
Starting Splunk ES POV- Any advice?

cjharmening
Loves-to-Learn Lots

Hello all, 

Starting at the end of next week, my team will be doing a POV of Splunk ES as a possible replacement for our current SIEM. We are looking at the cloud with the workload pricing model.

I am wondering if anyone can provide any tips or tricks related to doing a POV of ES: the sort of things you feel can be difficult or take time to complete, the monthly care and feeding of the product that you and your team do, and how the workload pricing actually computes in your environment (for example, say you have 100 SVGs, you send in 5 TB a day and do 1,000 searches...).

I appreciate any insight anyone can provide.


Thank you

inventsekar
SplunkTrust

Hi @cjharmening 

Please forgive my ignorance, but POC means "Proof of Concept";

does POV mean "Proof of Value"?

As suggested by @gcusello, please follow those ideas; you will save lots of time ("valuable time").

PS - this is mine - Karma Given 2217, Karma Received 490.. please give me karma, thanks.


gcusello
SplunkTrust

Hi @cjharmening ,

I don't know how deep your knowledge of Splunk and ES is.

In general, I recommend finding a trusted Splunk partner and relying on them.

Otherwise, you risk wasting a lot of time or thinking that ES implementation is science fiction, when in reality it's just a standard integration job.

Otherwise, contact Splunk Sales to have the support of a Splunk Sales Engineer.

Anyway, in a few points:

  • use only CIM-compliant logs,
  • strictly follow the documentation,
  • use the Splunk Security Essentials app to understand which detections to implement,

Ciao.

Giuseppe

PickleRick
SplunkTrust

Yup. These terms are often used interchangeably but in fact they _should_ mean something slightly different.

PoC is indeed a proof of concept. This should mean that we're trying out a new solution aimed at solving a specific problem in a particular way, but before we spin up a whole huge solution we want to check whether our way of thinking is right and whether it will actually work. So in a sales case it would be a customer who asks us if we're able to tackle a specific problem in their environment with our solution, and we say "yeah, this should work just right, but let's try it first at small scale so you see that it does".

PoV is a proof of value. It's much more of a sales concept and is meant to show the customer that the product has the functionality we promised and that by buying it the customer can really bring some, well, value to their organization.

In practice often those abbreviations are used completely freely 🙂

Aaaaand back to the topic - with any system which isn't just "fire and forget" (and Splunk, especially ES, isn't one), I would recommend going with a Partner to do a decent PoV installation. But also remember that a decent PoV will also require a time commitment from your end as a potential customer.
