Splunk Enterprise Security

Splunk Enterprise Security (ES) is SIEM software that provides insight into machine data generated by security technologies, such as network, endpoint, access, malware, vulnerability and identity sources. It enables security teams to quickly detect and respond to internal and external attacks, simplifying threat management while minimizing risk and safeguarding the business.

8.4/10 (Expert Score) ★★★★★
Product is rated as #19 in category Security Information and Event Management (SIEM) Software
Ease of use: 8.0
Support: 8.6
Ease of Setup: 7.5

Splunk Enterprise Security is an analytics-driven SIEM solution that combats threats with actionable intelligence and advanced analytics at scale. With the goal of improving your security operations and reducing risk, Splunk is a security platform that enables you to detect, investigate, and respond in real time. With Splunk, you can streamline your entire security stack, minimize unplanned downtime, and explore and visualize business processes for increased transparency, all in one platform.

Customer Reviews

User in Information Technology and Services

Advanced user of Splunk Enterprise Security
★★★★★
The best SIEM out there, if you're willing to learn

What do you like best?

You can customize all aspects of the platform, automate workflow actions, design rules with detailed drill down searches, enrich the notables with valuable context, and if you're willing to get creative and hack it a little bit, you can do unexpected things.

If you choose to follow this route, there is a great and active community ready to help you achieve even the weirdest of goals.

What do you dislike?

Hard to ensure the logs are processed into CIM compliance; if this is not done right, the product becomes mediocre. This process can require professional services and lots of maintenance.

Recommendations to others considering the product:

Invest in training your personnel properly, since it's very easy to misuse this tool and get low performance or inconsistent results. Also adhere to logging standards: Splunk ES works amazingly as long as you keep your logs CIM compliant and in good shape; if that's not the case, you'll get an expensive, unreliable, and even slow tool.

What problems are you solving with the product? What benefits have you realized?

Using it as a SIEM, it allows us to generate alerts for the SOC to triage and then kick off more in-depth investigations. It provides different views of your overall security stance under the concept of domains: you can analyze dashboards related to hosts, malware, network activity and so on. It also integrates with threat intelligence frameworks so your detection rules have a higher relevance.

Review source: G2.com
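The reviewer's point about CIM compliance is easy to underestimate: ES correlation searches are typically written against Common Information Model data models (Authentication, Network_Traffic, and so on), so a source whose fields are not mapped to CIM names is simply invisible to those searches, and the rule silently under-counts. The following is an added, self-contained Python illustration (not Splunk code, and not from the page or the reviewer): two constructed log sources, a per-sourcetype normalizer that plays the role of the props/transforms field mapping, and a small "brute force followed by success" rule that stands in for a correlation search. Running the rule once with both sources mapped and once with the Windows source left unmapped shows the difference. Sample events, sourcetype names and the rule itself are constructed for the example.

```python
"""Why CIM normalization matters: a toy data model plus a correlation rule.

Constructed example. The normalizers stand in for Splunk field aliases,
eval-based fields and tags; the rule stands in for an ES correlation search.
"""
import re
from collections import defaultdict

# Constructed sample events, tagged with the sourcetype they were indexed under.
# Both sources describe authentication, but in very different shapes.
SAMPLE_EVENTS = [
    ("linux_secure", "Jan 12 10:00:01 web01 sshd[1234]: Failed password for admin from 10.1.1.5 port 50001 ssh2"),
    ("linux_secure", "Jan 12 10:00:03 web01 sshd[1234]: Failed password for admin from 10.1.1.5 port 50002 ssh2"),
    ("linux_secure", "Jan 12 10:00:05 web01 sshd[1234]: Failed password for root from 10.1.1.5 port 50003 ssh2"),
    ("linux_secure", "Jan 12 10:00:09 web01 sshd[1234]: Accepted password for root from 10.1.1.5 port 50004 ssh2"),
    ("linux_secure", "Jan 12 10:01:00 web01 sshd[1300]: Accepted publickey for deploy from 10.2.2.2 port 50100 ssh2"),
    ("wineventlog", "EventCode=4625 Account_Name=jsmith Source_Network_Address=10.9.9.9 ComputerName=WS07"),
    ("wineventlog", "EventCode=4625 Account_Name=jsmith Source_Network_Address=10.9.9.9 ComputerName=WS07"),
    ("wineventlog", "EventCode=4625 Account_Name=jsmith Source_Network_Address=10.9.9.9 ComputerName=WS07"),
    ("wineventlog", "EventCode=4624 Account_Name=jsmith Source_Network_Address=10.9.9.9 ComputerName=WS07"),
]

SSH_RE = re.compile(
    r"\S+ \d+ [\d:]+ (?P<dest>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize_linux_secure(raw):
    """Map an sshd line onto CIM Authentication field names (action/user/src/dest/app)."""
    m = SSH_RE.search(raw)
    if not m:
        return None
    return {"action": "success" if m["result"] == "Accepted" else "failure",
            "user": m["user"], "src": m["src"], "dest": m["dest"], "app": "sshd"}


def normalize_wineventlog(raw):
    """Map a key=value Windows logon event (4624 success / 4625 failure) onto the same CIM names."""
    kv = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
    code = kv.get("EventCode")
    if code not in ("4624", "4625"):
        return None
    return {"action": "success" if code == "4624" else "failure",
            "user": kv.get("Account_Name"), "src": kv.get("Source_Network_Address"),
            "dest": kv.get("ComputerName"), "app": "win:auth"}


# A fully CIM-mapped deployment versus one where the Windows source was never normalized.
FULL_MAPPING = {"linux_secure": normalize_linux_secure, "wineventlog": normalize_wineventlog}
PARTIAL_MAPPING = {"linux_secure": normalize_linux_secure}


def build_datamodel(events, mapping):
    """Mimic a data model: only sourcetypes with a normalizer contribute rows; the rest vanish."""
    rows = []
    for sourcetype, raw in events:
        normalizer = mapping.get(sourcetype)
        if normalizer is None:
            continue  # unmapped source: invisible to any data-model-driven search
        rec = normalizer(raw)
        if rec is not None:
            rows.append(rec)
    return rows


def brute_force_notables(rows, threshold=3):
    """Correlation rule: at least `threshold` failures from a src, then a success from that src."""
    failures = defaultdict(int)
    notables = []
    for r in rows:
        if r["action"] == "failure":
            failures[r["src"]] += 1
        elif r["action"] == "success":
            if failures[r["src"]] >= threshold:
                notables.append({"rule": "Brute Force Followed By Success", "src": r["src"],
                                 "user": r["user"], "dest": r["dest"],
                                 "failures": failures[r["src"]], "urgency": "high"})
            failures[r["src"]] = 0  # a success closes the window for that source
    return notables


def run(events, mapping, threshold=3):
    """Normalize, then apply the rule; returns the list of notables the SOC would see."""
    return brute_force_notables(build_datamodel(events, mapping), threshold)


if __name__ == "__main__":
    for label, mapping in (("all sources CIM-mapped", FULL_MAPPING),
                           ("Windows source unmapped", PARTIAL_MAPPING)):
        found = run(SAMPLE_EVENTS, mapping)
        print(f"{label}: {len(found)} notable(s)")
        for n in found:
            print("  ", n)
```

With both sources mapped the rule raises two notables (10.1.1.5 against web01, 10.9.9.9 against WS07); with the Windows source unmapped it raises only one, and nothing in the output says a source was missed. That silent gap is exactly the "mediocre" behaviour the review describes, and it is why checking CIM field coverage per sourcetype (not just that events are indexed) belongs in the onboarding checklist for every new log source.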

B2B Software Guide