Splunk is an Amazing SIEM – So Why Are Some Clients Unhappy?

March 21, 2023 | 3 min read

Matthew Gonter

Global Technical Solutions Architect

Here are some common Splunk mistakes, plus how to maximize your Splunk subscription with BlueVoyant’s expertise and services

Splunk has been a market leader in Security Information and Event Management (SIEM) for more than 15 years. Splunk enables clients to streamline their security operations in the face of changing requirements, a growing threat landscape, and evolving analytics strategies. Clients can choose whether to run the platform on-premises or in the cloud by choosing either Splunk Enterprise or Splunk Cloud Platform. Beyond these platforms, Splunk also offers numerous Security and Observability tools to help clients be more resilient.

Clients often lack the in-house expertise to properly deploy, monitor, and manage any SIEM, let alone optimize it using best practices to meet current and future organizational business needs. According to SumoLogic’s 2020 State of SecOps and Automation report, 70% of IT security leaders say the volume of security alerts they receive on a daily basis has more than doubled in the past five years. Add to that the statistic that 61% of organizations do not have a central 24x7 SOC to monitor and orchestrate threat analysis and response, and you have a recipe for frustration.

So why are some companies so frustrated with their Splunk deployments? Because Splunk deployed without optimized configuration and ongoing management becomes a budget eyesore. Over the years, I’ve seen clients’ pain points fall into three areas:

Uncontrolled Data Ingestion

Splunk designed a highly capable analytics engine that allows clients to ingest any and all forms of data. The value of Splunk is its flexibility in data ingestion. But onboarding poor-quality data leads to increased data costs, or data burden: the data ingested is missing fields, poorly formed, or not relevant to any analytics.

Content Sprawl

The point of any SIEM is to gain actionable results and place them in the hands of analysts who can react quickly and with as few false positives as possible. Multiple frameworks and Key Performance Indicators (KPIs) like Mean-time-to-Detect, Mean-time-to-Remediate, and Mean-time-to-Acknowledge have been around for years and are still at the forefront of most SOCs. Creating and managing content that drives those KPIs down without breaking the bank is a hard balance.

A strong indicator of content sprawl is the number of searches that are still effective and generating quality results. I’ve personally seen upwards of 300 saved searches generating more than 86,000 executions a day. Of those searches, half were operational. Missing data, data structure changes, or stale and invalid content was identified in the environment. These executions increased compute costs throughout the environment and have the potential to keep teams running around chasing ghosts in the systems.
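As an added illustration (not code from the post or from BlueVoyant), the script below rolls scheduler log lines up into the operational-versus-not count described above: for each saved search it tallies executions, runs that actually returned results, runs the scheduler skipped, and the search time spent on searches that never produce anything. The log lines are constructed in the style of Splunk’s `_internal` scheduler log, and the field names `savedsearch_name`, `status`, `result_count` and `run_time` are this example’s assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Splunk's _internal scheduler.log; the field
# names (savedsearch_name, status, result_count, run_time) are this example's assumption.
SCHEDULER_LOG = """\
03-20-2023 00:00:05 INFO SavedSplunker - savedsearch_name="Brute Force - Windows", status=success, result_count=4, run_time=2.31
03-20-2023 00:05:05 INFO SavedSplunker - savedsearch_name="Brute Force - Windows", status=success, result_count=0, run_time=1.90
03-20-2023 00:00:06 INFO SavedSplunker - savedsearch_name="Legacy Proxy Alert", status=success, result_count=0, run_time=40.5
03-20-2023 00:05:06 INFO SavedSplunker - savedsearch_name="Legacy Proxy Alert", status=success, result_count=0, run_time=41.2
03-20-2023 00:10:06 INFO SavedSplunker - savedsearch_name="Legacy Proxy Alert", status=skipped, reason="max concurrent searches reached"
03-20-2023 00:00:07 INFO SavedSplunker - savedsearch_name="Okta Impossible Travel", status=success, result_count=1, run_time=5.0
03-20-2023 00:00:08 INFO SavedSplunker - savedsearch_name="Old DNS Tunnel", status=skipped, reason="max concurrent searches reached"
03-20-2023 00:05:08 INFO SavedSplunker - savedsearch_name="Old DNS Tunnel", status=skipped, reason="max concurrent searches reached"
03-20-2023 00:10:08 INFO SavedSplunker - savedsearch_name="Old DNS Tunnel", status=success, result_count=0, run_time=12.0
"""
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')  # key=value pairs, quoted or bare

def summarize(log_text):
    """Per saved search: runs, runs that returned results, skipped runs, search seconds."""
    stats = defaultdict(lambda: {"runs": 0, "hits": 0, "skipped": 0, "run_time": 0.0})
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if "savedsearch_name" not in f:
            continue
        s = stats[f["savedsearch_name"]]
        s["runs"] += 1
        if f.get("status") == "skipped":   # scheduler never ran it: a capacity signal
            s["skipped"] += 1
        else:
            s["hits"] += int(f.get("result_count", 0)) > 0
            s["run_time"] += float(f.get("run_time", 0))
    return dict(stats)

def classify(s):
    """'starved' if skipped more often than run; 'stale' if completed runs never returned a result; else 'operational'."""
    if s["skipped"] > s["runs"] - s["skipped"]:
        return "starved"
    return "stale" if s["hits"] == 0 else "operational"

def sprawl_report(log_text):
    """The roll-up the post describes: executions, searches still producing results,
    and search seconds spent on searches that produce nothing."""
    stats = summarize(log_text)
    labels = {name: classify(s) for name, s in stats.items()}
    wasted = sum(stats[n]["run_time"] for n, lab in labels.items() if lab != "operational")
    return {"executions": sum(s["runs"] for s in stats.values()),
            "operational": sum(lab == "operational" for lab in labels.values()),
            "wasted_search_seconds": round(wasted, 2), "labels": labels}
```

A stale label does not by itself mean the search is dead content; it is equally often the sign that the data source behind it stopped arriving, which is the data-quality problem from the previous section showing up as a detection gap.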

Getting Value from Splunk Quickly

Migrating environments, developing content, and onboarding data are critical to extracting the most value out of Splunk quickly. This means having the talent and staff on hand to perform all the tasks required for success. Clients are struggling to find and retain this talent in today’s market.

Moving to Splunk Cloud can be difficult if you haven’t done it before. Check out some of the lessons learned from our very own Carl Kennedy: Splunk Cloud Platform Migration Lessons Learned. He enumerates some of the gotchas he’s experienced over the past few years doing these migrations.

How Does BlueVoyant Help?

All of this frustrates Splunk clients and has them considering whether or not they should dump Splunk. That would be a mistake.

BlueVoyant brings Splunk expertise to wherever your Splunk instances reside, restoring the optimization and management you need to extract the maximum amount of value. BlueVoyant is focused on reducing data burden, expediting implementation, and streamlining threat detections to harness the power of your data in Splunk Cloud or Splunk Enterprise. Our Splunk Workshops target getting control of content sprawl and data burden by mapping the data to the analytics of value. Whether you’re in the cloud or on-prem, we can quickly deploy our MDR content to the Splunk stack of your choice, enabling your Security Operations Center with high-fidelity alerting. Our content management system ensures only the relevant content is deployed and maintained in your system.

Get back to managing your business and allow us to manage your Splunk anywhere it lives.

Matt Gonter is a technical solutions architect for BlueVoyant specializing in Splunk.
