Cisco’s Splunk acquisition is risky as peers jostle, bills mount, users eye open source opportunities

Splunk has a big target on its back and both established application performance monitoring rivals and upstarts are nipping at its heels.


There was one joke alone that greeted Cisco’s decision to buy data guzzler Splunk for $28 billion, and it was repeated with minor variations ad nauseam across end user circles: “Cheaper than paying the bill?”

Splunk is proud of its position as a leader in two Gartner Magic Quadrants: Application Performance Monitoring (APM) and Observability, and Security Information and Event Management (SIEM).

These showcase, in the 2022 SIEM Magic Quadrant report’s words, Splunk’s “ability to deliver IT observability and analytics to non-security users, while providing joined security operations functionality…”

But (and Splunk is not alone here) bill shock is not uncommon among end users of its services. Slurping up vast amounts of log data from across enterprise ecosystems can get hugely costly, and lengthy threads bewailing recent pain and sharing tips on controlling bills for Splunk, Datadog, or others are common on social media and user forums.

Splunk costs: “Angst” is common


Indeed, among the “concerns” Gartner highlighted in its 2022 SIEM Magic Quadrant (above) were that “Buyers are still reporting angst with Splunk costs and the newer Splunk Virtual Compute (SVC) pricing has not provided the relief promised,” cautioning that “increasing demands to log everything are forcing existing Splunk clients and new buyers alike to look at cheaper alternatives to offset massive data ingestion and storage costs…”

This steady drumbeat of concern about cost and price transparency, at a time when the “pull” of security concerns is being counterbalanced by the “push” of macroeconomic headwinds and aggressive “finops”, has increasingly been capitalised on by Splunk’s challengers.

Peers like New Relic have tried to make hay out of Splunk’s “hidden costs”, and Dynatrace, better known for its application monitoring platform, has started to muscle into the SIEM space, emphasising an ability to marry classic security-driven log analysis with runtime context, threat hunting and more, built around its new “Grail” data lakehouse, launched in 2022, whilst cloud-native security firms like Sysdig tout native process-level visibility into dynamic production environments across cloud and Kubernetes.

Granted, perhaps that is not a concern for Splunk, which has seen ARR grow steadily (to $3.85 billion) and which has tightened up its internal operations under its new CEO, improving cash flow and trimming opex.

"We're excited to bring Cisco and Splunk together. Our combined capabilities will drive the next generation of AI-enabled security and observability," said Chuck Robbins, chair and CEO of Cisco. "From threat detection and response to threat prediction and prevention, we will help make organizations of all sizes more secure and resilient."


But the market dynamic alluded to above has seen companies like Dynatrace and Elastic, which were arguably less traditionally associated with having a strong security offering, start to encroach on Splunk’s turf, citing not just cost efficiency but a world in which the classic log-driven SIEM needs to evolve, and in which AI looks to be a major disruptor.

(Dynatrace, for example, suggests that the “traditional log-based SIEM approach to security analytics may have served organizations well in simpler on-premises environments. But this limited approach causes challenges in today’s hybrid multicloud reality [SecOps teams need] reliable, automated responses based on precise data-driven insights... including topology and runtime context... Experience with the recent MOVEit vulnerability illustrated some of the key incomplete data challenges organizations face when trying to find definitive answers to questions like ‘were we exploited?’ and ‘was any sensitive data stolen?’ Relying only on logs to find indicators of compromise (IoC) is no longer effective, especially for application attacks, because logs simply don’t contain all the clues. As our experience with MOVEit shows, IoCs that remained hidden in logs alone quickly revealed themselves with observability runtime context data, such as metrics, traces, and spans.”)

There are other threats too, not least from DIY open source logging and observability stacks. As Gartner noted in a July 2023 report on APM capabilities (one that saw Splunk drop to 11th place in a list of “Product Scores for Security Operations Use Case”): “Organizations continue to struggle with the increasing cost of monitoring and observability solutions, and many are looking to open-source tools, or open-source-derived products to augment vendor products or as alternatives.”

Asked about the competitive environment on Splunk’s last earnings call, CEO Gary Steele said: “I would say the competitive environment was largely consistent with what we've seen this year. The players that we see in the observability market have remained consistent. And then, on the security side, I would say consistent as well. And even as you go to new customers, you will see incumbents there. You might see some legacy SIEM vendors that we then take out and replace. That's been pretty consistent. So, I would say, there's no -- there's been no big fundamental change competitively.”

But observability and security are big markets, and there are going to be a lot of companies with what Splunk insists is a $100 billion market in their crosshairs. As more vendors in APM and infrastructure monitoring take on log management to round out their observability platforms, and open source and other upstarts start to nibble at the opportunity meaningfully, can Cisco ensure Splunk stays sharp and can respond to how the market is evolving? That is a very big “wait and see”.

History suggests some concerns about life post-Cisco acquisition are not entirely unfounded. But with Cisco building on a series of more recent network performance monitoring acquisitions like ThousandEyes and SamKnows, Splunk will certainly make it a major security player. Will the tailwinds that have driven Splunk to such growth keep blowing in the same way, however? That is a big “watch this space”.