IT pros react to blockbuster $28B Cisco-Splunk deal

Cisco goes through with its long-rumored acquisition of Splunk for security and observability. But the two aren't necessarily a perfect fit, according to some industry observers.

The news that Cisco will buy security analytics and observability player Splunk for $28 billion rocked the enterprise IT industry this week as IT pros and analysts assessed the benefits and risks for both companies.

In some ways, the news wasn't a total surprise. Cisco was rumored to be in talks to purchase Splunk in February 2022, a time when Splunk was transitioning between CEOs and its revenue growth had slowed.

Since then, however, Splunk returned to healthy growth under president and CEO Gary Steele, and rumors of a merger died down. Cisco also made significant investments in its own observability and security analytics tools beginning in February 2023, culminating in the initial release of its Full-Stack Observability platform in June, which it began to integrate with security tools this month.

A joint press release disclosing the acquisition emphasized Splunk's security analytics tools as a primary motivation for the deal.

"Specifically, Splunk's security capabilities complement Cisco's existing portfolio, and together, will provide leading security analytics and coverage from devices to applications to clouds," the press release read.

At first glance, there are some obvious ways the two companies could fit together, according to analysts.

"This is a very natural fit, especially because Cisco decided to enter the observability race with the acquisitions of AppDynamics and ThousandEyes and has been trying to build the Full-Stack Observability platform," said Andy Thurai, an analyst at Constellation Research. "Adding Splunk to this mix brings true full-stack observability capabilities between application performance monitoring, digital experience monitoring, logs and SIEM [security information and event management] to add to [Cisco's] network monitoring."

However, until now, Cisco's Full-Stack Observability strategy had been focused on OpenTelemetry and open source tools -- a potential sticking point as the companies integrate, according to Rob Strechay, lead analyst for enterprise tech media company TheCube, in a LinkedIn post. "What will happen to that strategy and investment in the community?" he wrote.

Moreover, neither Splunk nor Cisco has been seen as a leader in AI, according to Thurai.

"While I can see the synergies in security and observability, I don't see it as much in AI," he said. "Neither company is a leading player in applied AI. … Splunk is ahead of Cisco on that front, but both need to catch up."

Cisco–Splunk face rocky road down market

Other observers said they hoped Cisco's scale might add further flexibility to Splunk's pricing, which was altered in 2021 as the company transitioned to cloud.

"Hopefully [Cisco] can shore up the costs of the storage of log data," said Kevin E. Greene, public sector CTO at OpenText Cybersecurity. "We have been seeing customers looking to move off [Splunk] because of cost."

In fact, Cisco must add flexibility to Splunk's pricing structure and make its cloud offering truly multi-tenant, Strechay said in an online interview.

"Splunk has long been seen as expensive and as a tier 1 product, where you pay for it based on what they call ingest pricing, which is the volume of data you examine. … They also have a workload pricing model that is about as easy to understand as guessing what the stock market closing number will be today," he said. "Cisco will have to work on rationalizing this … and make this easier to consume."

The combination of companies will also be tasked with shoring up Splunk's hybrid cloud approach, Strechay said.

"Right now, if you want to use Splunk for hybrid cloud, you are most likely deploying on premises, because they are only aligned with AWS and Google Cloud's marketplaces," he said. "This brings up added costs with the egress of log data from cloud deployments back on premises. Security, networking and volumes of data make this very complicated."

Cisco-Splunk combo raises culture questions

A Splunk enterprise customer said he's seen the company's culture change as it has grown, and not for the better. He fears Cisco will further accelerate that trend.

"The culture has been going downhill but still OK," said Steve Koelpin, lead Splunk engineer for a Fortune 1,000 company in the Midwest and a Splunk shareholder.

Splunk's sales and customer reps' close relationships with customers have eroded over the years, Koelpin said, in part due to cost-cutting measures and turnover within the company. "I think the culture will plummet under Cisco. … A lot of the momentum will be lost. I see tons of great engineers, architects, consultants and seasoned [veterans] there leaving."

The companies' joint press release mentioned that Steele will join Cisco, reporting to Chair and CEO Chuck Robbins, but did not address the fate of the rest of Splunk's workforce.

In the meantime, in addition to adding pricing flexibility, Koelpin said the deal will likely be good for the security analytics market.

"[Splunk] enterprise security is the best tool on the market for SIEM by a long shot," he said. "If Cisco could integrate ThousandEyes, AppDynamics and Splunk together, [it] could offer a unique capability in the security space."

That may be a big "if," said Larry Carvalho, an independent analyst at Robust Cloud.

"This is a good acquisition since Cisco can combine its networking capabilities with the security capabilities of Splunk. [But] Cisco has not had a good track record of assimilating software into its portfolio, as evidenced by the AppDynamics acquisition," Carvalho said.

Splunk has its own track record of difficulty integrating acquisitions across TruStar, TwinWave, Phantom Cyber and Metafor on the security side and Flowmill, Rigor, Plumbr, SignalFX, Omnition and VictorOps on the observability side, Thurai said.

"Splunk already was struggling with too many acquisitions themselves," he said. "My advice would be to dump the smaller, not-useful ones to concentrate on the bigger goal."

Splunk has historically been a direct-sales-oriented company, while Cisco has a strong track record in channel-driven sales. But in Koelpin's view, this also could be good news.

"I've worked for a [Splunk] partner and saw firsthand how hard it was to get in as a partner and to get work," he said. "I definitely see it becoming easier to establish partnerships, which may drive down consultant rates [for customers]."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.