Getty Images

Splunk suit claims Cribl built on stolen log management IP

Former Splunk employees and industry watchers reacted to a lawsuit filed by Splunk this week alleging that Cribl's business is based on stolen log management code.

Splunk filed a lawsuit against its former partner Cribl this week, alleging that the log management vendor, founded by former Splunk product managers, based its business on stolen intellectual property.

Cribl markets products that enterprise customers use to filter data before it's sent to Splunk and other log management and log analytics tools, which reduces the amount many of those joint customers must pay for data ingestion and storage.

One customer, Accuhealth, said in March 2021 that it reduced spending on Amazon EC2 resources to support Splunk by 30% using Cribl's LogStream software. Another Splunk customer from a Fortune 1,000 company also spoke publicly this year about using Cribl to filter data the company sends to Splunk Cloud and reduce spending.

Cribl, meanwhile, has raised $400 million in funding, including a $150 million Series D round in May.

[Cribl is] built on a value proposition that started as, 'We make Splunk cheaper.' And now they're cozying up to Splunk competitors like SentinelOne. In a different timeline, I see all of that as Splunk's for the taking.
Andi MannFounder, Sageable

Some industry watchers were puzzled by the timing of the suit, given Cribl has been in business since 2018. It may have taken Splunk time to gather evidence against Clint Sharp, co-founder and CEO of Cribl and former senior director of product management at Splunk, but it's also likely Cribl's business growth in the last two years -- in large part at the expense of Splunk -- played a role.

"They're clearly eating Splunk's lunch," said Andi Mann, now founder of consultancy Sageable, who served as Splunk's CTO for DevOps from 2015 to 2021. "[Cribl is] built on a value proposition that started as, 'We make Splunk cheaper.' And now they're cozying up to Splunk competitors like SentinelOne. In a different timeline, I see all of that as Splunk's for the taking."

Cribl has capitalized on longstanding pricing complaints from Splunk Enterprise customers. The company has changed its pricing terms in recent years in an attempt to address those complaints, but Cribl has also served as a means of partially moving away from Splunk for some, since a big data system such as Splunk's would be an onerous undertaking to replace entirely.

Clint Sharp, CriblClint Sharp

Splunk's complaint, filed in Delaware this week, where both companies are incorporated, seeks compensatory and punitive damages from Cribl and Sharp, as well as injunctions barring them from continuing to use the IP Splunk alleges the company illegally obtained. In a blog post about the suit, Splunk pointed out it isn't asking the court for Cribl's business to be shut down or blocking Cribl from accessing its platforms. But what it is asking for could seriously damage Cribl's business.

The effect this would have on joint Splunk-Cribl customers is difficult to predict, analysts said. Cribl supports other log management tools and could potentially rewrite its product to eliminate any code Splunk is successful in forcing them to remove.

"It shouldn't affect either customer base while this is being litigated. ... Like any litigation, there is going to be brand reputation damage on one or the other, depending on how this all plays out in the long term," said Katie Norton, an analyst at IDC. "If Splunk's claims end up being true, I think it could seriously hurt Cribl. ... Alternatively, if the claims prove false, it could reflect negatively on Splunk as just a big guy trying to squash a smaller competitor."

Splunk's complaint includes bombshell accusations

Splunk seeks injunctions and penalties on Cribl on 12 counts, including patent and copyright infringement, unfair competition and interference with prospective business relations. At the heart of the case is a protocol called "Splunk-to-Splunk" or S2S, which Splunk's complaint states Cribl's founder, Sharp, stole before leaving Splunk.

"Before resigning from Splunk, in early 2017, unbeknownst to Splunk and without authorization, Mr. Sharp posted a derivation of Splunk's proprietary and confidential S2S source code to his personal GitHub webpage," the Splunk complaint states. "Mr. Sharp named this derived code 'go-S2S.'"

The complaint argues that this derivation of S2S, along with Splunk implementation specifications, product roadmaps and information about Splunk customers and prospects were obtained via Splunk sales managers that Cribl recruited, remains the foundation of Cribl's business. Cribl's LogStream management product, and later an Edge product, are based on access to and understanding of the S2S protocol, the complaint states. Some 80 former Splunk employees have left to work at Cribl, making up a quarter of its workforce, according to the complaint.

"Cribl has used its illicitly obtained support for the S2S protocol as a means to convince Splunk's customers to buy software and services from Cribl," according to Splunk's complaint. "Cribl's ability to get a foothold in the market depended upon its ability to make available and support the S2S protocol, which it implemented using Splunk's proprietary source code without authorization."

Relationship turns 'adversarial'

While Cribl has been in business for more than four years, the contentious relationship between the two companies came to a head in 2021. Splunk alleges that's when its former sales managers, three of whom are named in the complaint, brought proprietary information about Splunk's business to Cribl, which the company used to target Splunk's largest customer accounts.

"Cribl's public conduct became increasingly adversarial over time," the complaint said. "Cribl's sales employees (and Mr. Sharp in particular) disparaged Splunk and its software in conversations and sales pitches to Splunk's actual and potential customers."

Splunk's complaint alleges this disparaging communication also extended to Splunk employees in an effort to recruit them.

"Despite building its own product on top of Splunk's (using materials misappropriated from Splunk), and despite building its business by marketing to Splunk's customer base (again, using misappropriated materials), Cribl engaged in a marketing campaign that asserted Splunk was 'stale' and Cribl was a company where Splunk's employees could 'keep innovating.'" the Splunk complaint states. "Indeed, Cribl went so far as to commission a billboard directly outside of Splunk's headquarters to advertise this false message directly to Splunk's employees."

Splunk makes a different protocol, called HEC, available to authorized partners that build products based on Splunk for log management. Splunk's Technology Alliance Partner (TAP) program also has a limited Splunk Enterprise license for software development purposes. Cribl joined Splunk's TAP program in 2018, but its membership in that program was terminated on Nov 2, 2021, due to the company's use of S2S rather than HEC and Splunk's displeasure with its business practices. Since then, Splunk alleges Cribl has continued to base its products on Splunk without legal authorization to do so.

Cribl released a brief public statement Wednesday, denying Splunk's allegations.

"We have built interoperability using our own hard work and open source implementations, such as Eventgen," the company said in the statement. "While Splunk tries to stifle competition through litigation, we will keep our relentless focus on our customers to give them choice and control over their data."

On Thursday morning, Sharp posted a thread on Twitter responding in more detail to the suit.

"Since 2014 or before, implementations of the Splunk to Splunk (S2S) protocol have been open sourced for delivering data to Splunk," Sharp said. "An implementation of S2S in Splunk Eventgen is still available under an Apache license, assuming they don't take it down after our statement."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Next Steps

Post-lawsuit, Splunk and Cribl meet again in data pipelines

Dig Deeper on IT systems management and monitoring