
Splunk pricing, observability updates push cloud shift

Some Splunk customers are newly receptive to the vendor's cloud push in a pandemic-stricken economy, and it's piled on further pricing incentives to sweeten the deal.

Amid a broader enterprise cloud rush, Splunk is adjusting its pricing and data indexing options to boost the appeal of its cloud observability platform to on-premises customers who may still be on the fence.

Splunk first launched Splunk Cloud in 2013 as an option for Splunk Enterprise customers, but over the last year has joined other enterprise IT vendors such as Atlassian in mounting a push to become a cloud-first company. Last year, for example, its first rollout for its new Observability Suite products -- based on the acquisition of companies such as SignalFx and VictorOps -- took place in the Splunk Cloud.

Similarly, this week, cloud customers got the first look at new data management features released in preview that may help them cut data storage costs. Flex Index offers cheaper ingestion, storage and searches on "cold" data that may be used for historical or forensic investigations but is less likely to be frequently accessed. Splunk also added Microsoft Azure support for a cloud feature called SmartStore. The feature routes data to cloud object storage rather than Splunk's primary cloud storage, which costs more to use.

Analysts see the vendor's motivations for this as twofold: to increase incentives for customers to move to its cloud platform rather than remaining on-premises, and to help it compete against rivals such as Elastic Inc. and Sumo Logic, which have enticed some users away from Splunk in the past, based on lower pricing.


"Splunk is perceived as expensive, which they are moving to address with new pricing models," said KellyAnn Fitzpatrick, an analyst at RedMonk.

Not every on-premises Splunk Enterprise customer has workloads that lend themselves to these new pricing models. Cloud hosting has become much more appealing, however, since labor shortages emerged during the COVID-19 pandemic, along with spikes in demand for digital services.

"I'm starting to believe in the cloud," said Steve Koelpin, lead Splunk engineer for a Fortune 1,000 company in the Midwest. "It's hard to find good talent -- if you can eliminate or reduce the need to have a lot of really talented admins [to manage Splunk on-premises], that's a good thing to have, because admins are very hard to find."

Koelpin's company is generally moving to the cloud, and he said he's personally more open to it now than he was a year ago, in part because of pandemic-driven employee turnover.

"The pandemic triggered it, and losing talent on the admin side," he said. "But it's a lot of things -- you're also getting cheaper storage and more high availability -- a lot of the positives outweigh the negatives now."

Workload and entity pricing hedge against cloud competitors

It's not just observability and security specialist vendors (which are increasingly becoming one and the same) Splunk customers will have to consider as they choose cloud products -- eventually, these tools could also face off against cloud platform providers themselves. Big cloud vendors have already begun offering observability and security services, from Amazon's OpenSearch data indexing and analytics to Azure's Sentinel security information and event management (SIEM).

"Splunk's SIEM doesn't compete with AWS, Google Cloud Platform and Azure yet, but it might three to four years from now," said Christopher Kissel, an analyst at IDC. "The fear is that the larger players will ultimately offer very cheap storage or may offer more security features ... which could consume a lot of [the market for] security functions."

In May this year, Splunk repackaged and re-priced its cloud products in a way that could help it more closely match cloud providers long term. Its base cloud data storage and indexing offerings were renamed the Splunk Cloud Platform, and IT monitoring apps were grouped into what Splunk calls the Observability Cloud, Security Cloud and IT Cloud.

On the pricing front, as of this week, the Splunk Cloud Platform now uses workload-based pricing by default for all cloud customers, which had previously been offered to only some of its largest customers as a pilot. Workload pricing is a concept Splunk first introduced in 2019 that charges according to usage of compute resources used in search and data analytics rather than per gigabyte of data ingested, which can be cheaper for customers who ingest more data than they need to analyze. Competitor Sumo Logic also offers tiered indexing options for similar reasons.

With May's update, users of the observability, security and IT flavors of the cloud platform could also opt for entity-based pricing. Entities in this model can be end users, hosts, IP addresses or specific devices, which means customers can pick which resources they want to monitor most closely and pay accordingly.

"If I keep throwing in telemetry from common endpoints ... they have the means to take in that telemetry, but they're not charging me more to add data" with entity-based pricing, Kissel said. "It's a change from when they had enterprise licensing, where you would strongly consider using [a third-party tool] to shape the traffic and not keep incurring upload/download-based costs."

Splunk principal product manager Srinivas Bobba presents on Federated Search.

Federated Search caters to multi-cloud, hybrid cloud usage

Among a bevy of product updates Splunk made during its .Conf virtual conference this week was the general availability of a new Federated Search feature it first introduced in July. The feature, which currently supports searches between clouds, between on-premises deployments or from on-premises deployments to cloud deployments, is explicitly intended for multi-cloud and hybrid cloud use cases, according to presentations at the conference. The ability to search from a cloud deployment to on-premises deployment isn't supported in this initial version but is on the roadmap, according to Federated Search product managers in an online .Conf Q&A this week.

Splunk customers at the event said that the new feature, Splunk's third attempt at multi-site search, represents a major improvement over previous products such as the now-discontinued Data Fabric Search and the more recent Hybrid Search.

For example, Federated Search adds more granular role-based access controls, resource quotas and admission controls over remote searches than Hybrid Search did. It also includes the ability to run scheduled searches, which is important to optimize search performance on active systems. Federated Search also has a more streamlined setup process than Hybrid Search, which required a few licensing and configuration changes, as well as a search head restart.

"Right now, the only way to search both on-prem and Splunk cloud is with a Hybrid Search head," said Derrek Chapin, senior engineer at Kinney Group Inc., a professional services consulting firm in Indianapolis. "Federated search seems to be easier to get up and running."

Federated Search may also turn out to be a cost-cutting tool, since organizations like Koelpin's global company will no longer have to use the wide area network (WAN) to import data to a central data center or to search separately among multiple locations.

"Federated Search seems to be designed with our exact use case in mind," he said. "One of the biggest problems with a global deployment was that we had to log in to 100 different Splunk instances to search them over the WAN, which was very, very expensive and wasteful."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.
