Last week, Splunk held its annual user conference — .conf — in Las Vegas with over 4,000 customers, partners, and sponsors in attendance. While this was the 15th .conf, it was the first ever as a Cisco company. The tagline “The Splunk you love. Now even better.” was ubiquitous throughout the conference.

Splunk enjoys one of the most enthusiastic user communities in the cybersecurity and observability markets. Past .conf conferences were full of passionate users who were excited to learn, show off their skills, and pick up a cool t-shirt or hoodie. This year’s .conf was a little more subdued than years past. Some of this can likely be attributed to the recent acquisition. Some customers we spoke to at the event expressed apprehension about the acquisition and Splunk’s future, so if you’re experiencing similar angst, you’re not alone.

The Big Question: “What Will Happen To Splunk?”

.conf came a bit too early to make any definitive statements regarding the acquisition’s success or failure. It’s only been three months since the acquisition closed. In that time, the only major change in Splunk’s org chart has been Gary Steele’s position, moving from CEO of Splunk to president of go-to-market for Cisco. It’s a positive sign that Cisco isn’t making chop cheese out of the company org structure so far, but the question remains: Will Splunk change Cisco, or will Cisco change Splunk?

To its credit, Cisco is very aware of market perception that it will destroy Splunk. Cisco executives were quick to call this out, with hoodie-wearing Chuck Robbins (CEO, Cisco) and Jeetu Patel (EVP & GM, Cisco Security & Collaboration) both stating during keynotes that they “will not screw this up” to the point that it began to feel like overselling.

Splunk’s Key .conf Announcements

Splunk has suffered from a perceived lack of innovation over the past four years. It’s also experienced some brain drain after the acquisition announcement. While it did release some interesting innovations on the data side with federated analytics, the remaining announcements focused on feature completeness, such as data pipeline management and Splunk native to Azure. Highlights from key .conf announcements include:

  • Integrating Cisco Talos threat intelligence. The free integration of Cisco Talos threat intelligence into Splunk was the big announcement. This addresses one critical pain point that clients have had for years. It’s also a good strategy to introduce Cisco to Splunk customers with its security- and intelligence-focused team. While a positive for Splunk security customers, it’s not an innovation and is table stakes for Cisco security products.
  • Building on the “SOC of the future” initiative. Other security announcements included improvements for its “security operations center of the future” initiative, which is based on being a single platform and using AI. This also includes AI Assistant in Security (currently in private preview) to help with incident investigation and remediation.
  • Adding AI for security. Splunk has taken a measured approach to AI compared to its security competitors. Given the hyper-enthusiasm from other vendors around generative AI in security, Splunk’s conservative approach that seeks to deliver real security outcomes stands out. Its AI announcements, however, were lackluster and similar to those that rushed out their AI message: natural language to query language conversion, alert summarization, and product documentation search.
  • Releasing a new version of Splunk Enterprise Security. Splunk also announced Enterprise Security 8.0, which features full integration with its security orchestration, automation, and response (SOAR) tool as well as enhancements for threat detection and response.

Sticking With Splunk

Two big things keep customers with Splunk: the user community and the technical debt that they have already invested into the tool. For customers considering a move off Splunk, it’s likely to take a lot of engineering power and a variety of tools to make the transition possible. At the least, you’ll need security information and event management, SOAR, user behavior analytics, a threat intelligence platform, and perhaps a data pipeline management tool such as Cribl or Tenzir.

Current customers should keep an eye on the Splunk roadmap and investments into innovation. For now, Cisco is investing in Splunk’s future and is funding integration separately. Hold product teams accountable for failure to meet roadmap commitments and for signs that innovation is slowing in this highly competitive environment.

Forrester clients can set up a guidance session or inquiry with us to discuss your options for security log data management moving forward.