improving performance for very large datasets, and providing more AI-assisted features to reduce manual effort.

    In terms of adding more improvements, there are frequently discussed areas including easier third-party integrations. While Splunk Enterprise Platform supports many integrations, onboarding new security tools sometimes requires custom configurations or add-ons. A suggested improvement would be more plug-and-play integrations, faster support for new vendors, and then simplified administration. Administrators often manage indexes, forwarders, user roles, and cluster health, so a suggested improvement would be easier administration dashboards and automated health checks. These are suggestions that acknowledge Splunk Enterprise Platform's strengths while highlighting areas where many enterprise users see opportunities for further improvement.

    The primary areas for improvement that I see are licensing flexibility, simplifying administration, expanding plug-and-play integrations, and adding more AI-driven assistance for searches and investigations. These improvements would significantly simplify our tasks and help us solve more incidents in a lesser amount of time, making it flexible even for beginners.

    For how long have I used the solution?

    I have been working for about 15 to 16 months in my current role, in the same project, in the same security domain only.

    What do I think about the stability of the solution?

    In my experience, Splunk Enterprise Platform has been a stable and reliable platform for day-to-day security monitoring and log analysis. It has consistently handled large volumes of data. The dashboards, searches, and alerting capabilities have performed reliably, though occasional issues such as slow searches or delays during peak data ingestion can occur. Overall, the platform has been dependable for security operations.

    What do I think about the scalability of the solution?

    Splunk Enterprise Platform is highly scalable in my experience, efficiently handling increasing volumes of log data, users, and security events by scaling horizontally with additional indexers and search heads. As our environment grows, the platform continues to perform well with the right infrastructure configuration, but scaling requires proper planning for storage, compute resources, and licensing to maintain optimal performance.

    How are customer service and support?

    I have not needed to contact Splunk Enterprise Platform support directly as the platform has been stable in our day-to-day operations. Most routine issues are handled internally by our team using Splunk Enterprise Platform's documentation and knowledge resources. Based on my current experience, I have not encountered major problems that required escalation to Splunk Enterprise Platform support.

    What was our ROI?

    Splunk Enterprise Platform delivers a measurable ROI by reducing manual effort, minimizing downtime, and improving security operations. When it comes to time saved, security analysts spend significantly less time searching logs and investigating incidents. In terms of employee productivity, the same SOC team can handle more alerts due to automation, dashboards, and correlation searches. Money saved includes faster incident detection and response, reducing the cost of security breaches, data outages, and compliance failures. For our enterprise, the key impact areas are generally time saved in investigations, higher analyst productivity, lowered costs of security incidents due to faster detection and response, and reduced manual reporting effort.

    What's my experience with pricing, setup cost, and licensing?

    Regarding my experience with Splunk Enterprise Platform's pricing, it is a powerful but premium platform requiring deliberate optimization to manage high upfront costs, including high initial setup costs and then complex shifting licensing. While unit costs are high, the platform's ability to consolidate siloed tools into a single pane of glass provides immense value justifying the premium cost if the architecture is tightly managed.

    What other advice do I have?

    I would recommend others to highly use Splunk Enterprise Platform because of its day-to-day usability, alert investigation capabilities, the time saved, and its highly accurate, scalable, and reliable support in day-to-day SOC operations. Splunk Enterprise Platform has greatly assisted in our day-to-day activities, and I would like to thank the Splunk Enterprise Platform team for providing us with a highly accurate and reliable platform that facilitates the maintenance of our day-to-day SOC operations. I would rate my overall experience with Splunk Enterprise Platform as a nine out of ten.

    Yashwant Shinde

    Unified monitoring has improved alert investigations and reduced response time for security events

    Reviewed on Jul 14, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I mostly use Splunk Enterprise Platform for monitoring and investigating alerts in the Infoblox environment.

    When I receive an alert for excessive failed login attempts, I assign that alert to myself and start looking at the logs through drill-down searches where I check who the user is, what the failure reason is, and their event codes such as 4624 and 4625. I analyze those details.

    Most of the time I monitor the environment and use the search capability of Splunk Enterprise Platform for log analysis.

    What is most valuable?

    The best features for my use case are query changes and searches, through which we can detect multiple suspicious activities in the environment. There is risk-based alerting and Threat Intelligence Frameworks that Splunk Enterprise Platform provides, as well as MITRE ATT&CK mapping.

    I mostly use the Threat Intelligence Frameworks, which match known malicious IOCs including IPs, URLs, domains, and file hashes while correlating the alert.

    Risk-based alerting is also a strong feature that Splunk Enterprise Platform provides because it assigns a risk score to the particular user or system instead of triggering alerts on every suspicious event, which reduces alert fatigue.

    I have worked on ArcSight in the past, but ArcSight has different components such as the logger and the ESM. Splunk Enterprise Platform provides everything in one single platform. We do not have to log in to two different environments repeatedly. It also provides a centralized log management system where we can put all logs for faster threat detection. This reduces the mean time to detect and respond to alerts in the environment. Additionally, we use the log management capacity of Splunk Enterprise Platform for compliance purposes including HIPAA and PCI DSS.

    We mostly use Splunk Enterprise Platform scheduled correlation rules, which we run on a scheduled basis rather than in real-time, which reduces the load on the system. It also provides a good amount of time to respond to alerts. Analysts can investigate alerts faster using the single platform.

    What needs improvement?

    One area for improvement is the high licensing cost that Splunk charges.

    For how long have I used the solution?

    I have been working in this field for 2.7 years.

    What do I think about the stability of the solution?

    Splunk Enterprise Platform is very stable.

    What do I think about the scalability of the solution?

    I give it a rating of 10 because it is really scalable and provides great capability for scaling.

    How are customer service and support?

    The customer service is really good. I received the solution within 24 hours.

    Which solution did I use previously and why did I switch?

    I did not particularly switch from another solution, but I found my previous platform complicated. I was working on a project where we were using ArcSight, but it is more complicated because it has a different ESM tool and different logger. We have to access those in different environments and log in two times when accessing them. Splunk Enterprise Platform provides everything in one place.

    What's my experience with pricing, setup cost, and licensing?

    Licensing relates to indexing the data that is ingested on a daily basis. The setup cost depends on the platform being acquired and the logs being ingested.

    What other advice do I have?

    I would advise that Splunk Enterprise Platform is really user-friendly and provides many functionalities. It is also integrating AI, which is helpful. I give this review a rating of 9 out of 10.

    Jagveer Singh

    Security monitoring has become more effective and handles large log volumes with detailed analysis

    Reviewed on Jul 11, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Splunk Enterprise Platform is using it for security monitoring.

    In security monitoring, we are using Splunk Enterprise Platform for multiple log sources which come from different devices including Active Directory, VPN, Defender, and EDR. We are receiving these logs from these devices and onboarding them on Splunk Enterprise Platform. We have written many alerts, and we are getting those alerts on Splunk Enterprise Platform and performing analysis on that.

    Regarding my main use case with Splunk Enterprise Platform, we have written numerous security alerts and monitoring rules according to the log source requirements. We have obtained different alerts from Azure security, cloud security, and EDR, and we perform analysis on many alerts, closing them on Splunk Enterprise Platform after the analysis. We have integrated Splunk Enterprise Platform with ServiceNow, utilizing automation, and we use SOAR Phantom with Splunk ES. All these generate alerts and send them to Phantom, where we have written many playbooks to take actions based on those playbooks.

    What is most valuable?

    In my experience, the best feature of Splunk Enterprise Platform is its excellent data searching capability. Whenever we want to search long data or export heavy logs, we can easily export them from Splunk Enterprise Platform. Other tools do not offer this level of functionality; they have limited capabilities.

    The searching feature in Splunk Enterprise Platform stands out because, for example, if I want to export multiple GB of logs, we can easily do so. In other tools, we do not have much functionality; they impose limitations on exporting large log sources. Splunk Enterprise Platform has a very good functionality called lookup, which allows us to add many elements into the lookup and expand it significantly, unlike other tools that have restrictions affecting formatting upon updates.

    I find the visualization feature in Splunk Enterprise Platform to be very good, as well as reporting and dashboards, which we can customize based on SPL queries to see more detail in visualization. Additionally, the log ingestion and exporting capabilities are much better than other tools.

    Splunk Enterprise Platform has positively impacted our organization by improving our security posture, and our team performs good analyses since there is no need to select any log source; we just input the necessary fields and obtain the details.

    As for specific outcomes, we also achieve a good reduction in false positives because we can create lookups and assign permissions to our analysts based on requirements. We have many custom permissions we can add.

    What needs improvement?

    One area for improvement in Splunk Enterprise Platform is the issue we face when writing Regex; it would be beneficial to have a tool that can automatically generate Regex.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for eight years.

    What do I think about the stability of the solution?

    I find Splunk Enterprise Platform to be steady.

    What do I think about the scalability of the solution?

    The scalability of Splunk Enterprise Platform is good.

    How are customer service and support?

    Customer support is good. I rate customer support a 10.

    Which solution did I use previously and why did I switch?

    We used a different solution previously, though those decisions were made by higher management rather than by me.

    What's my experience with pricing, setup cost, and licensing?

    I find the pricing, setup cost, and licensing of Splunk Enterprise Platform to be fine based on our usage and integrations.

    Which other solutions did I evaluate?

    Before choosing Splunk Enterprise Platform, we evaluated QRadar and found that its licensing cost was higher than that of Splunk Enterprise Platform.

    What other advice do I have?

    I rate Splunk Enterprise Platform a 10 based on my experience with multiple tools.

    I choose to rate it 10 because Splunk Enterprise Platform helps ingest many logs, and we can perform extensive searches and large data exports easily.

    Regarding Splunk Enterprise Platform's AI capabilities, I find its governance and capability to be good, with many apps available that we can integrate with Splunk ES to obtain results.

    We can manage data sovereignty at a petabyte scale within our environment easily.

    My experience in maintaining granular control over data using the trusted control plane within Splunk Enterprise Platform is good.

    As my organization considers new use cases including Agentic AI, Splunk Enterprise Platform's governance and role-based access controls help us onboard Agentic AI logs on Splunk Enterprise Platform and write rules based on requirements.

    My advice for others considering Splunk Enterprise Platform is that it works very well for handling long data and very large datasets. My overall rating for Splunk Enterprise Platform is 10.

    Chirag Singhtalwar

    Centralized logging has transformed security monitoring and incident response efficiency

    Reviewed on Jul 10, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Splunk Enterprise Platform is security monitoring and incident detection. I use Splunk Enterprise Platform to collect and analyze logs from servers, endpoints, firewalls, and network devices. I monitor security events, investigate alerts, troubleshoot issues, and support incident response through dashboards and log search.

    One example of how I have used Splunk Enterprise Platform for security monitoring and incident detection was when Splunk Enterprise Platform generated multiple failed login alerts for a privileged account from different IP addresses in a short period. I used SPL to review the authentication logs, correlating them with firewall and Windows Event Logs. I confirmed it was a password spraying attempt rather than normal user activity. I escalated the incident, the account was secured, and the source IPs were blocked.

    In addition to security monitoring, I use Splunk Enterprise Platform for operational monitoring and troubleshooting. It helps me quickly search logs from Windows and Linux servers, network devices, and security tools to identify the root cause of issues. I have also used dashboards to monitor system health and create alerts for critical events, which improves response time and reduces manual log analysis.

    What is most valuable?

    The best features Splunk Enterprise Platform offers are its log analysis and its powerful log search capabilities using SPL. Centralized log collection, real-time monitoring, alerting, customizable dashboards, fast troubleshooting, and the ability to correlate events from multiple data sources are all valuable. It also scales well for large environments and integrates with many security and IT tools, making incident investigation much more efficient.

    Splunk Enterprise Platform has improved visibility across the environment by centralizing logs from multiple systems. It has reduced the time needed to detect, investigate, and respond to security incidents, streamlined troubleshooting, and helped my team respond to issues more quickly. Overall, it has improved operational efficiency and reduced downtime.

    What needs improvement?

    One area for improvement for Splunk Enterprise Platform is the learning curve. Splunk Enterprise Platform and SPL can take time for new users to master. Licensing and data ingestion costs can also become expensive as log volumes grow. Additionally, simplifying the initial deployment and providing more out-of-the-box dashboards and use cases would help organizations get value more quickly.

    For how long have I used the solution?

    I have been working for three or more years in my current field.

    What other advice do I have?

    The feature I rely on the most day-to-day is SPL, Search Processing Language. It allows me to quickly search and filter large volumes of logs, investigate alerts, and troubleshoot issues instead of manually checking logs on multiple systems. I can correlate events from different sources in one place, identify root causes faster, and respond to incidents more efficiently.

    One thing I particularly appreciate about the features is the flexibility of Splunk Enterprise Platform dashboards and alerts. They can be customized for different teams and prioritized, making it easier to monitor critical events without constantly searching through logs. That saves time and helps focus on the most important issues.

    Although we have not measured exact KPIs, Splunk Enterprise Platform helped reduce the time required to investigate incidents. Instead of manually checking logs across multiple systems, we could quickly search centralized logs and identify the root cause much faster. For many incidents, the initial investigation time was reduced from around 30 to 45 minutes to approximately 10 to 15 minutes, which improved our overall response time.

    Regarding Splunk Enterprise Platform's AI capabilities, from my experience, it provides strong governance and security through role-based access control, audit logging, encryption, and integration with enterprise identity providers. These features help ensure that access to data and AI-assisted capabilities is controlled and traceable. As AI capabilities continue to evolve, I would appreciate seeing even more transparency around AI-generated results and more granular governance controls.

    From my experience, Splunk Enterprise Platform's AI-assisted capabilities are generally accurate and can help in prioritizing alerts, summarizing information, and speeding up the investigation. However, I do not treat the output as definitive. I always validate AI-generated insights against the underlying logs and other evidence before making a decision. Overall, I would describe the accuracy and reliability as good, but human verification is still important.

    My advice for those looking into using Splunk Enterprise Platform is to clearly define your logging and security monitoring objectives before deployment. Start with your most critical data sources. Invest time in learning SPL and build dashboards and alerts that align with your operational needs. Additionally, plan your data ingestion carefully to manage licensing costs and get the best value from the platform. I rate this product a nine out of ten.

    Mahendra Rathal

    Centralized log analytics has improved incident investigations and simplifies real-time monitoring

    Reviewed on Jul 09, 2026
    Review from a verified AWS customer

    What is our primary use case?

    Splunk Enterprise Platform serves as our primary solution for centralized log management and security monitoring. We collect logs from multiple systems and security devices into a single platform to investigate incidents, troubleshoot issues, monitor suspicious activity, and create dashboards and alerts for better operational visibility. The platform also helps us correlate events from different log sources, making investigation faster and more efficient.

    For example, an organization received an alert about suspicious PowerShell activity on a Windows endpoint. Using Splunk Enterprise Platform, the analyst searches for the affected hostname and username, then correlates Windows Event Log, Active Directory authentication log, firewall log, and endpoint security log. The timeline shows that the user logged in from an unusual IP address or executed a PowerShell command and then attempted a connection to multiple internal servers. Because all relevant logs are available in one place and can be correlated by timestamp, username, and host, the analyst can quickly understand the sequence of events and determine the scope of the incident without manually checking multiple systems.

    What is most valuable?

    Splunk Enterprise Platform's Search Processing Language, real-time search and alerting, and customizable dashboards are the most valuable features I have found. The Search Processing Language makes it easy to search and analyze large volumes of log data to quickly identify issues or security events. The real-time alerting capability has helped us detect critical events as they occur, allowing for faster response. I appreciate the flexibility of dashboards, which can be customized to display key metrics and operational insights for different teams. Additionally, Splunk Enterprise Platform's ability to ingest data from a wide range of sources and correlate events across multiple systems provides a comprehensive view of the environment, making troubleshooting and incident investigation much more efficient.

    The Search Processing Language is the feature I rely on the most in Splunk Enterprise Platform. It allows me to quickly search and analyze large volumes of log data, filter relevant events, and identify the root cause of issues much faster than manually reviewing logs. Whether I am investigating a security alert or troubleshooting an operational problem, the Search Processing Language helps me pinpoint relevant information efficiently, making it the most valuable feature in my day-to-day work.

    Overall, the feature set of Splunk Enterprise Platform is comprehensive and flexible. The combination of centralized log management, powerful search capability, customizable dashboards, and real-time alerting enables teams to monitor their environment, investigate incidents, and troubleshoot issues from a single platform. The extensive integration support also makes it easy to bring together data from different systems, providing better visibility across IT and security infrastructure.

    Organizations commonly report that Splunk Enterprise Platform improves visibility across their IT and security environments by centralizing logs from multiple systems. This can help security and operations teams investigate incidents more quickly, reduce the time spent troubleshooting issues, and identify potential problems through real-time monitoring and alerting. Many organizations also use dashboards and reporting to gain operational insights, support compliance activities, and make more informed decisions based on machine data.

    What needs improvement?

    One area where Splunk Enterprise Platform could be improved is its licensing model, as costs can increase significantly with higher data ingestion volumes. The initial deployment and data onboarding process can also be complex, especially for large environments. Additionally, there is a learning curve for new users when working with the Search Processing Language and building advanced dashboards. Simplifying administration, improving the onboarding experience, and providing more built-in templates and guided analytics would make the platform easier to adopt and manage.

    Another area of improvement would be performance optimization in very large environments where complex searches can take longer to execute if they are not properly optimized. It would also be beneficial to have more artificial intelligence-driven analytics, automated recommendations for search optimization, and pre-built dashboards and use cases.

    For how long have I used the solution?

    I have been working in this field for approximately four and a half years.

    What do I think about the stability of the solution?

    Splunk Enterprise Platform is highly stable.

    What do I think about the scalability of the solution?

    Splunk Enterprise Platform is highly scalable and is designed to support organizations ranging from small deployments to large enterprise environments. It can ingest and analyze increasing volumes of data by adding indexers, search heads, and other components as requirements grow. The distributed architecture allows organizations to expand capacity while maintaining performance and reliability. Proper infrastructure planning, data management, and search optimization are important to ensure the platform continues to perform efficiently as the environment scales.

    Which solution did I use previously and why did I switch?

    Splunk Enterprise Platform was our primary log management and analytics platform, so we did not migrate from another SIEM or log management solution. We selected it because of its powerful search capability, scalability, broad integration support, and ability to centralize logs from multiple systems for monitoring.

    We did not conduct a formal evaluation of multiple solutions before adopting Splunk Enterprise Platform. The decision was primarily based on its strong reputation for log management and analytics, extensive integration capabilities, powerful search functionality, and its ability to scale to meet enterprise security and operational requirements.

    How was the initial setup?

    Before implementing Splunk Enterprise Platform, I clearly define my use cases, identify the log sources I want to onboard, and estimate my expected data volume to plan licensing and infrastructure appropriately. I invest time in learning the Search Processing Language and designing an efficient ingestion strategy, as these have a significant impact on performance and usability. It is also a good idea to start a phased deployment, build dashboards and alerts around your highest priority use cases, and establish governance for user access and data retention from the beginning. This approach will help me get the most value from the platform while keeping the deployment manageable.

    What was our ROI?

    We have seen operational benefits, although we did not formally measure ROI with specific metrics. Splunk Enterprise Platform helped reduce the time required to investigate incidents by centralizing logs and providing powerful search capabilities. This improved analyst productivity and troubleshooting efficiency. The biggest return has been better visibility and faster access to relevant data, rather than a measurable reduction in headcount or quantified cost savings.

    What's my experience with pricing, setup cost, and licensing?

    The pricing for Splunk Enterprise Platform for large volumes is on the higher side compared to some alternatives, especially for organizations that ingest large volumes of data. The initial setup requires investment in implementation, but once deployed, the platform provides strong value through its scalability and extensive capabilities. The licensing model is straightforward but requires careful planning to manage data growth and costs. For organizations that prioritize security and IT operations, the overall value generally justifies the investment.

    What other advice do I have?

    My organization has tracked TCO metrics for the non-indexing analytics approach to evaluate the success of reducing TCO with Splunk Enterprise Platform's non-indexing analytics approach.

    Splunk Enterprise Platform provides useful artificial intelligence-assisted capabilities that can help improve security operations and data analysis. From a governance and security perspective, I think it is important that artificial intelligence features respect existing role-based access control, maintain audit logs, and protect sensitive data. Organizations should also have clear policies around how artificial intelligence is used, what data it can access, and how artificial intelligence-generated insights are validated before taking action. Overall, the artificial intelligence capabilities are promising, but strong governance, transparency, and data protection are essential for enterprise adoption.

    Artificial intelligence capabilities in an enterprise security platform can significantly improve productivity by helping summarize data, identify patterns, and assist with investigation. However, the accuracy and reliability of the output depend on the quality of the underlying data and configuration. Artificial intelligence-generated insights should be treated as decision support rather than definite answers, and they should always be validated by security analysts before taking action. I provided this review with an overall rating of nine out of ten.

    Information Technology and Services

    Splunk Enterprise Excels at Analyzing Large Machine-Generated Logs

    Reviewed on Jul 08, 2026
    Review provided by G2
    What do you like best about the product?
    The best about Splunk Enterprise is its log analyzing capabilities. It can analyse large machine generated logs
    What do you dislike about the product?
    Its licensing is very costly for analysing large machine generated logs. It requires much fine tuning to support large log analysis
    What problems is the product solving and how is that benefiting you?
    The problem that Splunk Enterprise solving for me is Centralized log management for machine generated logs that i mainly use for troubleshooting. It supports real time dashboard and alerts based upon the data provided.
    Sama Parveen

    Monitoring has become centralized and alerts now reduce response time across many servers

    Reviewed on Jul 06, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Splunk Enterprise Platform is for doing data analysis. I can give you an example of how I use Splunk Enterprise Platform for data analysis. We are monitoring the infrastructure of the client, such as what systems they are using. It could be network devices, or it could be Windows or Linux servers. We get the infra-related data in Splunk Enterprise Platform environment, such as CPU, memory, and host status, and based on that, we do the configuration at our end. If any issues are there, we are generating the ticket. For example, if a disk is occupying more than 90% of its space, then based on that, we are triggering an alert. If any host is not responsive, we generate an alert such as 'host reporting no data'.

    We are having multiple ways to use Splunk Enterprise Platform day-to-day. We have multiple environments, such as a high availability environment and a low availability environment. Based on the client's budget, we set up Splunk Enterprise Platform infrastructure. For example, with a high availability environment, the cost will be more, but the availability of the monitoring tool will be high. That is called the clustered environment. If a client has a low budget and they have a smaller number of servers to monitor, then we will go for a distributed environment.

    What is most valuable?

    The best feature of Splunk Enterprise Platform is data insights. The data is very quickly searchable. The data is stored in an index. If you have a very large amount of data and you put it in Excel, it will take a lot of time to work on it and get the insights, such as the exact error logs. But in Splunk Enterprise Platform, data is stored in a TSIDX file. We have an index to get the data, so you can quickly get a look at your environment's data. The visibility is very high.

    Suppose a thousand servers are under monitoring. All the data from those thousand servers is ingested into Splunk Enterprise Platform. If any of the servers go down, it will quickly create an alert, irrespective of how many. Even if a thousand servers go down, it will create the alert quickly. The investigation is very easy. We have a set of indexes where data will be stored. We will have log files, we will have the log data, so the analysis is very easy.

    We also have vendor support. If my environment is not working or is showing an error, the vendors provide support on time. The security level is also very good. Whenever any vulnerability is detected, the vendor will inform us, and they will come up with the latest version so that we can do the upgrades. The documentation part is everything very transparent.

    Whatever problem the client comes up with, for example, 'My environment has this many servers, and we cannot do it because it is at different locations,' it cannot be manually monitored. There should be a one-stop destination so that we can monitor all the environments. In that way, Splunk Enterprise Platform is playing a very important role in our organization to serve clients better.

    The response time is reduced because within 5 to 15 minutes, if any issue occurs with the server, it will generate an alert. If the system comes back up, there is an automation process, so the ticket will auto-resolve as well. However, the footprint will always be there. It will show exactly when the issue happened. It is saving time also because whatever data we are getting, it is taking less time to parse, index, and process the data and give us the ticket.

    What needs improvement?

    Regarding improvement for Splunk Enterprise Platform, compatibility is needed. They are coming out with a newer version every two months, and there is the vulnerability part. When they are releasing any version, they need to check it from a security point of view completely. The remediation they are providing is in the newer version. In the existing version itself, they can review it and provide the fixes so that every two or three months, we do not need to go for upgrades, because upgrades take some time.

    The Splunk experts are there who are involved and have the knowledge to do the integration. Everything is fine. The only thing is the vulnerability part, which is the only flaw I observed.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for the last five years.

    What do I think about the stability of the solution?

    Splunk Enterprise Platform is stable.

    What do I think about the scalability of the solution?

    The scalability of Splunk Enterprise Platform is very good. If we are talking about the cluster setup, you can add more indexers, more search heads, and more heavy forwarders. You can add more components based on your requirements. Scalability is very easy in Splunk Enterprise Platform.

    How are customer service and support?

    Customer support is also top-notch. We are getting the support. They have on-call support and email support.

    Which other solutions did I evaluate?

    Multiple options are available, such as Dynatrace and DataDog, but Splunk Enterprise Platform is the leading one nowadays because it provides security features as well. Splunk Enterprise Platform was acquired by Cisco, and Cisco is a big player in security. Splunk Enterprise Platform is a good one, and it is also cost-saving. It is not charging more. It is charging based on indexing the data only, so we are good with Splunk Enterprise Platform.

    What other advice do I have?

    Governance and security within Splunk Enterprise Platform is good. Whenever they find any vulnerability, they immediately inform their customers, telling them to stop using something and providing the fixes. They come up with it immediately. Splunk Enterprise Platform itself was bought by Cisco, so from a security point of view, they are getting better now.

    Directly, as of now, we are not integrated with agentic AI, but we are using agentic AI for the troubleshooting part. It will take some time to integrate it, but these things will be there. However, everywhere, human intervention will always be there. It cannot allow the AI to go and change the configuration without the permission of a human being.

    Splunk Enterprise Platform has high capability. It is capable of handling that much data. It will use more resources, but it can handle it.

    We have used the federated search feature of Splunk Enterprise Platform because the client had location-related security requirements. We have the option and the feature where we can hold the data there, and it can be searched from one location. The data will be stored in a different location, but it can be searchable from one destination. It is very helpful. The environment is providing a very reliable solution to us.

    Splunk Enterprise Platform has a very good feature. You can mask the data while indexing it. If you are talking about the access part, we have multiple access levels available. If you want to limit the access to particular data for a particular team, we have that option. We can create a customized role, and it also has in-built roles. Based on that, a dedicated user can only access the dedicated data.

    Nothing is missing because Splunk Enterprise Platform has very strong capabilities with multiple roles, and we have customized roles as well. For the login process, we can use SAML and LDAP. It is a very good platform that provides you with a way to maintain data security. The governance tools provided by Splunk Enterprise Platform are very good.

    The cost saving is a shared resource for multiple projects. We can work for 10 to 12 or 15 projects with Splunk Enterprise Platform skill set. I am working as an admin and developer, so that part comes under the architect team. We have a dedicated team that decides the pricing, cost, and licensing based on the client's requirements, such as how many servers are under monitoring. For a thousand servers, it should go with a clustering environment and high availability. It totally depends on the demand of the client.

    Because we have 10 to 12 projects and 10 to 12 associates, there is no dependency. If someone goes on leave, everyone else has access to all the projects, so there is no dependency. Everyone can work on any of the projects, so it is good. You do not need to put two dedicated people there, and if those two people are not there, then who will work? There is no such issue. With shared responsibility and shared resources, it is working very nicely with less cost.

    I would rate this review an 8 overall.

    MeghaGarg

    Centralized log monitoring has enabled real-time insight into high-volume workflow activity

    Reviewed on Jun 30, 2026
    Review provided by PeerSpot

    What is our primary use case?

    The team I work on is a workflow team for the bank. We get a lot of traffic because of onboarding and workflow processes, which results in around a million hits per day. Whenever we have a release scheduled, Splunk Enterprise Platform is a very useful tool for me to monitor the logs.

    What is most valuable?

    Splunk offers an advantage where I can log and monitor all of the microservices in a single location. Search Processing Language (SPL), which is the query language for the product. SPL does take time to master as it is somewhat complex. When searches are straightforward, then it is quick, but if you need to perform complex searches with multiple pipes, sub-searches, or statistical functions, then it becomes somewhat confusing. You need time to become familiar with it.

    I created some Splunk Enterprise Platform dashboards, which is the main focus of my work. I used a drag-and-drop builder, and it has real-time updates, visualization varieties, drilldowns, and token inputs. I built a dashboard for the application which answered these questions: which workflow combination has the highest hits and which users are triggering them. I wrote a query using SPL which aggregated the results from the API in the given timeframe that we can choose, and accordingly it will show a pie chart. Using the drilldowns and tokens, I built another panel where if you click a particular combination, it will list the number of users hitting that combination and how many times. This is something very useful I found in Splunk Enterprise Platform dashboards.

    What needs improvement?

    Regarding the downsides of Splunk Enterprise Platform, as I mentioned, one is the Search Processing Language is somewhat complex when it comes to complex filtering and searching. You need to become familiar with it to make complex searches. That is one thing.

    There is not a no-code option for panels. You have to write an entire query for it. It would be better if they could introduce more drag-and-drop options so that people can add more features to their panels and pie charts and visualize the data they want.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for 1.5 years.

    What do I think about the stability of the solution?

    Considering the stability of Splunk Enterprise Platform, it is pretty stable. It sometimes takes time when I switch the timeframe, such as from 15 minutes to one hour. It takes some time in loading all of the logs from the application. Otherwise, it is very stable. It is a latency issue.

    What do I think about the scalability of the solution?

    As I mentioned, the current application I was working on already has a lot of users. So it is a pretty scalable solution. We get millions of hits for the APIs.

    Which solution did I use previously and why did I switch?

    When I joined the company, Splunk Enterprise Platform was already in place from the very start. Many of my friends work in several different companies, many uses DataDog, but here, I have only used Splunk Enterprise Platform.

    Which other solutions did I evaluate?

    I am not involved in those kinds of decisions yet. I do not know about the pricing.

    What other advice do I have?

    The whole bank uses the same tool to monitor their logs and analyze production data or any environment data. That is why I have not had any chance to use an alternative.

    I am not familiar with the pricing because being a junior developer.

    Splunk Enterprise Platform offers Federated Search, which I have not used.

    My overall review rating for Splunk Enterprise Platform is 9 out of 10.

    Shashank Nagesh

    Security monitoring has improved with faster rule creation but search and AI features still need work

    Reviewed on Jun 25, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Splunk Enterprise Platform is as a SIEM/SOAR.

    I use Splunk Enterprise Platform as a SIEM where we send all the relevant logs including firewall logs, EDR logs, authentication logs, application logs, and database logs towards Splunk, and then we write rules based on that.

    Day-to-day, it is mainly used as a SIEM solution to look at all the security events and write the rules.

    What is most valuable?

    Splunk Enterprise Platform offers very good integration patterns and extensive support for many log sources with pre-built rule sets and pre-built integrations. It also has a wide variety of support sources.

    Those integrations and pre-built rule sets help my team in our daily work as they made the integrations much faster and easier. Using the community rules was also much faster.

    Splunk Enterprise Platform has very good retention and log ingestion methods. The log querying is also pretty good.

    Splunk Enterprise Platform has positively impacted my organization by providing very good insight into the different security logs.

    I have seen specific outcomes or improvements with Splunk Enterprise Platform, where the time to respond is pretty good. The time to write a rule is very fast, and the time for integration to the different log sources is very good.

    What needs improvement?

    One area where Splunk Enterprise Platform can be improved is that the underlying search architecture is not up to the mark compared to something Elastic. This could be improved.

    I wish Splunk Enterprise Platform could do more towards AI and use AI to help in SOC automation.

    Regarding Splunk Enterprise Platform's AI capabilities, I think its governance and security are pretty good, but not up to the mark.

    Regarding Splunk Enterprise Platform's AI capabilities, I feel that its accuracy and reliability of output are still in the nascent stages, although it is pretty good.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for about to three years.

    What do I think about the stability of the solution?

    Splunk Enterprise Platform is stable.

    What do I think about the scalability of the solution?

    Splunk Enterprise Platform's scalability is very good.

    How are customer service and support?

    The customer support is very good.

    I would rate the customer support on a scale of one to ten as an eight. They are able to query and answer most of the questions.

    Which solution did I use previously and why did I switch?

    We have used many solutions before, including Sentinel and Elastic, which we use in combination.

    What was our ROI?

    I feel I have seen a return on investment, and my general impression is that it is a great product.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing is that the setup costs and licensing are pretty high.

    Which other solutions did I evaluate?

    Before choosing Splunk Enterprise Platform, I evaluated other options including Elastic.

    What other advice do I have?

    My advice for others looking into using Splunk Enterprise Platform is that it is a great solution, but it is a little expensive. I would rate this review a seven out of ten.