Splunk Is More Than One Thing — And That's the Point
Splunk isn't just a security tool anymore—it's foundational plumbing. Admitting his own "insightful lack of insight" as a non-power user, Robb Boyd unpacks his real-time realizations from Cisco Live 2026 on how Splunk is quietly becoming the core intelligence infrastructure of the enterprise.
I'll be upfront: I've never been a Splunk power user. I haven't written SPL in my sleep or built dashboards for fun. What I have done is spend increasing amounts of time around Splunk people — including my tack-sharp Cisco Live co-hosts Michelle and Lauren, who kept nudging me toward questions I wasn't fully asking yet — and found myself in Vegas watching Splunk show up everywhere.
Security sessions. AI architecture diagrams. Platform conversations about things that seem only loosely related to log management. At some point it starts feeling less like a product and more like... infrastructure. Like something foundational that other things are being built on top of.
That observation kicked off a question I kept raising with myself: what actually is Splunk right now? And the more I sat with it — especially after going back through the recordings of a couple of center-stage sessions on the show floor — the more interesting the answer got. So this is me thinking out loud, not as an expert, but as someone who keeps ending up in rooms where Splunk matters and wants to understand why.
Pre-Security (can't stop what you can't see)
Splunk didn't start as a security tool. That's the first thing I had to get straight, and figuring it out did a decent job of humbling me about how little I actually knew walking in.
The conventional wisdom in enterprise data, back when Splunk was founded in 2003, said you had to structure your data before you could use it — build the schema, define the fields, impose order first. Splunk said the opposite: ingest everything, index it like a search engine, figure out what you need later. That premise sounds obvious now. In 2003, it was genuinely radical.
That idea found its first true believers not in the SOC, but in IT operations. Sysadmins. DevOps engineers. People drowning in machine-generated data from servers, applications, and network devices who desperately needed a better way to search through it. Splunk became their tool — not because a CIO approved a budget line, but because the engineers demanded it.
The IPO came in 2012. The cult following was already well established by then, and by every account I've heard, the annual user conference — called .conf, styled like a Unix command — has been less an enterprise tech event and more a practitioner pilgrimage. People who competed in "Boss of the SOC" capture-the-flag competitions not because their boss told them to, but because they genuinely loved the craft.
Security eventually became the dominant narrative — SIEM, threat detection, the SOC — because that's where enterprise budget concentrated and where Cisco's acquisition story was clearest. No real surprise there: sit on data that valuable, and the use case with the biggest checkbook usually gets to write the headline. But Splunk the platform never stopped being more than that. The security story just got loudest.
Three Splunks, Same Login
Walk into a room of Splunk practitioners and ask what they do. You'll get answers that barely overlap.
The IT Operations crowd runs Splunk IT Service Intelligence — ITSI — to monitor the health of business-critical services, and a center-stage session on the show floor made that world a lot less abstract for me. Nimesh Bernard, who runs the observability team at Fannie Mae, walked through what that actually looks like inside a hybrid, multi-cloud environment running both legacy on-prem systems and cloud-native services.
His team's problem wasn't a shortage of tools — if anything, it was too many of them, each ingesting data in its own proprietary format. When something broke, fixing it could mean fifty or sixty people on a bridge call trying to piece together what happened. Their fix has been deliberately unglamorous: standardize everything on OpenTelemetry so every team logs in the same format, run it through a pipeline for correlation and normalization, and land it all in Splunk so security, IT, and the business are looking at the same underlying data, even when their dashboards look different. The end goal is self-healing infrastructure, but Bernard was clear his team isn't rushing it — they started with something as boring as automated CPU-spike remediation, run in parallel with human responses to compare results, before trusting agents with anything bigger. That's not a SOC story. It's a NOC story, and it's arguably the least flashy, most foundational use of the platform — which is exactly why it doesn't make headlines the way security does.
The OT and industrial crowd is doing something even further from the security headline. They're connecting Splunk to PLCs, SCADA systems, historians, and industrial control systems on the factory floor — ingesting data via protocols like MQTT and OPC-UA that most enterprise IT folks have never heard of. The value isn't primarily threat detection. It's operational visibility: asset health, production efficiency, quality control, downtime prevention. A manufacturer running Splunk to reduce unplanned downtime isn't thinking about SIEM. They're thinking about yield and uptime.
The compliance and fraud crowd is a third world entirely. Financial services organizations, retailers, healthcare systems — they've built entire Splunk practices around PCI, HIPAA, and GDPR monitoring, and around fraud pattern detection that has nothing to do with external threat actors. These are often business analytics use cases sitting on top of a security-adjacent data infrastructure. Different stakeholders, different success metrics, different conversations entirely.
Three communities. One platform. And here's the irony I keep running into: I'm learning these distinctions right as the platforms containing them get folded into one unified Cisco story, which raises an honest question — does the distinction still matter once everything's living under the same roof, or is "Splunk is more than one thing" already becoming "Splunk is one thing with several dashboards"? I don't think that question has a clean answer yet, but it's worth sitting with as we look at the loudest of those three communities up close — because that one's evolved fast.
Security Stole the Mic
Security became the dominant Splunk narrative for the obvious reasons — that's where the budget concentrated, that's where Cisco's acquisition story was clearest — but it's also just where the AI arms race is moving fastest right now, on both sides of the fight. A center-stage session from David Dalling, who leads Splunk's global security specialty team and go-to-market strategy, made the case for just how fast that story is moving.
His framing centered on the collapsing time between vulnerability and exploit. In 2018, the average gap was roughly two and a half years. By 2023 it had shrunk to about five months. Dalling's claim now, with frontier AI models in the mix on both sides of the fight, is that it's down to under twenty hours — less time than it would take a human analyst to even finish researching a vulnerability before it's already been weaponized against someone.
His argument isn't that AI created a new problem. It's that AI compressed an old one past the point where the traditional SOC model — built around human analysts triaging alerts one at a time — can keep up. What he described instead is a three-layer agent structure:
- Detection agents that handle the volume of alert triage, malware reversing, and writing search queries;
- Investigation agents that automate hunting and correlation; and
- Response agents that carry out guided, natural-language playbooks once a human has signed off.
The stated philosophy is augmentation, not replacement — moving analysts off repetitive triage and into the harder work of adversary analysis, detection engineering, and deciding when to actually trust an agent with a consequential action.

How seriously Cisco is treating that argument showed up in the numbers, not just the framing. In a separate live demo at the same event, Splunk's SVP and GM Kamal Hathi ran an Agentic SOC in which Triage Agents automatically discarded roughly 92% of incoming alerts as false positives — without a human reviewing them first. That's the single biggest time sink in a traditional SOC, handled before anyone clocks in. Cisco's president and chief product officer, Jeetu Patel, put the urgency even more bluntly on the same stage: "In a matter of a few months, a SOC that is not agentic won't even make any sense."
Whether that philosophy survives contact with budget pressure over the next few years is a fair question. But it's a more specific, falsifiable claim than "AI for security" — and that specificity is itself worth noting.
Data Fabric, Machine Data Lake, Federated Search — Same Thing or Three?
Spend a few days at Cisco Live and you'll collect a small glossary of terms that all seem to be circling the same idea: Data Fabric. Machine Data Lake. Federated Search. At some point I stopped being sure whether these were three different architectural layers or three different ways of describing the same thing.
A couple of sessions on the show floor actually helped untangle part of it.
Cisco Data Fabric, as Dalling described it, is essentially Splunk itself with federated search and AI capabilities layered on top, plus added awareness of location and context — the foundation everything else in the agentic SOC architecture sits on. Cory Minton, Cisco's global field CTO, framed it similarly from the observability side: the first of three priorities his team is building toward is unifying cross-domain data so AI tools and human analysts work from shared context instead of fragmented silos.
The Splunk Machine Data Lake is a more specific, newer piece: a low-cost storage tier — Minton compared the economics to S3 — that complements rather than replaces the core Splunk index. The index still handles the high-value, low-latency data that drives real-time detections. The data lake is meant for the much larger volume of lower-value data that gets collected for compliance or context but rarely gets searched, with a knowledge graph attached so it's not just dead storage. It's set to go generally available next month.
Federated Search is the connective tissue between the two, and increasingly between Splunk and outside stores entirely — Minton mentioned Snowflake, Azure Data Lake, and Databricks expansion landing within the next month or so. The pitch is that you shouldn't have to migrate data into Splunk to search it; you should be able to reach out to wherever it actually lives.
So: Data Fabric is the architecture, the Machine Data Lake is a storage tier inside it, and Federated Search is what lets you query across both without moving anything. You'll also hear it called an "agentic substrate" in some circles — same idea, dressed in analyst language — but the actual mechanism is what held consistent across both sessions: store less-valuable data cheaply, search it without moving it, point agents at the unified result. That consistency is what makes me more inclined to take the architecture seriously even when the vocabulary gets slippery.
The Trouble With Tidy Metaphors
Cisco and outside coverage have reached for different metaphors to describe what Splunk has become inside the Cisco machine — operating system is one I've seen used, intelligence layer is the phrase Minton used on stage. Both gesture at the same architectural reality: Splunk really does sit underneath, ingesting from everywhere, making data searchable and actionable regardless of source, in a way that increasingly resembles infrastructure other things are built on rather than a standalone product.

But "operating system" and "intelligence layer" are both loaded in their own way. An OS is infrastructure — the thing other things run on, with no identity of its own beyond enabling everyone else's. An intelligence layer sounds more active, more like the thing doing the thinking. Neither one quite settles the actual tension, which is that Splunk does have its own identity, built over two decades with a practitioner community that adopted it because it solved real problems in ways they chose, not ways a CIO mandated.
The more Splunk becomes foundational plumbing inside Cisco's architecture story, the more interesting a softer version of one question gets: whose daily experience is the roadmap actually optimizing for right now? For the Cisco Live audience, it's the layer that makes everything else smarter. For the practitioner community, it's still the thing they built their professional lives around. Both are true right now. The open question is how long they stay true simultaneously.
Acquired on Monday, On Stage by Wednesday
I didn't expect a company Cisco had only just acquired to be this visible. I'd already written about the Galileo and Astrix deals back when they were announced — Cisco bought a lie detector and a bouncer for AI in the same week, more or less — but reading about an acquisition and watching the acquired company show up in person, on stage, inside live demos, are two different experiences.
During Minton's session, he brought up Atin Sanyal, Galileo's co-founder and chief product officer. Sanyal described getting pulled into Cisco Live with less than forty-eight hours' notice — not into the company, into the keynote slot — and flying to Vegas to walk on stage alongside his co-founder, head of product, and lead product managers, all newly part of Cisco. His own read on it, delivered half as a joke and half as a genuine observation, was that it's becoming clear why people call Cisco the largest startup in the world.
That's a meaningful admission to make out loud, on the record, this soon after a deal closes. It suggests Cisco's smaller, more recent bets — Galileo, and the non-human-identity company Astrix before it — aren't just getting bought and quietly absorbed over a multi-year integration. The people are showing up in front of customers almost immediately. Nobody puts that specific detail in a press release. You only catch it if you're in the room when someone says it out loud.
More Than Lip Service, Less Than Settled
These were keynote-adjacent center-stage sessions at a vendor's own conference, on a show floor built to sell a vision. Of course it sounded clean. Of course the case studies were flattering and the roadmap slides had no gaps in them. That's what the format is for, and I'd be naive to pretend otherwise.
But there's a difference between polish and substance, and what stood out across both sessions was how specific the claims were willing to get. A named customer describing an unglamorous, multi-year, not-yet-finished journey toward self-healing — including the parts where they're deliberately not trusting agents yet — reads differently than a generic case study slide. A co-founder admitting on stage that he had less than forty-eight hours' notice before he was standing in front of a Cisco Live audience is a stranger, more honest thing to say than the usual acquisition talking points. A GA date next month for a specific storage tier, and a hard number — eighty percent of one beta customer's tier-one analyst workload automated — are claims that can actually be checked later, which makes them riskier to make if they're not true.
None of that proves the integration is fully baked, or that every team inside Cisco and Splunk is moving at the same pace the stage implied. But it's a lot more specific than synergy language, and specific claims are the ones worth holding a company to. I'll be watching for whether the Machine Data Lake ships on schedule, and whether Bernard's team at Fannie Mae gets further down the self-healing road by the time .conf rolls around in Denver this September. That's a more honest place to leave this than a tidy conclusion: Splunk is more than one thing, the integration is further along than skepticism alone would predict, and the proof is still being written in real time.
It's an exciting time to be in networking.
Robb Boyd spent nearly two decades at Cisco as Managing Editor of TechWiseTV — the company's highest-ROI marketing asset, reaching audiences in 65+ countries. Today he helps technology companies close the gap between their engineers and everyone else: customers, executives, and the broader audiences that actually move markets. If your technical experts have something important to say but struggle to say it in a way that lands, that's the problem Robb solves — through hosted video series, guided narrative content, and on-camera work that makes complex ideas clear without making them simple.