Last week, executives from Cisco and Splunk, including Liz Centoni, Jeetu Patel, and Tom Casey, held a 45-minute round table where the combined entity outlined their plans for Cisco’s observability future. General opportunities and high-level customer observability pain points were communicated in that discussion. Yet, customers still seek high-level action plans and specific execution details from the merger. While generic customer pain points to observability and security were discussed, the market sought more information about how these major observability platforms would come together. The full video of this roundtable can be seen here ->

Tom Casey from Splunk has taken over the product ownership of the Cisco #Observability solution strategy. This move aims to reduce leadership alignment friction by not having competing priorities across #O11y divisions to drive a unified platform. The collaboration between Cisco and Splunk has the potential to provide visibility from the network to the application level, which other observability vendors lack. However, the details of how this will be accomplished are not yet clear.

Splunk has been working hard to integrate its recent acquisitions, including SignalFx, Omnition, Rigor, Flowmill, Plumbr, and VictorOps, into its Observability platform. With Cisco acquiring them, Splunk’s initial direction of keeping SignalFx as a Splunk observability cloud while maintaining the Cloud logs as Splunk Platform (as it was difficult to change the architecture completely to merge them all together) might change. We still don’t know which platform the incoming observability products, such as AppD, Thousand Eyes, and FSO (Full Stack Observability), will move into or merge with.  They also diverted investments or decommissioned some acquisitions, including VictorOps and Incident Intelligence to make things simpler (Though engineering and support teams maintain those solutions, product, and strategy teams were eliminated thereby indicating the future of these products may be short-lived).

Given Cisco's history and past experience of integrating observability products, such as AppD and ThousandEyes, and Cisco’s own organic observability platform FSO, and the time Cisco took to streamline operations, field teams, pricing, and create a combined solution, Constellation expects that this new collaboration will take even longer to come to fruition. Many existing Splunk and AppD customers have expressed concerns about how this collaboration will unfold. For example, they are worried about getting the right recommendations from the field/solution teams given many overlapping solutions. Customers are very nervous about the combined Cisco observability solution pricing structure going forward, and whether they will pay a double dip fee to Cisco, which has not been fully disclosed yet. The combination of multiple platforms, add-ons, suites, packaging, overlapping features, and licensing models may confuse the customers, and field teams until the unified pricing structure and full-stack unified platform take shape. These include DEM (Synthetic Monitoring & RUM), APM (Distributed Tracing), metric stores, tracing stores, session replay capabilities, Infrastructure monitoring, and log capabilities overlap along with Splunk having their own powerful query language (SPL) which Cisco’s observability solutions lack. Cisco should proactively take the time to clearly explain these outcomes to customers and properly execute on it with specific defined milestones.

Furthermore, both companies claim that the acquisition is to catch up with AI demands. Yet, neither of them is a leader in infusing AI into their Observability or AIOps solutions. There are other competing vendors ahead of Cisco/Splunk with their generally available AI use cases, which Cisco/Splunk both need to catch up with. For instance, Splunk AI assistant (formerly SPL Co-Pilot), introduced in .conf23, is still in preview mode and constitutes a very basic use case of using a natural language interface to produce SPL (Splunk query language) used in observability data searches. Cisco's AI does not perform any observability-related tasks yet. It will be interesting to see how many AI use cases they can support quickly to catch up with the market.

Since a significant portion of Splunk's revenue comes from their ARR, this could help Cisco launch into the ARR model, which they have been trying to expand for the last few years.

Constellation POV

Based on our conversations with existing Splunk and Cisco customers, and Splunk ex-employees, Constellation believes that the integration faces many challenges. Constellation expects that the combined entity will take at least two years to complete post-merger integration in a manner that users will see the benefits.

Although the Cisco/Splunk team has said all the right things so far, execution will be critical, and it could be painful and slow, which may cost some large accounts that are already experimenting with competing solutions. Constellation believes that the overall merger will bring benefits to customers and partners, but be prepared for a much longer than expected post-merger integration, given the different architectures, consumption models, data collected, culture, and technical debt accrued over the years.

At first glance, the idea of combining Security with Observability seems to be a good one, and it aligns well with Splunk's ongoing mission before the acquisition. Bottom line – while this high-level strategy sounds promising, it needs more details to be fully understood and value realized.