by windexh8er 1346 days ago
I can add from the other side of the fence. I worked for a startup that was acquired by Splunk. They are everything listed here and worse on the inside.

My first few weeks at Splunk were very odd. They try to indoctrinate new hires with a barrage of "A-players" that continuously talked about how awesome Splunk was. Except... When I started, Splunk was getting their ass kicked by cloud-first players that had recently come to market. Splunk's monolithic architecture wasn't well suited to be run as SaaS at the time and Splunk was burning cash and losing money on every customer that they suckered into moving away from their perpetual licenses into subscription hell. I left money on the table when I ran out the door less than 6 months later.

I'm curious what Splunk's long game is with this because they just told every F2000 that their bottom line is being chipped away by Cribl and friends. So if I'm an enterprising procurement department I'd be tossing Cribl or Rudderstack or whatever other data transformation preprocessor on the table alongside my renewal. Expand opportunity? If you put your ear to the tracks you can almost hear all of the account managers digging out missed quota excuses.

Splunk isn't innovative and hasn't been for a long time. Most of the employees saw the writing on the wall and went to Snowflake as soon as the opportunity presented itself. Splunk tried to capitalize on the security market by, basically, double charging customers for ES. Instead of delivering value, it seems to me Splunk is just looking for ways to squeeze a few last drops of lemonade.

2 comments

Sounds like a good move... From their about page:

    Splunkers have received over 1,020 patents to date
that tells me everything I need to know.
I am one of those people. There was a bonus for every patent granted. They were telling us that we need a big patent arsenal to fend off against IBM. It turned out that Splunk is IBM now.
“You either die a hero or you live long enough to see yourself become the villain”
I am against software patents and choose to ignore all pleadings from my employers regarding patent filings. IMO, the bonuses (~$1-2K) are not worth going against my views.

You could have made the same choice, but did not.

Your last sentence is rather dismissive and seems unnecessary to make your point. You're assuming that they share your views on software patents. They might not. Or at that time not realise the issue with software patents in the first place.
Hear hear. I know what you mean, I've lived through the same in a different Fortune 100.
Interesting, I helped manage a Splunk install at a Fortune 200 about a decade ago. At the time the recommendation was to use syslog-ng to filter incoming logs before indexing. I just heard of Cribl 2 weeks ago because the Fortune 20 I currently work for is planning on switching to it. I didn't realize it was a massive shift like that, I just thought it was the corporation switching things just because they do that sometimes.
There have been a few other recommendations over the years, including putting a separate tier of forwarders first in line to perform transforms and such. There were always plenty of options for on-prem/DIY/Enterprise especially when using syslog instead of directly via HEC.

Their SaaS offering used to have said inline tier called IDM (Inputs Data Manager) where we were directed to configure filters during our POC… a key requirement for moving from Enterprise to SaaS because conf files aren’t managed the same. One month (to the day!) after we moved, they randomly decided to migrate us to a new “Victoria experience” where that tier suddenly disappeared without explanation. We filed support tickets asking 1) what happened? and 2) how do we filter things out now? and were directed to hire professional services because that was outside the scope of standard support!

The whole point of moving to SaaS was to not have to babysit our own clusters (small shop at the time), so spinning up a ton of infra in front of the freshly greenlit SaaS setup would have negated the productivity gains and financial pivot.

Ultimately, the entropy of hundreds of applications logging in disparate formats and namespaces outweighed our ability to sanitize each app within a reasonable amount of time, leading to unwanted data being indexed, ergo overages. Overages that our sales engineer originally assured us we could address by filtering things out with the snap of a finger. Bait and switch.

Ingest Actions were not available at the time, and were not functional (even in beta) until 10 months later.