Difference between 'Splunk ES Integration for Security Operations' plugin & 'Splunk Enterprise Event Ingestion for Security Operations' plugin?

haridevan1
Tera Contributor

Can anyone please help me with the difference between the 2 plugins and what their functionality is?

What does a notable event mean in this perspective? 


Yes for sure.  I guess the main limitation that was a deal breaker for us was you didn't have the ability to send calculated data over to ServiceNow using the Splunk Enterprise Event Ingestion for Security Operations plugin.  Meaning the only way to get data over (from what I remember) was to create a "fired alert" and then you were limited to fields that would show up under the "events" tab in Splunk.  The only way to get data in the events tab is to run in verbose mode, but verbose/fast/smart mode didn't affect alerting.  You can't tell an alert to run in "verbose" mode.  So the only way to get the data you wanted specifically was to use a "fields" command and spit out the fields you wanted using "fields".  Anything that was created using | stats or | table or any piped commands wouldn't send data over to ServiceNow.  Maybe this has changed since I've done it, but not being able to use piped commands was the deal breaker for us.
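To make the limitation in the reply above concrete, here are two alert searches written as an added example (not from the original thread, and not from either plugin's documentation); the index, sourcetype and field names are assumed. The first keeps raw events and trims them with `fields`, so the named fields appear under the alert's events tab and can be mapped by the ingestion plugin; the second is a transforming `stats` search, which the reply says would not carry its calculated columns across.

```spl
/* Alert 1: raw events, narrowed with the fields command.
   Each fired alert still carries individual events, so src_ip,
   dest_ip and user are visible under the events tab. */
index=firewall sourcetype=pan:traffic action=blocked
| fields _time src_ip dest_ip dest_port user

/* Alert 2: transforming search (stats) for the same data.
   The per-source count is a calculated column that only exists in
   the statistics tab, so per the reply it does not reach ServiceNow. */
index=firewall sourcetype=pan:traffic action=blocked
| stats count AS blocked_hits, dc(dest_port) AS ports_hit BY src_ip
| where blocked_hits > 100
```

If you need the threshold logic from Alert 2, one workaround consistent with the reply is to keep the alert search event-based (Alert 1) and set the threshold in the alert's trigger condition rather than in a piped command.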