Splunk Enterprise provides log management, search, alerting, real-time correlation and a query language that supports visualization using more than 100 statistical commands.
Splunk is widely deployed by IT operations and application support teams for log management analytics, monitoring and advanced search and correlation.
Analytics on batch data stored in Hadoop/NoSQL stores and relational databases is provided by a separate product called Hunk, and by the DB Connect App, which adds bidirectional support for relational databases.
The Splunk App for Enterprise Security provides predefined reports, dashboards, searches, visualization and real-time monitoring to support security monitoring and compliance reporting use cases.
Splunk App for Enterprise Security now ships with 68 predefined security indicators that can be used to construct a custom dashboard, and there are now 40 predefined dashboards in the security domain menu. Splunk released a report builder with 200 predefined reports/panels.
Splunk now aggregates 18 threat intelligence feeds to enable consolidation into common watchlists.
Splunk is a good fit for security organizations that require customizable security monitoring and analytics, and is an especially good fit for use cases that span security and operations, and for deployments with a focus on application monitoring.
Operational Intelligence gives you a real-time understanding of what’s happening across your IT systems and technology infrastructure so you can make informed decisions.
- Splunk’s strong presence in IT operations groups can provide the security organization with early hands-on exposure to its general log management and analytics capabilities, “pre-SIEM” deployment by operations for critical resources, and in-house operations support for an expanded security-focused deployment.
- Splunk’s dashboarding and analytics capabilities provide a flexible framework for customization to meet a variety of event management and log management requirements.
- Splunk has built-in support for a large number of external threat intelligence feeds from commercial and open sources.
- Splunk provides predefined parsing to a more limited set of IAM vendors than some competitors’ products. Potential buyers should anticipate customization work to handle the parsing of IAM logs outside Active Directory, LDAP and selected other IAM technologies.
- Predefined reporting, while improved in the current release, is still more basic than that of many competitors.
- In cases where operations teams are not also using Splunk for operations monitoring (and thereby sharing the deployment costs), Splunk is often significantly more expensive than competing SIEM solutions.