
Splunk-Cribl lawsuit over log management heads to trial

A jury trial, in which Splunk now accuses Cribl of violating the terms of the Splunk Enterprise license and its partnership agreement, is scheduled to begin April 8.

The Splunk-Cribl lawsuit will head to trial next week, according to a ruling in a U.S. District Court in California.

Splunk originally filed the suit in October 2022 seeking injunctions against Cribl on 12 counts including patent and copyright infringement, unfair competition, and interference with prospective business relations.

Following more than a year of pretrial proceedings, the matters to be decided at the trial now include "breach of contract ... copyright infringement, violation of the Digital Millennium Copyright Act, breach of [Splunk's] Technology Alliance Partnership Agreement, tortious interference with prospective business relations, and violation of California Business and Professions Code Section 17200," according to a March 11 court order.

California's Section 17200 prohibits "any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising."

Both companies sought dismissal or summary judgments in these matters, which were denied by William Alsup, senior district judge of the U.S. District Court for the Northern District of California.

Alsup's March 11 order denying those motions further states as follows:

At [the March 7] hearing, it became clear many factual questions remain that have a bearing on these claims. These include factual questions that go to whether Cribl used Splunk Enterprise trial versions for 'Internal Business Purposes,' whether Cribl copied protected elements in reverse engineering, whether Cribl circumvented technological measures that effectively controlled access to protected elements, and when and what Splunk learned about Cribl's support for the S2S protocol in its various incarnations. It also became clear that there are facts in the mammoth record that were downplayed in the briefing but that could prove decisive in light of all admissible evidence. For example, one fact that was discussed at some length at the hearing but alluded to in a footnote in a motion is that Cribl had an annual renewable corporate license to Splunk Enterprise when it was serially downloading Splunk Enterprise trial versions, and that this corporate license was repeatedly renewed by Splunk from Cribl's inception until 2023 -- including once after this lawsuit was filed ... The judge suspects neither party wanted to draw attention to this fact because it cuts both ways: it suggests that Cribl's use of Splunk Enterprise trial versions was not for 'Internal Business Purposes,' as set out in the Splunk General Terms, and it suggests that Splunk's course of performance was not to enforce the Splunk General Terms against Cribl.


Cribl co-founder and CEO Clint Sharp, who was previously a senior director of product management at Splunk, has claimed publicly that the intellectual property in question was based on code posted by Splunk under an Apache license on GitHub.

In a blog post this week, Sharp highlighted that the terms of the suit have changed, calling Splunk's initial allegations "completely fabricated."


"The patents Splunk referenced in the lawsuit were thrown out early in the case. At this point, nearly all of the headline grabbing portions of the case are no longer part of the lawsuit," Sharp wrote. "Notably, I am no longer a named defendant, and yet we are still likely going to trial. Why? Because this was never a lawsuit aimed at curing an injustice."

At the time the suit was filed, Cribl's LogStream product was used by enterprise customers such as health startup Accuhealth to reduce the amount of data sent to the Splunk Enterprise log management back end, which lowered what they had to pay Splunk for data ingestion. Since the suit was filed, Cribl has diversified its product offerings to focus on federated search and a data pipeline product, Cribl Stream, while Splunk has been acquired by Cisco.

Overall, the continued legal action now seems misguided, according to one industry analyst and former Splunk executive.


"I don't see any winners here, regardless of outcome," said Andi Mann, global CTO and founder of Sageable, a tech advisory and consulting firm in Boulder, Colo., who served as chief technology advocate at Splunk from 2015 to 2021.

"For Splunk, even if they prevail in court, it will not help them innovate and win in the marketplace. For Cribl, it is a drain on their limited time and resources ... and a loss would be even more severe," he said. "For customers, it is just a lot of thrash and noise that is distracting their technology providers from helping them deal with an explosion of monitoring data and the heightened expectations of their customers."

A Splunk spokesperson declined to comment on pending legal matters. Cisco did not respond to requests for comment as of press time.

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
