Deep Dive into Splunk .conf20
Splunk started as a logfile analysis tool, a category that has since been gentrified into SIEM. That is how it works, but what it does is best captured by one of the company’s famous t-shirt slogans: looking for trouble. The latest evolution of the Splunk product offers timely and necessary tools that further that goal, but as with any increasingly complex solution, there are corresponding challenges in reaching the audience.
This being 2020, it was, of course, a virtual event. I was mainly involved in the private analyst sessions, but the website was easy to navigate and well designed to support a global audience. Content was available in multiple languages and structured around roles and skill levels, and there was an impressive roster of outside speakers including actors, a singer, and restaurateurs. I don’t normally pay attention to sessions with sportspeople; however, this is Splunk, so it was a bit different, as the chat was with skateboarding legend Tony Hawk. He had also recorded a special video explaining, while demonstrating, the history of the Ollie. Both were excellent.
Despite the content being virtual, we did not miss out on the usual free food and merchandise that make events popular and special. Ahead of time, we received a kit of cool Splunk-branded material and a treasure trove of munchies to keep us attentive and not wandering off for snacks. This hybrid format is definitely the future of events.
While the theme of .conf20 was creating a platform for “Data-to-Everything” innovation, for me the key message was that the tool is expanding to meet the needs of a world going cloud. Splunk Cloud was launched back in 2013, but in line with any sensible IT organisation, the focus is now fully on cloud delivery. This is particularly important at a time when most businesses are wrestling with workloads spread across multiple cloud providers, SaaS vendors and legacy on-premises systems. The complexity of hybrid cloud needs to be matched by a cloud-native SIEM approach, and this is precisely what Splunk is offering.
The Splunk Observability Suite is their answer to providing a universal window into the innards of your IT estate, reaching across the spectrum of IT roles, including developers as well as technical and operations support functions. Developers will welcome a more standard programming language, SPL2, and a commitment to open source. There is great support too for a DevOps approach, and they are quick to emphasize that feedback is driven by the actual data, not by sampling or prediction. Judging by some of the client examples, that means a vast amount of data even by modern standards.
Given the ability to handle petascale data, Splunk is also addressing the growing world of machine learning, with the intention of adding data scientists to their target market. Part of this is the introduction of SMLE, Splunk Machine Learning Environment, which I will write about another time.
Splunk is moving its clients from a fixed-ingest model to workload pricing, basically charging for what they use. This is, of course, in line with other SaaS and cloud vendors, and it makes absolute sense in the new world where workload volumes may change dramatically because of unexpected events. That flexibility is invaluable, although it does require a change in thinking from CFOs and the budgeting process. This is clearly a big step forward in the business model, and judging by the financial figures shared with us, it has been a big success.
All this is great, but Splunk now faces three challenges. The first is getting that “looking for trouble” message across to an ever-broader constituency, many of whom will not understand the mechanisms in the same way as those of us who are used to debugging systems. The messaging will have to be adapted to describe the business benefits more directly, rather than the unquestionable technical capabilities.
The second issue, and thanks to Bola Rotibi for highlighting this, is the need for vertical solutions that address industry-specific needs. Splunk needs to expand its range of implementation partners to achieve this, rather than attempting to develop domain expertise in house.
The final challenge is that of converting insights into action. Observability is a great start, but even better would be the ability to recommend fixes, or indeed to apply them automatically in well-defined cases. Automating both the finding of the trouble and the solution is an obvious objective, but until that can be done reliably, non-technical people will struggle to understand the value proposition as currently expressed.