We dug into our own data to find which companies are using Splunk (particularly the Cloud version). We also asked a few engineers from these companies to share with us any interesting use cases they're using Splunk for.
Defense · Reston, Virginia · Splunk
Splunk Enterprise
Splunk Enterprise Security
Splunk SOAR
Splunk ITSI
General Dynamics is one of the biggest defense companies in the country. They make submarines, fighter jets, tanks, that kind of thing. But they also have a huge technology arm called GDIT, with about 30,000 employees, that builds and runs computer systems for the U.S. government. Pretty much every major federal agency uses them in some way.
What's interesting about GDIT and Splunk is that they're not just using it to keep their own company running. They're running Splunk on behalf of the government, on some of the most sensitive systems in the country.
The biggest example is the work they do for the part of the U.S. military that handles the Middle East. GDIT runs the Splunk setup that keeps watch over those networks, looking for cyberattacks and suspicious activity around the clock. Every engineer on that team needs the highest level of security clearance just to walk in the door. They've also built automation on top of Splunk so that when something suspicious shows up, the system can start responding on its own instead of waiting for a human to notice.
GDIT does this kind of work for civilian agencies too. They run Splunk for the U.S. Postal Service, monitoring the systems that keep the mail moving. And they run it for a Navy system that handles pay and personnel records for every sailor in the country, where the data is sensitive enough that protecting it really matters.
There's also a program where GDIT uses Splunk to help the U.S. military share intelligence with allies around the world. Same idea: take a tool most companies use to watch their own networks, and run it on something much higher stakes.
So Splunk shows up all over GDIT's government work. The common thread is that GDIT isn't just a Splunk customer. They're the company the government hires to actually run Splunk on the systems that can't fail.
Banking · San Francisco, California · Splunk
Splunk
Wells Fargo is one of the biggest banks in the country, with about $1.9 trillion in assets and roughly 250,000 employees. They serve one in three households in America, plus they run a sizable investment bank that trades bonds, currencies, and other financial products around the world.
What's interesting about Wells Fargo and Splunk is the team that sits behind it. They have a dedicated group whose entire job is keeping the bank's production systems running, and Splunk is one of their main tools.
This team works around the clock. When something breaks at 3am, like a payment system slowing down or a batch job failing, they're the ones who get the call. They use Splunk to dig through logs and figure out what went wrong, then fix it before it affects customers. They run Splunk alongside other tools like Grafana and AppDynamics as the standard stack for watching over production. When the bank's nightly batch jobs run, when applications get deployed, when something starts behaving oddly, this team is watching through Splunk.
The other place Splunk shows up is on the trading floor. Wells Fargo has trading desks in Hong Kong, New York, Charlotte, and elsewhere where bankers buy and sell bonds, currencies, and other financial products all day. The systems behind that trading have to work fast and they have to work right. If pricing breaks down or trades stop going through, the bank loses real money in real time.
There's a separate team that supports those trading systems, and they use Splunk as part of how they keep things running. When a trader notices something off, this team uses Splunk to trace the problem through the trading systems. They sit close to the traders and work in a follow-the-sun model, with teams in different time zones handing off coverage so there's always someone watching.
Two very different worlds inside one bank. The team running the back office and the team supporting the trading floor have completely different rhythms, but both rely on Splunk to do their jobs.
Cybersecurity · Austin, Texas · Splunk
Splunk
CrowdStrike is one of the biggest cybersecurity companies in the world. Their main product, called Falcon, sits on company laptops and servers and watches for cyberattacks. They protect thousands of organizations, which means their software is generating an enormous amount of data every second of every day. Every login, every file change, every network connection on every protected machine becomes a log entry that has to be stored, searched, and analyzed.
What makes CrowdStrike interesting is that they used Splunk as the engine behind their actual product, not just for internal IT monitoring. They built what they themselves described as a peta-scale Splunk cluster, running 24/7, used to spot adversaries and stop breaches in real time. A petabyte is a million gigabytes, so peta-scale means they were storing and searching across multiple petabytes of security data at once. That's the kind of scale you only see at companies whose entire business depends on processing huge amounts of data fast.
The team running it had a tough job. Every change they made had to allow for continued scaling, because the volume kept growing as CrowdStrike added more customers. They wrote a lot of automation in Python just to keep up, and engineers were on call around the clock because the cluster couldn't go down. If Splunk slowed, threat detection slowed, and that meant attacks could slip through.
Then in 2021, CrowdStrike bought a company called Humio for around $400 million. Humio was a logging platform, basically a competitor to Splunk, designed for the kind of high-volume work CrowdStrike was already doing. After the acquisition, CrowdStrike started shifting some workloads off Splunk and onto Humio. Engineers were asked to support both platforms during the transition, which is how these migrations actually work. You don't move petabytes of data overnight, and you don't rip out a tool that's actively protecting customers from cyberattacks. You move things over piece by piece while keeping everything running.
So the CrowdStrike story is really one of evolution. Splunk was the foundation that let them scale up to the size they are today, the tool that handled the data behind their product when they were growing fastest. Then they decided to bring that capability in-house by buying Humio and starting a long migration. Two big bets, in sequence, on how to handle the data behind a security business.
Financial Services · New York, NY · Splunk Enterprise, Splunk Cloud
Splunk Enterprise
Splunk Cloud
Morgan Stanley has been in financial services since 1935, and these days it runs technology operations across 42 countries for roughly 80,000 employees. When you're moving that much money around, one system hiccup you didn't spot in time can cost real money. So the firm has quietly built Splunk into the nervous system of how it watches its own machinery.
The reach is genuinely wide. Splunk sits inside Wealth Management's production platforms, the Institutional Securities trading stack, the FX trading flow, fund services, and the Deposits modernization effort that's pulling workloads off the old mainframe. If a trade is moving somewhere in the firm, Splunk is almost certainly watching the pipes.
The cybersecurity side is where things get really interesting. Morgan Stanley's Cyber Data Risk & Resilience group pipes logs and events from across the firm into Splunk so they can spot anything that looks off, treating it like a giant search engine for security data. Custom rules pull out the bits that matter, and in-house automation tools keep the whole thing humming as new data sources come online.
They've also started wiring Splunk into their GenAI ambitions. Inside Fraud Technology, the observability stack feeds real-time fraud screening platforms that now layer on large language models and smart search to explain alerts in plain English and summarize weird patterns automatically, so a human doesn't have to read through thousands of rows of logs to figure out what happened.
What's wild is how far down the org chart it goes. The group supporting the firm's most senior leaders globally uses Splunk as one of its core diagnostic tools, so when a board member has a technology issue, the investigation often starts there. Same tool, radically different use case.
Splunk doesn't stand alone in the stack. Grafana, Prometheus, Dynatrace, and AppDynamics all show up next to it depending on the workload. But Splunk is the one that keeps reappearing across divisions, geographies, and use cases, which tells you everything about how embedded it's become.
Financial Services · Stamford, CT · Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
Splunk Enterprise
Splunk Cloud
Splunk Enterprise Security
Splunk Universal Forwarders
Synchrony is one of those companies most people use without realizing it. If you've ever opened a store card at a big retailer, financed a vet visit, or set up payments for a new set of tires, there's a good chance Synchrony was quietly running the credit behind it. They power consumer financing across retail, health and wellness, auto, home, pet, and more, which means billions of transactions flowing through their systems every year.
To keep that machinery running smoothly, they've built a serious Splunk operation. A dedicated Enterprise Logging group looks after the whole setup, which spans both on-prem Splunk and Splunk Cloud. The scale is eye-catching: more than 11,000 Splunk Universal Forwarders pushing data in from hosts and network feeds all over the company.
Forwarders are tiny agents sitting on servers whose job is to ship logs back to a central place where questions can be answered. With 11K+ of them running, pretty much every corner of Synchrony's infrastructure is visible.
Security is a huge chunk of why it's there. They run Splunk Enterprise Security on top, which turns all those logs into a giant detection engine for spotting threats, sketchy access attempts, and things that shouldn't be happening. The identity and access management folks plug directly into it for monitoring and analytics.
But it's far from just a security tool. Synchrony's digital servicing apps, mobile apps (MySynchrony), payments platforms, and BNPL products all lean on Splunk for production support. When something breaks in the app someone uses to pay their credit card bill, Splunk is usually where the investigation starts.
The marketing side uses it too. Their Martech stack integrates email, SMS, customer data platforms, and ad tech, and Splunk helps keep all those moving parts visible. Even their client support group uses it to track contractual SLAs when partner merchants ask how the authorization systems are performing.
Synchrony hasn't just dropped Splunk in and called it a day. They automate upgrades and config changes with Chef, Ansible, and Terraform, keeping the whole platform at N-1 patch level to stay ahead of vulnerabilities. It runs alongside New Relic and Grafana in the observability mix, but Splunk is clearly the workhorse for logs and security telemetry across the board.
Financial Services · Jersey City, NJ · Splunk Enterprise, Splunk ITSI, Splunk Enterprise Security
Splunk Enterprise
Splunk ITSI
Splunk Enterprise Security
Brown Brothers Harriman has been around since 1818, which makes them older than most countries' current borders. They're a private partnership serving asset servicing clients across 90 markets and running multi-family office services, investment management, and corporate advisory for a pretty selective roster of clients.
A bank that old could easily be stuck in the past, but their observability stack tells a different story. BBH runs a serious Splunk shop as the centralized logging and observability platform for the entire firm, and they've been doing it for years.
The setup is a full-blown enterprise deployment: search heads, indexers, deployers, deployment servers, and both heavy and universal forwarders feeding data in from every corner of the firm.
Where things get interesting is what sits on top. BBH runs Splunk ITSI to build IT service models that map their infrastructure components to actual business services. This means they can look at a dashboard and know not just whether a server is healthy, but whether the trading platform or asset servicing flow it supports is actually working for clients. KPIs get tuned continuously to keep alerts meaningful instead of noisy.
They also run Splunk Enterprise Security as the backbone of their cyber threat monitoring operation. The threat hunting team uses SPL queries to proactively dig through logs looking for adversary activity, mapping findings to the MITRE ATT&CK framework and building custom detections when they spot new patterns. When a Tier-3 incident fires off, Splunk is where the investigation starts.
The automation side is where BBH really leans in. A global team constantly expands what gets monitored automatically and scripts operational recovery so issues resolve themselves before anyone has to wake up. Ansible pushes configs and manages upgrades, and the whole thing is version-controlled in Git.
Data onboarding gets the full treatment too: CIM compliance, custom parsing rules, correlation rule development, and integration with ITSI all handled by engineers who hold Splunk Architect certifications.
For a 200-year-old bank, that's a pretty modern operation. The fact that they're hiring Splunk engineers in both Krakow and Jersey City simultaneously tells you this isn't a side project. It's a core piece of how BBH keeps its promise of premium service to some of the most demanding clients in finance.
Financial Services · New York, NY · Splunk Enterprise, Cribl
Splunk Enterprise
Cribl Stream
Cribl Edge
JPMorganChase has been around since 1799, which makes it one of the oldest financial institutions still standing. Today it runs banking, investment banking, asset management, and payments across 100 markets for roughly 226,000 employees.
A firm operating at that scale doesn't get the luxury of flying blind. Every trade, payment, and login needs to be watched, and when something looks off, someone has to figure out why fast.
Inside JPMC's Enterprise Platforms organization, Splunk is the foundation of the monitoring and telemetry stack. Logs, metrics, and events flow from every corner of the firm into it, giving engineers a single place to investigate incidents and spot operational problems before they turn into outages.
Dedicated engineers own the Splunk platform end to end: indexes, sourcetypes, inputs, and the props and transforms that shape incoming data. They tune SPL searches, build alerts and dashboards, and keep the whole Splunk app ecosystem running across environments.
What makes the JPMC setup really interesting is how they've paired Splunk with Cribl. Cribl sits in front of Splunk as a smart traffic controller for log data, routing events through pipelines that parse, enrich, redact sensitive fields, sample noisy sources, and drop what isn't worth the storage cost. It's a serious way to keep observability costs in check at bank scale.
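The pipeline stages named above (parse, enrich, redact, sample, drop) are illustrated below in plain Python. This is an added example, not JPMC's configuration and not Cribl's API; the field names, host naming convention, drop and masking policy, and log lines are all constructed.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed policy, constructed for this example.
DROP_PATHS = {"/healthz"}            # health checks: not worth the storage
MASK_FIELDS = {"password", "token"}  # replaced outright
CARD_FIELDS = {"card_number"}        # keep only the last four digits


def parse(line):
    """Parse a key=value log line into a dict (quoted values may hold spaces)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def enrich(event):
    """Add an env field derived from an assumed host naming convention."""
    host = event.get("host", "")
    event["env"] = "prod" if "-prod-" in host else "dev" if "-dev-" in host else "unknown"
    return event


def redact(event):
    """Mask sensitive fields before the event is forwarded to the index."""
    for name, value in event.items():
        if name in MASK_FIELDS or (name in CARD_FIELDS and len(value) < 12):
            event[name] = "[REDACTED]"
        elif name in CARD_FIELDS:
            event[name] = "*" * (len(value) - 4) + value[-4:]
    return event


def serialize(event):
    """Write the event back out as key=value text, quoting values with spaces."""
    return " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in event.items())


class Pipeline:
    def __init__(self, sample_rate=10):
        self.sample_rate = sample_rate
        self.seen = Counter()    # DEBUG events seen per host
        self.stats = Counter()   # volume accounting

    def process(self, line):
        """Return the forwarded line, or None if the event is dropped."""
        self.stats["bytes_in"] += len(line)
        event = parse(line)
        if event.get("path") in DROP_PATHS:
            self.stats["dropped"] += 1
            return None
        if event.get("level") == "DEBUG":
            host = event.get("host", "")
            self.seen[host] += 1
            # Deterministic 1-in-N sampling: keep the 1st, (N+1)th, ... event.
            if (self.seen[host] - 1) % self.sample_rate != 0:
                self.stats["sampled_out"] += 1
                return None
            event["sample_rate"] = str(self.sample_rate)  # lets searches re-scale counts
        out = serialize(redact(enrich(event)))
        self.stats["bytes_out"] += len(out)
        return out


def run(lines, sample_rate=10):
    """Push lines through a fresh pipeline; return (forwarded lines, stats)."""
    pipeline = Pipeline(sample_rate)
    forwarded = [r for r in map(pipeline.process, lines) if r is not None]
    return forwarded, dict(pipeline.stats)


# Constructed sample input.
SAMPLE_LINES = (
    ["host=pay-prod-01 level=INFO path=/charge card_number=4111111111111111 user=alice status=200",
     "host=pay-prod-01 level=INFO path=/healthz status=200"]
    + [f'host=pay-dev-02 level=DEBUG msg="cache miss" key=k{i}' for i in range(6)]
    + ["host=pay-prod-01 level=WARN path=/login password=hunter2 user=bob status=401"]
)

if __name__ == "__main__":
    forwarded, stats = run(SAMPLE_LINES, sample_rate=3)
    print("\n".join(forwarded))
    print(stats)
```

Recording `sample_rate` on each kept event matters downstream: a search counting DEBUG events has to multiply by it to estimate the true volume.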
Splunk doesn't live alone in the stack. Grafana and Elastic sit alongside it for different workloads, but Splunk is clearly the anchor when the question is "what just happened and why."
Utilities · Tempe, AZ · Splunk Enterprise
Splunk Enterprise
Salt River Project has been keeping the lights on in Arizona since 1903. Today they deliver electricity to roughly a million customers across metropolitan Phoenix along with water services that literally make desert life possible. As one of the largest public power and water utilities in the country, a bad day at SRP isn't a slow dashboard, it's traffic lights going dark and air conditioners cutting out in 115-degree heat.
That's why SRP runs Splunk not in one place, but in two distinct environments that most companies never have to think about.
The first is the usual corporate Splunk setup, where the Security Operations Center hunts for threats across SRP's enterprise IT. Analysts build dashboards, correlation rules, and playbooks to triage events, pulling in threat intelligence from government partners and industry sources to stay ahead of whatever's targeting utilities this week.
The more interesting half is the OT Splunk platform. OT stands for Operational Technology, the industrial control systems that actually run the substations, power plants, and water infrastructure. These aren't regular servers. They're specialized gear that speaks protocols most IT folks have never heard of, and they need a completely separate logging and monitoring environment because a mistake in OT doesn't mean a frustrated customer, it means an outage for a city.
SRP has a dedicated OT Splunk Administrator role whose entire job is owning that environment end to end. They onboard data from control centers, substations, and industrial systems, validate that it's flowing cleanly, and build the dashboards and alerts that give operations teams eyes on the grid. The OT Splunk also has to satisfy NERC CIP, the security rules North American electric utilities have to follow to stay compliant with the regulators who oversee grid reliability.
Splunk gets paired with OT-specific monitoring tools like Dragos, Nozomi, and Claroty, which understand industrial protocols. The SOC uses all of that together to hunt for threats that might be targeting the grid specifically, since attacks on utility OT environments are a known and growing concern.
Financial Services · Windsor, CT · Splunk Enterprise
Splunk Enterprise
Splunk SmartStore
SS&C Technologies is one of those companies that almost every big financial firm touches without the average person ever hearing about them. Based in Windsor, Connecticut, with 27,000+ employees across 35 countries, they build the technology behind 20,000+ financial services and healthcare organizations, from giant asset managers to small shops. If you've ever had a 401k statement, a mutual fund account, or a medical claim processed, odds are pretty good SS&C software was running somewhere in the plumbing.
Keeping that kind of plumbing stable is where Splunk comes in.
SS&C runs Splunk Enterprise as a proper on-prem deployment, not just a basic install. They run it in a distributed setup where multiple Search Head Clusters and Indexer Clusters work together to handle serious volumes of log data without slowing down. They also use SmartStore, a Splunk feature that moves older data to cheaper storage so the system doesn't get bogged down keeping everything on expensive disks.
The engineering work goes deeper than just keeping the lights on. The team owns the whole Splunk data pipeline from start to finish. That means managing how data gets in (forwarders), how it gets cleaned up (parsing rules), how it gets stored (indexes), and how people search it. SPL queries, dashboards, and alerts get tuned to be genuinely useful instead of noisy walls of information.
Where SS&C puts real focus is on making observability actually work for the rest of the company. Instead of just running Splunk and letting application teams dump logs into it, they partner with infrastructure and app teams to onboard data the right way, set standards around naming and tagging, and keep tamping down alert noise so real incidents stand out.
There's also a strong culture of production discipline: change windows, backups, rollback plans, and post-change checks. The kind of habits you need when your software is processing trades, fund accounting, and healthcare claims for thousands of clients every day.
Aerospace & Defense · Élancourt, France · Splunk Enterprise, Splunk Enterprise Security, Splunk ITSI
Splunk Enterprise
Splunk Enterprise Security
Splunk ITSI
Airbus is one of the two companies that make most of the world's commercial airliners, sharing the sky with Boeing. They also build military aircraft, helicopters, satellites, and space systems, employing around 86,000 people worldwide.
A company that designs planes and defense platforms can't afford sloppy IT, and what's striking about Airbus is just how deep Splunk runs through the entire organization.
Airbus has its own in-house cybersecurity arm with over 450 specialists who protect not just Airbus itself but also government, military, and institutional clients across Europe. Splunk sits at the heart of their security operations center, working alongside other tools that watch for malware on laptops, automate responses to attacks, and detect intruders on the network.
The Splunk setup is a big one, spread across multiple servers and tuned with custom rules, integrations with company login systems, and detailed parsing to make sense of mountains of log data.
What makes their approach really interesting is how they build detections. Most companies click through a Splunk interface to set up alerts one by one. Airbus treats detections like software, storing them in code repositories, testing them automatically, and deploying them through pipelines, the same way developers ship new features in an app.
They also map their coverage against MITRE ATT&CK, which is basically a big catalog of known hacker techniques, so they can see exactly which attacks they can spot and which ones they can't. Then they run fake attacks in a lab to make sure their alerts actually fire when they should. That's a level of rigor most companies never reach.
Splunk also shows up in parts of Airbus that have nothing to do with security. It helps keep the systems that deliver aircraft maintenance manuals to airlines running around the clock. On the factory floor, it watches the tools that balance workloads across assembly lines so planes get built efficiently.
Teams building Earth-observation satellites use Splunk dashboards to analyze test results automatically. Even the helicopter division pulls Splunk into the stack that runs their customer and sales systems.
Financial Services · Atlanta, GA · Splunk Enterprise, Splunk Cloud, Splunk Observability Cloud
Splunk Enterprise
Splunk Cloud
Splunk Observability Cloud
Worldpay is one of those companies whose name you might not recognize, but whose technology you've definitely used. Every time you tap a card at a coffee shop, check out online, or pay a subscription, there's a good chance Worldpay is silently moving that money behind the scenes.
The scale is almost hard to believe. Worldpay processes around 2.2 trillion dollars in payments every year, across 146 countries and more than 135 different currencies, supporting over a million merchants worldwide. They're the largest card payment processor by volume on the planet.
When you're running plumbing that big, you can't afford for anything to go quietly wrong. Even a few minutes of trouble can mean millions of failed transactions. That's where Splunk comes in.
Worldpay runs a full Splunk stack, not just one product. They use Splunk Enterprise for their on-premises servers, Splunk Cloud for their cloud systems, and Splunk Observability for tracking how fast and smoothly their applications are running. Think of those three together as a giant command center that shows every heartbeat of their payments network in real time.
The infrastructure sitting underneath all this is enormous. Worldpay runs around 20,000 servers, thousands of databases, and petabytes of storage, spread across their own data centers and public cloud. Splunk is the tool that ties all of that together, pulling in logs, metrics, and performance data so engineers can see what's happening everywhere at once.
There's a dedicated Splunk and observability team inside Worldpay's Infrastructure Services group. They build dashboards that show system health, set up alerts that catch problems before merchants notice, and pipe data from cloud services, containers, and applications through OpenTelemetry, which is basically a modern standard for collecting that kind of data.
The team also runs 24/7 rotational shifts, which makes sense. Payments don't sleep, and neither can the people watching over them. When a bank in Asia goes quiet at 3 AM local time, someone somewhere is looking at a Splunk dashboard making sure things keep flowing.
Financial Services · Brussels, Belgium · Splunk Enterprise, Splunk Enterprise Security, Palo Alto Cortex XSOAR
Splunk Enterprise
Splunk Enterprise Security
Palo Alto Cortex XSOAR
Euroclear is one of those companies almost nobody outside finance has heard of, but without them, European capital markets would grind to a halt. They're a settlement house, meaning they're the invisible layer that makes sure when someone buys a bond or a share, the money and the asset actually change hands correctly. Think of them as a giant clearing post office for trillions of dollars of securities.
They connect more than 2,000 financial institutions around the world, settling trades in bonds, equities, derivatives, and investment funds. If a European bank buys government debt or a pension fund swaps shares, Euroclear is usually the one making the transfer happen safely behind the scenes.
When you're sitting at the center of global capital markets, security and reliability aren't nice-to-haves. They're the entire job. That's why Splunk plays such a central role inside Euroclear's operations.
At the heart of their cyber defense sits Splunk Enterprise Security, their SIEM. Euroclear's detection engineering team writes custom correlation searches mapped to the MITRE ATT&CK framework, which is basically the industry's master list of known attacker behaviors.
What makes their setup stand out is how seriously they treat detection quality. They run adversary simulations using tools like Atomic Red Team and MITRE CALDERA, which safely mimic real attacker techniques to test whether Splunk actually catches them. They manage their detection rules like software code through Git and CI/CD pipelines, a practice known as detection-as-code.
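The detection-as-code workflow described here and in the Airbus section above (rules kept in a repository, tested automatically against simulated attacks, and mapped to MITRE ATT&CK to expose coverage gaps) is illustrated below. This is an added example, not Euroclear's or Airbus's code: the rule schema, rule names and events are constructed, and rules are plain field matches in Python rather than SPL.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1110 or T1059.001


@dataclass
class Detection:
    """One rule as it would sit in the repository (hypothetical schema)."""
    name: str
    technique: str          # MITRE ATT&CK technique ID
    match: dict             # field -> value; every pair must match
    group_by: str = "host"
    threshold: int = 1      # matching events per group needed to alert
    should_fire: list = field(default_factory=list)      # simulated attack events
    should_not_fire: list = field(default_factory=list)  # benign baseline events


def evaluate(det, events):
    """Return the sorted group keys for which the rule raises an alert."""
    hits = Counter(
        e.get(det.group_by, "")
        for e in events
        if all(e.get(k) == v for k, v in det.match.items())
    )
    return sorted(key for key, n in hits.items() if n >= det.threshold)


def check(det):
    """CI gate for one rule: metadata lint plus positive and negative tests."""
    problems = []
    if not ATTACK_ID.match(det.technique):
        problems.append("invalid ATT&CK technique id")
    if not det.should_fire or not det.should_not_fire:
        problems.append("missing test events")
    if det.should_fire and not evaluate(det, det.should_fire):
        problems.append("silent on simulated attack events")
    if evaluate(det, det.should_not_fire):
        problems.append("fires on benign events")
    return problems


def coverage(detections, in_scope):
    """Map each in-scope technique to the rules that passed CI; [] is a gap."""
    report = {t: [] for t in in_scope}
    for det in detections:
        if check(det):
            continue  # a rule that fails its own tests provides no coverage
        parent = det.technique.split(".")[0]  # sub-technique counts for parent
        for t in (det.technique, parent):
            if t in report and det.name not in report[t]:
                report[t].append(det.name)
    return report


def failed_logins(src_ip, n):
    """Constructed events: n failed logins from one source address."""
    return [{"action": "login_failure", "src_ip": src_ip, "user": f"user{i}"}
            for i in range(n)]


# Constructed rule set. The third rule carries a deliberate defect.
DETECTIONS = [
    Detection("password_guessing_burst", "T1110", {"action": "login_failure"},
              group_by="src_ip", threshold=5,
              should_fire=failed_logins("203.0.113.7", 6),
              should_not_fire=failed_logins("198.51.100.4", 2)),
    Detection("encoded_powershell", "T1059.001",
              {"process": "powershell.exe", "encoded_command": True},
              should_fire=[{"host": "ws-01", "process": "powershell.exe", "encoded_command": True}],
              should_not_fire=[{"host": "ws-01", "process": "powershell.exe", "encoded_command": False}]),
    Detection("account_created", "T1136",
              {"event_id": 4720},  # defect: the parsed field arrives as a string
              should_fire=[{"host": "srv-02", "event_id": "4720"}],
              should_not_fire=[{"host": "srv-02", "event_id": "4624"}]),
]
IN_SCOPE = ["T1003", "T1059", "T1110", "T1136"]  # assumed scope for the report

if __name__ == "__main__":
    for det in DETECTIONS:
        print(det.name, check(det) or "ok")
    print(coverage(DETECTIONS, IN_SCOPE))
```

The third rule looks fine in review and has a valid ATT&CK mapping, yet never alerts because of a type mismatch; only replaying attack-like events through it shows that T1136 is still a gap.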
Splunk also feeds into their Cortex XSOAR platform for automated response, so when an alert fires, predefined playbooks can start investigating, containing, and resolving threats without waiting for a human to manually click through every step. Under that sits a 24/7 Security Operations Centre staffed in tiers, with analysts escalating through Tier 1, Tier 2, shift leads, and team leads around the clock.
Beyond security, Splunk shows up across Euroclear's broader technology stack too. They're in the middle of a massive modernization program, moving their legacy CREST settlement system (the backbone of UK securities settlement) off mainframes and onto modern Java-based microservices running on OpenShift and Kafka. Splunk provides the observability layer that helps engineers see what's happening across both the old mainframe world and the new containerized world during this multi-year migration.