How Splunk is Playing for Power in Big Data

October 17, 2014

“Question: How do you eat an elephant? Answer: One bite at a time.”

– Anon

“Sp[e]lunking: The hobby or practice of exploring caves.”

– Merriam-Webster dictionary definition of Spelunking

“Splunk will continue to make it easier and less expensive for our customers to acquire, index, and store machine-generated data in greater volume every year. ... Splunk is unique in that it has torn down the walls between Security, IT Ops, Applications, and the line-of-business.”

– Godfrey Sullivan, CEO, Splunk in Q2 FY15 earnings call


  • Though still a moderately-sized software business at $420m or so in revenues, Splunk has planted a flag as an early leader in the much-hyped big data analytics category. When your company name becomes a verb, you’re getting somewhere. Although the broader world doesn’t yet think of “splunking” as it does about “googling”, Splunk and many customers already use this term.

  • The company has achieved this success by focusing on mission-critical use cases in IT operations and security management. In the SIEM category, it is succeeding against competitors such as IBM Security, HP/Arcsight, and McAfee, and is rated among these leaders in the top right-hand side of Gartner’s Magic Quadrant. In IT operations management, it’s also doing well against IBM/Tivoli, BMC, CA, Compuware, Quest, App Dynamics, and a younger player, New Relic.

  • Splunk’s latest major offering, Hunk (launched a year ago), has a chance of becoming a key analytical engine for Hadoop and noSQL clusters, which are gradually disrupting traditional enterprise data warehouses.

  • Though initially a downloaded on-premise offering, Splunk is now available as Splunk-as-a-service. This cloudified business is growing rapidly, already representing a surprisingly high percentage of revenues (37%) in the most recent complete quarter.

  • Since the beginning Splunk has offered a freemium pricing model available to SMB and large enterprise customers. Recently it has been shifting its focus to serve more of the latter as a natural extension of its land-and-expand sales strategy. Up to 70% or so of its customers upgrade to enterprise licenses and expand their utilization of the product in new areas of their business.

  • As this trend solidifies, the company is doubling down on its ability to address more complex customer problems and is adjusting its operating model accordingly, particularly in sales, proserv, and customer support.

  • Today Splunk is able to cite an impressive number and variety of customer success stories in different forms on its web site. Not every tech company can provide as varied and well-documented proof points. This focused effort is a key part of the company’s play for early power not only in IT ops and SIEM, but in the larger big data category.

Against many larger pretenders to leadership in big data, notably IBM with its Watson and other analytics assets, and the hundreds of startups and others jostling for a position in the category, Splunk has stood out by building a franchise in a corner of the category related to helping customers generate valuable analytical insights from large volumes of log and machine data. Google is probably the principal pure-play web business that has generated the most intelligence from machine-based data for its own benefit, but Splunk is an arms dealer that is benefiting hundreds of businesses.

The company is accomplishing this by providing a sophisticated array of tools designed to help IT departments and corporate operations to become much better informed in real time about problems that can hurt them – and thus able to head off security and other threats before they occur – as well as to pursue opportunities to tailor marketing promotions, analyze usage of ATMs for indications of customer preference, accelerate time-to-market for new product introductions (NPI), save large amounts of money, and so on. In this way, Splunk is migrating successfully from its initial IT customer base, where its natural sponsors include the Chief Information Security Officer (CISO) or Chief Security Officer (CSO), IT Ops management, and even the CIO, to line of business functions, where CMOs, CFOs, and even CEOs increasingly come into the picture.

How tech companies describe their value propositions can be instructive. Splunk describes its mission variously as “making machine data accessible, usable, and valuable” to every user or customer. Another statement, about its products, states the value proposition “get IT and business insight from machine data”. And the company slogan reads: “Collect, index, and harness your IT data.” The company started out with a vision to become the Google for systems administrators, using a novel search-based approach to sift through massive volumes of log data in order to provide sys-admins with the ability to quickly detect inefficiencies, block threats, and analyze security breaches. From there it has become a key player in SIEM.

A year ago Splunk announced its first Hadoop management platform called Hunk, which is still an early-market offering, reflecting the complexity that still surrounds the challenges of using Hadoop or noSQL clusters to replace the costlier and kludgier data warehousing technologies traditionally provided by Teradata, HP, IBM, SAS, Informatica, and Netezza (now part of IBM). Today the adoption of Hadoop or noSQL clusters is to my mind in the chasm; open source and proprietary tools predominate, but what’s still lacking are repeatable whole product solutions. The existence of so much open source code is encouraging to cost-cutting CIOs, but the complexity for companies to define a coherent strategy for managing and analyzing increasingly massive volumes of structured, semi-structured and unstructured data is inherent.

The power of customer references

While doubling down on Security as the main horizontal “use case”, the Splunk team extends its reach to IT operations, and into business operations. Doug May, head of the company’s business consulting services, graciously provided me with a summarized list of recent examples of business outcomes achieved by customers, some of which are already available on the company’s web site. Compared with other fast-growing enterprise software companies, Splunk produces an impressive number of customer case studies, ROI stories, customer profiles, snapshots, and videos on its web site, and what’s more it tends to these cases like a very caring gardener, a systematic effort that most companies find hard to sustain. The only way that Splunk is able to produce these detailed case studies is by deploying a business consulting team that works closely with customers from product evaluation through post-implementation, recording the outcomes that they are targeting and achieving.

In security and compliance, Edmunds.com, the automobile research and buying site, which has a complex infrastructure of devices, applications and services, was able to move from a highly reactive and manual process of detecting and responding to potential risks and threats to one in which they have reduced the number of malicious security incidents by 80% using Splunk’s real-time monitoring. Another example involved a large, global engineering firm that needed to protect design specs for airports and power plants as well as their bid information. They were able to detect and block advanced persistent threats (APTs), coming most often from China and Iran, before any critical intellectual property was compromised. At the volume of APTs they’ve identified and stopped, Splunk’s impact has been in excess of $200M, based on the estimates of industry experts on the average IP loss from a theft ($840,000). A large, global financial services firm was able to detect and stop 96% of all online account compromises in as little as 37 seconds, helping them to avoid more than $10M in fraud losses. Before Splunk they had to manually analyze data and couldn’t even gain access to the data for one full day.

None of these examples specifically cites the costs associated with the risk of a data breach. These days such incidents are reported daily across the globe. While the success of “not” having a data breach generally doesn’t garner much public attention, it is worth a lot to each Splunk customer that can avoid breaches such as those that have inflicted great damage on Home Depot, Target, Citibank and others. That said, the difficulty of attaching hard financial numbers to risks or actual breaches avoided doesn’t alter the fact that incident avoidance is often the primary benefit of leveraging big data for real-time threat assessment and security.

In the sphere of IT operations, including DevOps, customers have also achieved notable results. With Splunk applied to critical business applications in its environment (ERP, CRM, and MSP services), Autodesk reduced their time to investigate incidents by 80%. Further, they reduced problem resolution time (root cause analysis post-incident) from months to hours. Together those 2 benefits helped them to save thousands of hours per year. In turn they were able to more effectively monitor, report, and exceed their SLAs. Later their security team began using Splunk to help resolve issues that previously took weeks to months and are now resolved in a day or less. And recently marketing began using Splunk to monitor, with real-time visibility, the effectiveness of their email campaigns targeting new and existing customers. This evolution from IT operations use cases to Security and then into business operations with marketing exemplifies an increasingly typical evolution among customers who eventually decide to standardize on Splunk.

A Fortune 100 consumer beverage company is applying Splunk to monitor and troubleshoot their critical financial applications, reducing downtime and improving staff efficiencies through incident avoidance and faster resolution. They have documented $6M per year in employee efficiencies from reduced incident investigation time and over $7M/year in improved margins from less critical downtime of those applications (i.e., ERP and Treasury applications cost them millions per day when not functioning properly). Home Depot has applied Splunk to index any and all data in real time. By providing alerts on anomalies and dashboards on operational health, they have reduced the number of critical incidents (categorized as Severity1 and Severity2) by 43% year over year. A large US-based university used Splunk to gain insight into their IT operations, much of which was hosted at Amazon Web Services. They were able to identify servers being paid for that were not being utilized – an impossible task before they used Splunk. This level of visualization reduced their bill with Amazon by over $400,000 per month.

As a couple of the examples above have shown, once Splunk has demonstrated results in Security or IT operations cases, usage can spread rapidly to business operations, where budgets are usually much more elastic than in IT. New York Air Brake, a provider of braking systems, training simulators and train control systems, now enables its customers’ personnel to drive trains more efficiently based on machine data collected from every major mechanical component. Drivers travel at optimal speeds and brake at appropriate times, helping the company’s customers to save 5-12% on their fuel costs, resulting in estimated collective savings of over $1bn over several years. Domino’s Pizza started using Splunk in IT operations, saving them more than $300,000 by replacing legacy tools. A single minute of downtime costs their online e-commerce site $100,000, and Splunk has helped them dramatically increase the effectiveness of their monitoring and troubleshooting. They are also able to provide insights to their developers on user behavior, and are now able to see how their coupons and other marketing promotions are working in real time so they can modify them and maximize each one’s return. Finally, a large, global chip manufacturer helped their hardware engineers regain tens of thousands of hours previously spent on resubmitting failed tests to their job scheduler, allowing them to deliver their projects 1 to 3 weeks faster. At $5M/day in average revenue per project, this time-to-market gain has significant impact on their competitive position and their ability to generate revenues and achieve profits from each new product.

Competition, growth and the path to consistent profits

With its impressive growth Splunk has thrown down the gauntlet to competing vendors, and from now on has a target on its back. Larger players will do whatever they can to undermine Splunk’s lead, and younger players such as Sumo Logic, Elastic Search, and New Relic will take aim at different parts of Splunk’s portfolio. One ace that Splunk may hold up its sleeve is the experience and business-savvy of its executive team. The company has managed to attract an impressive team of seasoned tech executives led by Godfrey Sullivan, former CEO of Hyperion (acquired by Oracle a few years ago). To name a few others, Steve Sommer, the CMO, was previously CMO of Portal Software and before that Informix in their high-growth eras, and Doug Merritt, SVP of world-wide field operations, was formerly a successful entrepreneur and also a senior executive at SAP and most recently Cisco. David Conte, the company’s CFO, was previously CFO at Ironkey and Opsware, the Marc Andreessen company acquired by HP back in 2007. In the company’s most recent earnings call in late August, Sullivan and Conte described in detail how rapidly customer adoption is accelerating inside of each organization, citing many different use cases and customer transactions, and responding effectively to analysts’ questions. It did no harm that the company was announcing excellent results, but nonetheless the team deserves credit for the company’s performance and in particular for its businesslike approach to building the business.

Since it went public in April 2012, Splunk has had an interesting time – mainly positive – with analysts and investors. Just as has occurred with for years, and Netsuite and Workday more recently, investors are struggling to understand how to value the business and its growth. In Splunk’s case, an understandable current preoccupation of investors is the speed of the transition from the conventional perpetual license model that launched the company to a tiered consumption model based on volume of data indexed per day. Most established major players such as IBM, Oracle, and SAP are struggling mightily to complete this transition with minimal bumps along the way.

One factor that many fast-growing and recently public companies share in hot categories is a “growth now, profits later” (GN/PL) strategy that at times makes investors nervous. The justification for this approach is that their main priority at today’s stage of growth is to grab as much market share as possible in order to establish a powerful position in the market and thus avoid unpleasant fates, such as being taken out by a larger competitor before they can achieve their mission, or being trumped by competitors in mind and/or market share. Practicing what I describe as “land-grab economics” is strategically sound when the market is in a tornado, but less so before or after this stage of frenetic growth. Based on all the evidence I see in the marketplace, big data in general, or even the SIEM or IT Ops Management sub-categories, are not yet quite experiencing tornado adoption dynamics (where pragmatist customers start buying and deploying a product in a frenetic rush). Therefore, I have my concerns about the timeliness of this strategy.

When implemented at the wrong time, GN/PL strategies can result in companies spreading themselves too thin, causing them to fail to reap a fair return on the value they deliver to customers. Just as likely, by playing the volume game too soon, companies short-change their commitments to customers and turn promising relationships into problematic transactions. On this theme, there is reason to believe that Amazon, with all the attention it garners, has done the public capital markets a considerable disservice with its obstinacy about pursuing growth without profits. Amazon has pursued this strategy in both its B2C e-commerce volume-operations business and its B2B Amazon Web Services cloud hosting business. Fortunately, investors are now beginning to push back on this approach. Nonetheless, the fact that Jeff Bezos has managed to sell this strategy to investors for so long has drawn many other B2B companies into following a similar tack. However, not every aspect of this philosophy is to be dismissed. Jack Ma of Alibaba has made it clear that his priorities, rather like those of Bezos, are to serve customers first, employees second, and shareholders third. There is some reason to identify with this customer-focused philosophy, after two or three decades in which “shareholder value” became every company’s north star. Serving shareholders is all well and good, but focusing on quarterly financial performance to the detriment of sustained growth and profitability can be very distracting to a management team that is trying to achieve a good balance between short and long term success.

From what I can detect, the Splunk management team is being very thoughtful about how far it pushes the envelope on deferring meaningful profitability, but some risks remain. Right or wrong, investors today seem to consider that 30%, or better, 50%+ growth year over year is a very good substitute for immediate profitability. But this patient attitude on the part of investors is not to be taken for granted, and this week’s sudden pullback in the stock market could also have a harsh effect on valuations. My advice to high-growth tech companies, as I’ve already stated on record in earlier blog posts mentioned above, is at minimum to present a coherent and believable path to profitability that shows results significantly in the black occurring within a 12-30 month timeframe. Otherwise, investors and analysts may infer that management is being cavalier in its responsibilities to deliver returns to shareholders.

These concerns can periodically detract from the otherwise excellent performance of a company like Splunk, because they can drive away some growth investors who would otherwise love to hold the stock and accompany the rocket ship throughout its period of high growth. Even investors who intend to keep the stock tend to get cold feet at certain moments, making for excessive volatility in the share price, which isn’t particularly good for people’s stress levels. has suffered from this problem. Despite its admirable success in leading the SaaS evolution and building a fast-growing $5bn. revenue business, its share price has been relatively constrained as compared with other SaaS high-fliers such as Workday and NetSuite.

In defense of software companies the size of Splunk, as soon as they grow beyond being promising startups and achieve annual revenues above, say $200m, they enter the terrain of the ‘tweener – that is companies that can be squeezed (or swallowed up) by larger players on one side and disruptive startups on the other side. Management teams in ‘tweener companies are continually anxious to establish a power position from which they can either continue growing as an independent business – possibly acquiring other companies to fill out their portfolios or gain access to new markets – or at least become very expensive to acquire. Today, Splunk’s market valuation (around $6.5bn. at time of writing) acts as a deterrent to acquisitive predators because the number of companies that can afford to pay the premium is limited to a small group – probably no more than a dozen companies such as IBM, Oracle, SAP, Cisco, and maybe even GE – but this does not yet place it entirely “out of danger”.

Splunk’s last quarter also produced an increase in the number of small customers signing up at entry price points. This phenomenon is a by-product of Splunk’s longstanding freemium model that has enabled individual users in companies to download Splunk for free in order to try it out by indexing up to 1GB of data a day. At the same time, the company’s long-term strategy is to serve enterprise customers, and indeed the company is signing increasing numbers of three-year Enterprise Adoption Agreements with its business customers. What connects the two ends of the spectrum is a land-and-expand strategy that in itself is not unique but seems to be working extremely well for the company. A business user downloads the software to try it out for a period; if they apply it to a real use case and find it valuable, consumption surpasses their free limit and they start paying. As positive results begin to accumulate, the single user, who might be in the IT security department, gets their colleagues using the product, and eventually it leaks over to colleagues in IT operations who have a different problem to solve, and eventually hits one of the lines of business, such as marketing promotions. During this evolution, budgets get established for the IT department to acquire an enterprise license, and by this time the customer organization requires and expects “enterprise-grade” attention and service from Splunk.

Today Splunk’s pricing is based on a usage-based model calculated on volume of data indexed, not volume stored or any other metric. For many customers this is very amenable because it is simple to understand and relates more closely to value – though, in some cases, it may not correlate closely to palpable results for the business. For example, on occasion customers might worry about this algorithm because their monthly bill can produce surprises on the upside (increased payment required) if a group of users, unbeknownst to them, suddenly increases its consumption of indexed data without any clear record of results achieved. This is the downside of any consumption-based model, because it needs to be managed by the vendor or the customer in order to avoid unpleasant surprises. To deal with situations like this, Splunk and any other company that offers a consumption-based pricing model might consider either capping charges at a certain level, or offering fixed-term monthly or annual subscriptions. Offering different pricing options in the same business contract – say, a usage-based or gainsharing alternative vs. a fixed subscription fee – is a legitimate path to consider for enterprise customers that use the vendor’s offerings extensively across the organization.

Regarding the inevitable transition from a conventional perpetual license model to a rateable model (subscription or usage based), Splunk appears from its most recent quarterly results to be accelerating the switchover. In its Q1-2015 earnings call, the company reported that 37% of its total license revenues were rateable, a 7-10% higher rate than the company previously expected, and an impressive result.

Strategic opportunities for big data vendors

I see several key lessons that every company – including Splunk – can learn from observing the company’s growth to date. These include some old-school ideas critical for proving value and gauging the overall return on investment. Too many “Xaas” companies have marketed their wares on the basis of reduced cost and ease of implementation and use, without understanding how to secure active and persistent engagement on the part of their business users or how to price their offerings based on value delivered.

  1. Pick a mission-critical theme that your company can make a meaningful, if possible unique, contribution to – for example, security is a key, increasingly topical, theme that Splunk has selected – and focus on tangible use cases “owned” by an identifiable and empowered customer sponsor who can find “budget” even where none exists. Help them to build a business case for adopting your product(s), as well as to expand the number of use cases they can address in different parts of their business. This consultative land-and-expand approach not only demonstrates proven value to the company’s operations and even to its business strategy, but provides evidence of “night and day” impact – as in “our operations today are as different as night is from day compared with before we used Splunk or XYZ”.

  2. Build and nurture a library of customer case studies in various different forms in order to make them easily digestible for prospects and others who have different information appetites. As important, keep refreshing the cases with new information on use cases, expanded deployments, and especially more recent results accruing to the customer’s business.

  3. Determine whether your sweet spot is to operate as a Volume Operations business or as a Complex Systems business. As your business grows, even if you started by focusing on business users or SMBs – as the majority of cloud-era software businesses have done, from Salesforce on down – decide whether you will over time focus more on SMBs or on enterprise organizations, because each will take you in different directions. There are really only two business architectures in tech to choose from, although you may need to operate elements of both. This is not so much an either/or issue, but you must decide which one you will major in and which one you will minor in. This is something that IBM learned in the 90s under Lou Gerstner but that HP under several CEOs from Lew Platt to Meg Whitman has never properly understood, so while it optimized for volume ops with its PC and printer businesses, it has dramatically sub-optimized in its enterprise computing and services businesses for decades. Above all, it is critical not to conflate the two business models, as in, for example, using volume-based pricing or mass marketing in a value-based complex systems business where relationships, domain expertise, and thought leadership are key assets.

  4. Be very clear who your competitors are in your area of big data, from major systems players such as IBM or Oracle to startups who might come at you from any direction. Define your one or two crown jewels – unique, sustainable, and valuable to your target customers – that you will leverage to achieve competitive separation. In emerging categories, keep in mind that your main competition is the status quo – in other words, existing in-house or client-server/mainframe technologies and corresponding business processes.

  5. Resist the urge to adopt land-grab economics when it’s too soon or too late to do so. If your category is not in a clear, sustained, mass-market tornado, it behooves you to be thoughtful about your pricing model, always matching it to the value you are delivering to customers. To achieve this, you must have some form of business consulting capability in your professional services organization, with domain experts for specific use cases and/or market segments.

  6. Avoid being distracted by Amazon-style race-to-the-bottom tactics in pricing products and services, and avoid being distracted by the pervasive presence of free open source software in the mix – case in point, Hadoop and noSQL, and many of their associated components. Customers expect to pay a fair price to vendors who earn their trust by focusing on helping them to solve complex problems and also help them to track the true return on their investment in both quantitative and qualitative terms.

Above all, try to do as Splunk has done – i.e., avoid getting sidetracked by the hype, and just get on with building a solid value-delivering business. Big data won’t become a big and profitable category unless it starts off as a number of smaller, focused, value-delivering sub-categories, each one with vendors focused on clear use cases and on delivering strong and unambiguous value.

Disclosure: For this article I interviewed several Splunk executives, who were gracious enough to provide insights about the company’s successful growth to date. I have taken care to exclude any information that Splunk might consider sensitive or confidential. I am not a shareholder (nor plan to be), nor do I have any other economic ties to the organization.