Wow - I guess I'm both surprised and completely unsurprised. Surprised because Splunk is a pretty big pill to swallow. Unsurprised because they've obviously been interested in the space for a long time (they attempted to acquire Datadog and got shot down).
That's really a shame, Cisco buying anyone is often a death knell for the product. Look at their acquisition of security companies like Protego, Stealthwatch, ThousandEyes, and others that languish there, bled into watered down features for other dubious Cisco products and disappear into the ocean. Customers then abandon the products to again escape Cisco for other non-stagnant and overpriced products.
Genuinely surprised anybody would acquire Splunk in 2023. Whenever you hear about Splunk from security engineers, they're actively trying to get off it (edit: yes, primarily because of cost). Better, next-gen SIEMs are either here or around the corner.
To pile onto the Splunk "love" going on here. Splunk is one of those systems that's too "powerful" for small use-cases, but too expensive for the ones it's really designed for.
Building Splunk has become very democratised in today's day and age.
Meraki and OpenDNS both became better post acquisition, and in both cases I’d say it was because Cisco let them continue to maintain a lot of control, the leaders stayed around, and the majority of the engineering teams did, too. Cisco has a long list of successful acquisitions. The release says Gary will report to Chuck directly, which is a strong sign Chuck will make sure Splunk succeeds. (nb, I was CEO of OpenDNS)
Webex is much better under Cisco than it was on its own. Cisco's expertise in hardware made for a great combination and has kept the product aligned with interoperable standards more than Zoom and some of the others.
The responses here are giving me some hope. I've just had many experiences as a customer where products I've used became worse (or were shut down) after their companies were acquired.
There are exceptions, but Microsoft seems pretty good at this. GitHub, Minecraft... Skype got a lot better for me in terms of reliability after the acquisition too, of course they've been competed away by other VoIPs like FaceTime and WhatsApp these days.
Companies rarely buy other companies in order to make buyee's product better, they buy them to boost the buyer's business or at least remove competition.
I wonder if this segment is ready for disruption. Splunk is very expensive, ElasticSearch is still lacking many of the features of Splunk and when hosted on AWS is very expensive. SumoLogic was acquired by private equity, which means that it won't get cheaper. DataDog is also very expensive.
We're[1] building the OSS equivalent when it comes to the observability side of Splunk/DD, on Clickhouse naturally of course but believe in the same end goal of lowering cost via separation of compute and storage.
We’re also giving this a shot. The annual Splunk bill at our last startup exploded from $10k to $1M when we reached 1TB of logs generated per day, which is actually an easy threshold to hit when you have decent traction and aren’t proactively reducing logs. So we built Scanner.dev to drop these costs by 10x.
Everyone complains about how expensive Splunk is but the amount of compute and storage consumed by processing logs is ridiculous.
I bet they will just try to upsell all the AppD customers with Splunk ES/SIEM. If the Thousand Eyes and AppD integration is any indicator they will add a button in AppD that opens up Splunk...
I haven't used Splunk in a number of years due to its cost. Splunk seems like a good pairing for Cisco - it's complementary to its other offerings to less price sensitive orgs, like Meraki.
We’ve got some logs in CloudWatch, but I barely use it because the query interface is unfathomably slow (in terms of query throughput). Do you use the web interface to query, or some other way?
tw04 | 2 years ago
https://realmoney.thestreet.com/investing/technology/cisco-r...
Good luck Splunk folks - Cisco isn't exactly known for their software innovation in the upper stacks (they still do pretty incredible things at the network OS layer).
bastard_op | 2 years ago
Already a customer/friend at a $6B retail customer of mine sent me the link first thing as a Splunk owner there. Just last week I asked if they'd looked at Datadog much yet, and said they'd rip Splunk from their cold dead hands. The follow up to the link for buyout news was that they were going to start looking at Datadog now. Splunk was already expensive, but not Cisco expensive.
LaLaLand122 | 2 years ago
wittekm | 2 years ago
bane | 2 years ago
Anecdote, I once worked with a client that really wanted to get Splunk, but produced so much network traffic that the discounted annual costs were more than the entire budget for the rest of the organization combined. That's staff, the building, equipment, power, water, everything...the estimated Splunk cost was more than that.
They went with a combination of ELK and a small team of dedicated developers writing automation and analytics against Spark and some enterprise SQL database. Still expensive, still cheaper than Splunk.
euph0ria | 2 years ago
Thev00d00 | 2 years ago
Splunk shares were trading at $119.59, so ~31% premium.
Cisco lost 4% in premarket trading.
rozenmd | 2 years ago
acquirer pays a premium to nudge the acquiree's board to approve
acquirer's shareholders that disagree with the deal sell, in anticipation of value destruction
airstrike | 2 years ago
johnyzee | 2 years ago
swozey | 2 years ago
dang | 2 years ago
Insider trade on Splunk acquisition? - https://news.ycombinator.com/item?id=37599587
Show HN: My Single-File Python Script I Used to Replace Splunk in My Startup - https://news.ycombinator.com/item?id=37600019
SushiHippie | 2 years ago
Cisco pulled out of SentinelOne acquisition after due diligence - https://news.ycombinator.com/item?id=37598299
debarshri | 2 years ago
Back in the day, logging, metrics, event collection etc. was a hard problem that they solved. Esp. when there weren't any simple distributed storage operators.
They have been a cockroach in the orgs, surviving every downturn. As a dev, you might hate it; CISOs and CIOs love it. Orgs often mandate it. The way they dominated the market is via creating CEF formats, integrations. It is more than a logging solution right now. It is an XDR, threat analysis platform etc.
This acquisition is going to be interesting with AppDynamics + Splunk and others; it feels like there is a larger play here for Cisco.
I don't think the value that Splunk has is transitive to ES or Grafana. It is its own thing.
kabdib | 2 years ago
If you can afford Splunk, just wait a couple of years until they figure that out.
surfingdino | 2 years ago
grecy | 2 years ago
Someone opened 127 calls for $22,000, and closed them today after the buy-out announcement.
A cool way to turn $22,000 into $10,043,000
[1] https://www.reddit.com/r/wallstreetbets/comments/16oi9an/som...
bufferoverflow | 2 years ago
leoc | 2 years ago
joncrane | 2 years ago
apricot | 2 years ago
ingen0s | 2 years ago
projectileboy | 2 years ago
davidu | 2 years ago
jve | 2 years ago
I'm sure there are tons of other, lesser known acquisitions... looking at what Apple acquires - seems relevant to be integrated into their products: https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitio...
Oh, wow, they even acquired Intel's smartphone modem business in 2019 and other semiconductor businesses.
troupe | 2 years ago
projectileboy | 2 years ago
missedthecue | 2 years ago
LinkedIn is better than ever for finding a job, or advertising a job, even though lots of people here don't like it because of the LinkedIn poasting culture.
sokoloff | 2 years ago
jojobas | 2 years ago
revskill | 2 years ago
mrits | 2 years ago
dhaulagiri | 2 years ago
avrionov | 2 years ago
Solution like SnowFlake for logs / telemetry where compute and storage are separated might be the future.
mikeshi42 | 2 years ago
[1] https://github.com/hyperdxio/hyperdx
cliffcrosland | 2 years ago
Decoupling compute and storage is definitely the way to go. We’re using Lambda functions and ECS Fargate containers for compute that scales up and down rapidly, and S3 for storage. Getting ~1TB/sec log scan speeds, which feels fairly good. We keep sparse indices in S3 to narrow down regions of logs to scan. Eg. if you’re searching for an IP address that appears 10 times in a 25TB log set, the indices reduce the search space to around 300MB. Takes a few seconds to complete that query, whereas Athena and CloudWatch take like 20 minutes.
We’re also using Rust to maximize memory efficiency and speed - there are lots of great SIMD optimized string search and regex libraries on crates.io.
We’re early, so there are a lot of SIEM features like detection rules that we are still building. But Splunk/DataDog users might find it useful if costs are a problem and they use mostly log search:
https://scanner.dev
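The "sparse indices that narrow down regions of logs to scan" idea in the post above, as an added illustration that is not Scanner.dev's code and not part of the original thread: logs are cut into chunks, each chunk gets a small Bloom filter over its tokens (the sparse index entry), and a query first asks every filter "could this token be here?" and then scans only the chunks that answer yes. The log lines, the chunk size, the filter size and the rare address 203.0.113.77 are all constructed for the example; a real system would store the chunks and filters in object storage rather than in memory.

```python
"""Toy sparse index for chunked logs: one small Bloom filter per chunk lets a
query skip every chunk that cannot contain the search token, so only candidate
chunks are scanned. Constructed example, not Scanner.dev's implementation."""
import hashlib
import re

CHUNK_LINES = 200      # log lines per chunk (hypothetical chunking policy)
BLOOM_BITS = 8192      # bits in each chunk's filter (1 KiB per chunk)
BLOOM_HASHES = 3       # bit positions set per token
TOKEN_RE = re.compile(r"[A-Za-z0-9_.:-]+")


def _positions(token: str):
    """Derive BLOOM_HASHES bit positions from a single SHA-256 digest
    (double hashing: h1 + i*h2, with h2 forced odd)."""
    d = hashlib.sha256(token.encode()).digest()
    h1 = int.from_bytes(d[:8], "big")
    h2 = int.from_bytes(d[8:16], "big") | 1
    return [(h1 + i * h2) % BLOOM_BITS for i in range(BLOOM_HASHES)]


class ChunkIndex:
    """Bloom filter over the distinct tokens of one chunk: the sparse index entry."""

    def __init__(self, text: str):
        self.bits = 0
        for tok in set(TOKEN_RE.findall(text)):
            for p in _positions(tok):
                self.bits |= 1 << p

    def may_contain(self, token: str) -> bool:
        # False means "definitely absent"; True means "maybe present" (scan it).
        return all((self.bits >> p) & 1 for p in _positions(token))


def build_chunks(lines):
    """Split lines into fixed-size chunks and build one filter per chunk."""
    chunks = ["\n".join(lines[i:i + CHUNK_LINES])
              for i in range(0, len(lines), CHUNK_LINES)]
    return chunks, [ChunkIndex(c) for c in chunks]


def search(chunks, index, token: str):
    """Return (matching lines, bytes actually scanned, total bytes stored)."""
    hits, scanned = [], 0
    for chunk, idx in zip(chunks, index):
        if not idx.may_contain(token):
            continue                      # index rules this chunk out
        scanned += len(chunk)             # only candidate chunks are read
        hits.extend(line for line in chunk.split("\n") if token in line)
    return hits, scanned, sum(len(c) for c in chunks)


def make_sample_logs(n=20000, rare_ip="203.0.113.77"):
    """Constructed access-log lines; rare_ip appears on only a few of them."""
    lines = []
    for i in range(n):
        ip = rare_ip if i % 5000 == 1234 else f"10.0.{(i // 250) % 256}.{i % 250}"
        lines.append(f"2023-09-21T10:{(i // 60) % 60:02d}:{i % 60:02d}Z "
                     f"src={ip} path=/api/v1/item/{i % 997} status=200")
    return lines


def demo(token="203.0.113.77"):
    """Build the index over the sample logs and report how much was scanned."""
    chunks, index = build_chunks(make_sample_logs())
    hits, scanned, total = search(chunks, index, token)
    return {"chunks": len(chunks), "hits": len(hits),
            "scanned_bytes": scanned, "total_bytes": total}


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes visible. First, the saving comes entirely from how selective the indexed token is: the rare address touches four of the hundred chunks, so roughly 4% of the bytes are read, while a token present in every chunk (say `status=200`) defeats the index and degrades to a full scan. Second, the filter answers only exact-token questions; a substring or regex query needs an index built over n-grams or over the specific fields you expect to search, and Bloom false positives only ever cost extra scanning, never missed results.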
dogman144 | 2 years ago
- panther siem (python alerts, thank the lord) and then pandas + databricks + s3 data lakes for deep analysis and IR
- maybe swap in panther SIEM for XDRs, if they get better out of the box
danielodievich | 2 years ago
manicennui | 2 years ago
jensensbutton | 2 years ago
pmcf | 2 years ago
I feel like we should be talking about the sad state of logging where we think it’s perfectly ok to dump millions of 10k stack trace dumps and think that should be cheap.
AlbertCory | 2 years ago
"RansomWare"
My leading example is SAP. Actually, most of the big ERP packages are ransomware.
stuff4ben | 2 years ago
dangus | 2 years ago
Also, from a business perspective, Cisco basically removed a competitor from the field.
MDGeist | 2 years ago
bugsense | 2 years ago
ak217 | 2 years ago
I've used several Splunk competitors (Sumo Logic, Datadog, etc.) that all have various strengths but suffer from a lesser version of Splunk's problem (once you're locked in and up for renewal, watch out). I also tried some ELK-based stuff, which just plain sucked.
The one thing that hasn't sucked is AWS CloudWatch Logs, after they added Insights (a log query engine). It has reasonable pricing and works really well if you're on AWS.
physicles | 2 years ago