Cisco and Splunk plot multi-year data fabric journey
Company leaders talk up their vision for the Cisco Data Fabric that will allow enterprises to gain insights about their IT infrastructure and security posture from machine data wherever it resides, from the network edge to the cloud
It has been just over a year since Cisco began the process of integrating security and observability giant Splunk into its fold, a move that has raised questions on whether innovation at the fast-moving data platform company might slow down under its new corporate parent.
Speaking to Computer Weekly in Singapore following Splunk’s .conf25 user conference, the firm’s chief revenue officer, Frank Dimina, said the opposite has happened, adding that the recent product announcements were the largest in years, a direct result of the two companies beginning to operate as “one Cisco”.
The integration efforts between the two companies, from combining partner programmes to sharing office space, have paved the way for deeper technological collaboration, culminating in broader moves to help customers better leverage data and artificial intelligence (AI) in IT and security operations.
Alongside Dave West, Cisco’s senior vice-president for global specialists and former president for Asia-Pacific, Japan and Greater China, Dimina discussed the change in the company’s philosophy on data platforms, and detailed a roadmap to provide enterprises with full visibility over their infrastructure and help build digital resilience.
Editor’s note: This interview has been edited for brevity and clarity.
It’s been over a year since the Cisco acquisition. What were the major themes from the recent announcements at .conf25?
Frank Dimina: The announcements were the culmination of a year’s worth of work to operate truly as one Cisco. They fall into a few major themes. First, AI systems need resilience, so we’re building observability and detection capabilities specifically for large language models (LLMs). The second is what AI can do for Splunk. We announced several agentic AI features to make it easier to get security insights from data, such as a triage agent that explains alerts in real time, and a malware reversal agent that simplifies complex threats and extracts indicators of compromise so you can update your systems for those behaviours.
The third theme is about modernising the data platform. Our philosophy has changed. Instead of being the centre of data, where you have to bring everything into Splunk, we want to be the centre of gravity for analytics. This is a subtle but really big difference because it means you no longer have to move all your data, whether it sits at the edge or in a data lake, to Splunk. Announcements like our federated search for Snowflake mean you can use a Splunk dashboard to analyse data wherever it sits.
The most exciting long-term theme is the Cisco Data Fabric. This is not a one and done product release. This is going to be a journey over the next few years where you’ll see us deliver full visibility across all of Cisco’s product lines. Those who don’t work in data think that sounds really simple, but it’s a lot of work to get data into a single system to deliver insights.
However, that doesn’t mean we’re favouring Cisco products. We’re still committed to being the most open ecosystem, working with every vendor. We believe that if you have products from both Splunk and Cisco, you should get value out of the box, but you can still bring in data from other products and get analytics on it.
Dave West: With the Cisco Data Fabric, it doesn’t mean you need to ingest all the data from across Cisco’s vast portfolio. It allows you to do federated search across the portfolio, determine which data you need to look at, and only ingest the data you need for deeper analytics. That is pretty unique. We are also building a common AI Canvas that will work across networking, security and Splunk to identify issues and find root causes using generative AI, rather than having five different tools.
This move towards a federated model seems to push Splunk beyond addressing IT and security use cases. Are you moving into broader business analytics?
Dimina: It’s a good question. Our focus still is on machine data. This is where the lines can blur, because when people think of business analytics, they often think of human-generated data like Word docs or Excel files. We’re really trying to focus just on machine data, because that ChatGPT-like experience for machine data doesn’t exist today. However, you can still get business analytics from machine data. We have customers using it for fraud detection and compliance, and to predict when tenants might not renew a lease. We think there’s tremendous untapped value in machine data.
West: A great example of that in this part of the world is Singapore Airlines. They use Splunk to enhance customer experience and reduce outages. It’s a line-of-business use case, but it’s using machine data to create a much better experience for travellers.
Dimina: This is what we mean by digital resilience – your ability to withstand and recover from any adverse event that causes a disruption to your business systems, whether it’s an IT incident or a security incident, and it can be for any industry. All that machine data can be super helpful for reactive or predictive analyses.
Other major vendors are also consolidating and building their own data platforms. What gives the combined Cisco and Splunk an edge?
Dimina: I would argue that it’s incredibly difficult to build a next-generation data platform, and if you don’t have thousands of people thinking about that every day, you’re going to fail. We see security companies with a great endpoint security product try to build a data platform, fail, and then acquire another company a few years later. Being able to analyse massive data sets where they exist is an incredibly difficult challenge. Then there’s the question of scale. A lot of products have great demos, but can they work in large production environments?
We’re now working with one of the world’s largest financial services companies. They spent two years with a big-name organisation that claimed they could get a data platform working in their cloud environment. But it was never operational because of the sheer amount of data they had to process and the number of people interacting with the data. While we talk about the unique capabilities of Cisco and Splunk, there are also conversations on the scale of the organisations we serve. No one can keep up with the way we can service those customers.
West: You have to deliver security inherently from the network all the way up – from access to the edge to the cloud. To be able to protect users, flows and data, and then wrap a digital resilience capability on top for orchestration, automation and response – honestly, there’s no one else that can do that. Splunk is perfect for today’s world, where customers are moving workloads to the cloud, back from the cloud, and deploying air-gapped capabilities. There are very few platforms that can work across on-premise and the cloud at that scale.
Your vision of a unified data platform is compelling, but many organisations still operate in silos. Are customers ready to break down the walls between their security, network and IT operations teams?
West: I still think customers will be fragmented in their decision-making, but we see a lot of things starting to consolidate under CIOs or chief financial officers. As customers move towards AI and look at their next-generation business services, I’m seeing more convergence than I saw before. I was in meetings today where customers were all talking about the same thing: “Dave, we really need to think about SOC [security operations centre] and NOC [network operations centre] convergence.”
That tells me they want to look across the foundation of the services they deliver. We’re also seeing that the convergence of IT and OT [operational technology], and being able to leverage the Splunk platform in the OT arena – where resilience is everything – is super important.
Dimina: Resilience is driving a lot of that convergence. Two or three years ago, nobody was talking about resilience. Now, it’s becoming more of a board-level topic. Oftentimes, when there’s a cyber issue, the first sign of that is an IT issue, like system latency. Bringing SOC and NOC teams together brings efficiency and productivity gains. That’s what made Splunk special from the beginning – it’s a platform that can serve different users with the same data.
With this shift towards a federated data fabric, are you rethinking your pricing models when it comes to data ingestion and long-term data retention?
Dimina: We’ve been through two major pricing evolutions, moving from data ingest to workload pricing, which customers have been happy with. The new security editions we’ve announced are also a new way of buying that maps to a customer’s maturity journey instead of just buying a bunch of different products. We’re always looking to evolve, but there are no immediate plans for another major change.
However, to your point, the federation capabilities do bring some new pricing aspects. For customers where the use case doesn’t make sense to move data around, it gives you new pricing models to craft a solution that makes sense for you. Not moving data has a lot of cost savings, so we’re going to keep listening to what our customers ask for and be as flexible and responsive as we can.