Notes - SPLK - The Challenges Of Cloud Transitions
Despite numerous turnaround attempts, we continue to see SPLK struggle in the cloud era.
Executive Summary
Splunk is attempting to fool investors into believing that it has transitioned to the cloud.
In this short report we attempt to explain why it is very difficult for SPLK to migrate to SaaS and why they'll likely become a legacy firm.
We cover why log management-related firms find it difficult to adjust to the cloud, compare SPLK’s transition to PANW & FTNT, and discuss SPLK’s advantages & lack of leadership.
Intro
Splunk’s woes grabbed our attention back in 2020 when they chose not to give any leniency in credit terms to their customers to help them during the worst of the pandemic.
This was a sign of the company’s struggles in transitioning to the cloud. Well, they had already transitioned, but as we’ll point out in this short report, it isn’t a true cloud transition capable of offering the scale that was desperately needed during the pandemic.
Also, as we’ll explain, SPLK’s troubles in migrating to a true SaaS solution are in part because of the nature of its log management-related business, in part because of SPLK’s historically hands-off approach to customer relationship management, and in large part because of CEO turnover and generally poor leadership.
Log Management & Cloud Transitions
Transitions to the cloud are super hard, but this is especially the case for log management providers. There is no legacy log management provider – logs are the bedrock of SIEM (Security Information and Event Management), infrastructure monitoring, and APM (Application Performance Monitoring) – that has transitioned to delivering its services in a true SaaS form. Splunk, Dynatrace, LogRhythm, ArcSight, and others have expanded their offerings to be hosted in the cloud, but the software is still delivered on term licenses. As a result, they are single-tenant rather than multitenant – meaning each client has its own specifically allocated servers – and hence the software is still tightly coupled with hardware, so customers cannot receive the elastic scale of compute and storage.
This is part of the reason we were so bullish on Sumo Logic in the first half of 2021. SUMO is a cloud-native (born in the cloud) log management vendor (one that had also expanded into providing SIEM) that is maximizing the multitenancy and elastic scalability of the cloud to deliver superior performance for ingesting and querying large volumes of data. Vendors originating in on-prem log management are too ridden with technical debt to emulate this architecture, which is why we thought SUMO could rise to dominate this market. However, it appears that the GTM execution is lacking the right ingredients, which has resulted in low 15%-24% YoY growth for the past several quarters.
SPLK vs PANW & FTNT
But why is it so difficult for a log management-related vendor to transition from on-prem to the cloud? As of now, SPLK is in fact generating the majority of its revenue from Splunk Cloud, but from reading through scores of Reddit discussions between users, the deployment is no easier than deploying on-prem. So, this just reiterates that, whilst Splunk Cloud is hosted in the cloud, it lacks the nature of true SaaS – one of whose many attributes is ease of deployment.
To answer the question, it helps to consider why PANW and FTNT have successfully transitioned to the cloud – both in cloud-delivered (SASE) and cloud-native (cloud security) security. PANW’s/FTNT’s relative success is in large part thanks to the nature of their business. Before the cloud era, these vendors were conducting in-line inspection of data packets with physical or VM-based firewalls located at client premises. So, when the demand for SASE emerged, they had a relatively easier time because they could simply redirect this in-line inspection to their PoPs (Points of Presence, or cloud).
Well, it’s not quite as simple as that because the PoPs must operate with multitenancy to achieve economies of scale. But both PANW and FTNT have achieved this in a step-by-step approach, first by having clients allocated to individual VMs with each serving 1000s of connections, and now by magnifying the parallelism further using container-based processes. In a nutshell, instead of traffic passing through the CPE (Customer Premises Equipment) on-prem, for SASE it passes through the PoP off-prem.
The nature of SPLK’s business is way harder to move to the cloud. SIEM involves ingesting and storing huge volumes of logs in a cluster of servers, and then making them efficient to query and search whilst keeping costs low. The on-prem way entails a company’s own IT admins and software engineers working with an outsourced professional services (PS) firm to install SPLK’s software onto the servers in their private data centre. As a consequence, before the cloud era SPLK had a customer base whereby its software was installed by the client, maintained and managed by the client, and SPLK gave little customer support (in fact, most customer support is outsourced to PS firms). Because of this, historically, SPLK appears to have kept somewhat of a distance from managing the customer relationship.
Having to shift all this to the cloud, whereby they now need to (or should) manage clients in a multitenant environment and care a lot more about customer maintenance and support, is an almost impossible task to undertake whilst also managing the growth of the business. This must be why they’ve opted for the single-tenant cloud-hosted approach, so they can at least remove the multitenancy headaches, but at the same time make it look like a true cloud transition to investors.
The truth is SPLK doesn’t even have a smooth on-prem operation, so how can it successfully transition to a new environment whilst managing thousands of employees and growing the business? The quality of customer support is a signal of the extent of technical debt, and unfortunately for many on-prem SPLK customers the onboarding and general support are abysmal. And this has carried over to Splunk Cloud, just minus the issues associated with the software installation and the upgrades. In effect, Splunk Cloud is the same as Splunk on-prem, with the only difference being that Splunk does the installation and upgrades for Splunk Cloud. And because of merely implanting the on-prem architecture into the cloud, costs remain high for customers, there is no improvement in query/search performance, and they can’t enjoy the elastic scalability that other true SaaS vendors can offer. In fact, costs are likely to be even higher because AWS’s storage service and compute are 2-3x more expensive than your private data centres or colo arrangements. And no doubt the higher costs without the ability to quickly scale are why they were reluctant to extend credit terms to customers during the worst of the pandemic.
SPLK’s Moat
Having said all that, once SPLK is deployed and ready to use, whether on-prem or in the cloud, users highly recommend the depth and breadth of what the software can do with respect to big data analytics. It is this scope and maturity in capability that is SPLK’s competitive advantage and why IT admins and engineers put up with the troubles concerning deployment and customer support. The S&M org is also a formidable force for SPLK that has driven growth in the face of cloud migration troubles. And much of this growth comes from initially landing large enterprise deals and then pushing the land-and-expand motion.
Lacking Visionary Leadership
We’ve mentioned the differences in PANW’s/FTNT’s business compared to SPLK’s as a major reason for the former succeeding and the latter failing. The other reason is the difference in leadership. Nikesh Arora (PANW CEO) is a one-of-a-kind leader not afraid to make extremely bold moves, and Ken Xie (FTNT Founder & CEO) has demonstrated an incredibly long-sighted vision of his industry whereby he has correctly invested to capitalize on the growing demand for security and networking convergence. Unfortunately, SPLK has lacked that type of leadership, which hasn’t been helped by the company having 4 CEOs in its 19-year history, and 3 CEOs since it went public in 2012.
Conclusion
To summarize, the outlook for SPLK doesn’t look great. They’ve been on this cloud journey for almost 10 years now and the aforementioned is all they have achieved. The positive for interested investors is that its gross margin is returning to 80%, which indicates it has significant mature-stage profitability potential. Also, if management decided to ease up on S&M expenditure (c. 57% of revenue) then its margins would rise to become GAAP profitable, which could gain interest from investors. However, to us SPLK is a SIEM market leader that is quickly legacy-fying, and the value of SIEM is diminishing, as we covered in the recent SentinelOne report – security players (PANW and S) have circumvented SIEMs and created their own security-focused data lakes, and then there are also startups innovating atop SIEMs to stitch together better insights to extract more value. So, from both angles, SPLK doesn’t look positioned to prosper and extract substantial incremental value from these industry dynamics.