Splunk started as a logfile analysis tool, a category that has now been gentrified into the SIEM category. That is how it works, but what it does is best captured by one of the company’s famous t-shirt slogans: looking for trouble. The latest evolution of the Splunk product offers timely and necessary tools that further that goal, but as with any increasingly complex solution, there are corresponding challenges in reaching the audience.
The Event
Being 2020, this was, of course, a virtual event. I was mainly involved in the private analyst sessions, but the website was easy to navigate and well designed to support a global audience. Content was available in multiple languages and structured around roles and skill levels, and there was an impressive roster of outside speakers including actors, a singer, and restaurateurs. I don’t normally pay attention to sessions with sportspeople; however, this is Splunk, so it was a bit different, as the chat was with skateboarding legend Tony Hawk. He had also recorded a special video explaining, and demonstrating, the history of the Ollie. Both were excellent.
Despite the content being virtual, we did not miss out on the usual free food and merchandise that make events popular and special. Ahead of time, we received a kit of cool Splunk-branded material and a treasure trove of munchies to keep us attentive and not wandering off for snacks. This hybrid format is definitely the future of events.
The Product
While the theme of .conf20 was creating a platform for “Data-to-Everything” innovation, for me the key message was that the tool is expanding to meet the needs of a world going cloud. Splunk Cloud was launched back in 2013, but in line with any sensible IT organisation, the focus is now fully on cloud delivery. This is particularly important at a time when most businesses are fighting with workload spread across multiple cloud providers, SaaS vendors and legacy on-premises systems. The complexity of hybrid cloud needs to be matched by a cloud native SIEM approach, and this is precisely what Splunk is offering.
The Splunk Observability Suite is their answer to providing a universal window into the innards of your IT estate, reaching across the spectrum of IT roles, including developers as well as technical and operations support functions. Developers will welcome a more standard programming language, SPL2, and commitment to open source. Great support too for a DevOps approach, and they are quick to emphasise that this is using the actual data for feedback, not sampling or predictive, and from some of the client examples that includes a vast amount of data even by modern standards.
Given the ability to handle petascale data, Splunk is also addressing the growing world of machine learning, with the intention of adding data scientists to their target market. Part of this is the introduction of SMLE, Splunk Machine Learning Environment, which I will write about another time.
The Pricing
Splunk is moving its clients from fixed licenses to workload pricing, basically charging for what they use. This is, of course, in line with other SaaS and Cloud vendors, and it makes absolute sense in the new world where workload volumes may change dramatically from unexpected events. That flexibility is invaluable, although it does require a change in thinking from CFOs and the budgeting process. It also allows us This is clearly a big step forward in business model, and judging by the financial figures shared with us, it has been a big success.
The Problem
All this is great, but Splunk now faces three challenges. The first is getting over that looking for trouble message to an ever-broader constituency, many of whom will not understand the mechanisms in the same way as those of us who are used to debugging systems. The messaging will have to be adapted to describe the business benefits more directly, and not the unquestionable technical capabilities.
The second issue, and thanks to Bola Rotibi for highlighting this, is the need for vertical solutions that address industry-specific needs. Splunk needs to expand its range of implementation partners to achieve this, rather than attempting to develop domain expertise in house.
The final challenge is that of converting insights into action. Observability is a great start, but even better would be the ability to recommend fixes or indeed to activate them in well-defined cases. Automating finding the trouble and solution is an obvious objective, but until that can be done reliably, non-technical people will struggle to understand the value proposition as currently expressed.