Techzine Talks on Tour

How do Splunk and Cisco make a unified observability platform a reality?

Coen or Sander Season 1 Episode 10

During Cisco Live last June in Las Vegas, we had the opportunity to sit down with Tom Casey, SVP and General Manager at Splunk. We asked him all about how he thinks the portfolios from Splunk and Cisco work together, and reinforce each other. How does Splunk make Cisco better, and vice versa?

The acquisition of Splunk by Cisco was big news near the end of 2023. After closing the acquisition sometime last March, the teams at both companies really got to work and have already delivered some integrations.

Observability underpins a lot of what Cisco has done over the past few years. It has an impact on its security business, but also its networking business and obviously its AppDynamics business. Without observability, all the talk by Cisco about Digital Experience Assurance would not be possible, or would at least sound a lot less confident.

Making sense of a crazy heterogeneous space

With the addition of Splunk to the fold, Cisco now has fundamentally different data to add to its Full Stack Observability approach. One of the key talking points of this episode of Techzine Talks on Tour is what this means, and what companies can get out of this. Tom Casey breaks down the essence of observability, detailing its critical layers. In addition, we talk about the necessity of a unified data platform that curtails alert overload while ensuring consistent insights across both traditional and modern cloud environments. 

Listen to this episode if you want to gain a better understanding of how combining Cisco’s data with Splunk’s data can transform raw data into actionable intelligence. According to Casey, we need fundamentally better insights to deal with the "crazy mixed up heterogeneous space" that a company's infrastructure and insights have become.

The conversation isn't limited to observability, though. We also touch on how Splunk and Cisco can advance the state of the art in networking and security. 

Listen to this new episode now. You won't be disappointed.

Speaker 1:

Welcome to this new episode of Techzine Talks on Tour. I'm Sander and I'm at Cisco Live this week, and when you say Cisco, you say Splunk nowadays as well, and I'm here with Tom Casey, SVP and General Manager at Splunk. Welcome to the show, Tom.

Speaker 2:

Thank you, Sander. It is great to be with you and it is. You know, it's my first Cisco Live. I said that on stage this morning.

Speaker 1:

I mean what I said. It's pretty exciting to be here. There's a lot going on. Yeah, it certainly is. I mean, one of the biggest acquisitions of the past couple of years from Cisco, obviously. And I want to talk to you a little bit about how Splunk integrates with Cisco and what it means, especially for customers. Sure, because are there many shared customers between Splunk and Cisco? I would imagine yes, right, yes. So they need to know now what they can expect from both of those stacks that they already have, how they integrate. So I'd like to discuss that a little bit.

Speaker 2:

I think that would be great and, you know, in addition to there being many shared customers, there are customers who use one or the other. You know, may use Cisco and don't use Splunk currently, and so we see a great deal of opportunity here to bring, you know, not just opportunity to the business but opportunity to the customers to get a better view both horizontally and kind of vertically into the depth of what they're doing, because that's the thing, right.

Speaker 1:

Customers need better visibility of what's happening.

Speaker 2:

Absolutely.

Speaker 1:

Because I think you mentioned you called it a heterogeneous.

Speaker 2:

I called it a crazy mixed-up, heterogeneous world out there. When I was commenting on it earlier, and the fact of the matter is so few people have a pristine environment where they can start from scratch and do what they want to do. We almost never get to do that. We have generations of things and we need to support those generations of things, and that's one of the things the combination of Cisco and Splunk together are really good at, in both security and observability.

Speaker 1:

I think I'd like to try and start with maybe a bit of a dumb question. I promise you I will get to the smart questions later, but there's this. I think a lot of listeners will have this question as well what do you mean when we say observability? How do you define observability?

Speaker 1:

Because obviously there are different layers of observability and not every company means the same thing when they say observability and I think that a lot of mix-up is being caused by using that term by a lot of companies right, it can be so how would you define observability?

Speaker 2:

Well, I think it's part of the reason we use the phrase full stack observability at Cisco, and we think about that because we're not trying to narrow that scope. And so when I think about observability, it's application performance monitoring, the ability to have eyes on whether you're up and running and how your services are operating, and that's at any layer in the stack: your owned and unowned networks, your infrastructure, your services that you're dependent upon, and the applications and their behavior themselves. And then it's about having a longitudinal view across that, because we know that that stuff lives in traditional on-premise scale-up application environments. Your brand new, really cool, as I said, I think, on stage today, those perfect cloud services we all think we're writing.

Speaker 2:

You need to marry the old with the new and you need consistent visibility, and then what we're trying to do is not just stay up. We're trying to optimize the experience of our employees and our customers, and that's really where digital experience monitoring comes in, and the promise of kind of getting healthy gives you that ability to go in and become great and that's what we want to do.

Speaker 1:

So the way I look at it is if you look at what Cisco has to offer when it comes to full stack observability, and compare it with what Splunk has to offer, they're different layers of the, they're different types of data, right? I mean you have the, you have maybe the, the infrastructure data, the one hand, and then you have the maybe customer data, for lack of a better word.

Speaker 2:

Yeah, I mean I think that's fair in a dimension. I don't really think about it as the customer data versus the infrastructure data. I think you know, if we think about what we bring together here is you bring about just a tremendous amount of data and expertise and what's happening on the network from Cisco. Historically that is underrepresented in observability and I think is a great opportunity for us here. You also bring in strength in on-premise and traditional application performance management and digital experience monitoring with AppDynamics. You then marry that to Splunk, which actually is strong at infrastructure monitoring.

Speaker 1:

So it does cloud native.

Speaker 2:

APM, we know how to look at your Kubernetes clusters and tell you what's going on, right. We can go handle those categories of things. And then of course, you also supplement that with just the core Splunk platform and what we do around log analytics, where you can literally ingest almost anything and then figure out how you want to look at it later, and I think that combination is pretty broad.

Speaker 1:

Yeah, don't you think maybe that's a, if you marry these things right, I would imagine you're not going to get twice the number of alerts.

Speaker 2:

Definitely not. That would be. That's a fail. That wouldn't help, I think.

Speaker 1:

Yeah, so how do you make sure that it doesn't turn into a new crazy, mixed up, heterogeneous mess of space? Sorry?

Speaker 2:

Well, I think you do that in a couple ways. You know, one of the things we've been doing at Splunk is not only for observability but also our security products is working on an increasingly unified data platform, and so having a common data platform lets you get sort of shared context around that data, which means you don't want people just looking at the data, you want them looking at the data in a similar way, and your ability to go do that then helps you go a long way towards denoising your environment. It's kind of out of the mode that I think you and I talked about with a group earlier of this model where you're just focused on mean time to innocence. It's not my fault, it's somebody else's fault. I can go back to my work.

Speaker 1:

I wish you'd get rid of that as soon as possible. That needs to go away.

Speaker 2:

What we need to get to is oh, I can see it here and I can navigate, which is something I showed on stage today with something like IT Service Intelligence from Splunk, which marries together the visibility of kind of your traditional APM for AppDynamics and your modern cloud native APM. With Splunk Observability Cloud, I can see the whole service map, regardless of whether it's old or new, on-premise, you know, multi-cloud. I can navigate that. I can see alerts consistently and this is the thing that's really key to me. It doesn't matter where I enter, if I enter from the network or the logs or I enter from the application. I can navigate to the same place using the same data. And so you're going to see us really push this notion not necessarily of all the data in one place, but of having a consistent view of the data and how you access it, because you don't want to be moving data around all day long.

Speaker 1:

Right, that's not. No, you want to leave the data where it is and start stuff with it?

Speaker 2:

Yeah, and look, we would generate, you know, ten hundred times more alerts if we just started stuffing all the network data, yeah, the channel.

Speaker 1:

And what?

Speaker 2:

you want to do is you want to um, you want to be able to do some creative things like selectively know down in the stack when you want higher degrees of visibility, and I think that's a really promising opportunity here.

Speaker 1:

I think the context awareness also is very, very, very strong, right, I mean it's very strong, I think, a very strong feature of the new offering of the integration, because you can go from well, like you said, from anywhere you enter this thing, yeah, and you can go to the right place immediately.

Speaker 2:

Yeah, and I think you know you're going to find I'm always practical about these things. I'd love for it to be immediately in every case. You don't get to the right place immediately in every case, right now, that wasn't a follow-up question.

Speaker 2:

But you know what? But there's the value of a little bit of structure that we provide with. Like you know, we're two of the top contributors to OTel. As a standard, the more structure that comes in, the easier it gets. But even without that, that's really the promise of machine learning, AI, is to help guide people towards those repeatable patterns and get them to the right actions faster.

Speaker 1:

Because I think the term you use now is unified observability, not necessarily full-stack observability anymore. No, we say full-stack observability.

Speaker 2:

Still, I talk about a unified security and observability platform, which I think is important because you know a lot of the data is shared that you need in the SOC as well as in the NOC right.

Speaker 1:

I think in the official press release they called it, or the writers of the press release called it unified observability. Which is that really? Did that resonate? Well, you know, unified storage.

Speaker 2:

Sure, and that's the focus of the integration. That's a nice analogy, right?

Speaker 1:

You can actually have the, you can run whatever data type in terms of unified storage, whatever you want, and the same goes for observability. You have one kind of approach where it doesn't matter if you're on the Splunk side or on the Cisco side it's unified in that sense right.

Speaker 2:

And so there you're right. That's the unification part of it, and unification is just one dimension. It's kind of that horizontal view of full stack observability. But full stack also means the depth of the network as well, and so the depth of the stack, but that obviously the term unified.

Speaker 1:

It also begs a couple of questions, I think, and that's how far is the intention to integrate these two things? Do you want to go towards one single dashboard to do everything, or are those two layers of observability that we talked about too different to actually do that in one dashboard? Or maybe you don't even want to.

Speaker 2:

Well, I think you have to preserve optionality.

Speaker 2:

The fact of the matter is, practitioners on the ground whether it's a developer in their IDE and their ticket tracking database, whether it's your network engineers and their consoles, whether it's somebody in the SOC they do tend to spend time in their daily workflow in slightly different tools.

Speaker 2:

So you want to meet them where they are, which means we'll always provide optionality for them to create their own views. But AIOps is a big deal and being able to provide kind of aggregate views and service intelligence is important, and so one of the things we showed today is that to truly get full stack observability and a coherent, cohesive view across your cloud and on-premise environments, across your traditional and your modern apps. Well, you can use IT service intelligence, Splunk IT service intelligence, and that gives you sort of that service map spanning across these different observability zones. But, as you noted earlier, we also want the ability for the network operator to notice something in their console and be able to work from there and navigate kind of that shared data. So I think you're going to see, over time, an evolution where there's a blend of both. I do think we're at a period of coalescence right now where most companies are trying to get that centralized view in place, and that's the priority right now, because there's a lot of talk about reducing the number of tools.

Speaker 1:

A lot of companies use way too many tools for the same thing. I think you mentioned was it 160? One customer?

Speaker 2:

I said over 130.

Speaker 1:

There's one customer that I've talked to that has more than 130 tools for observability alone, can you?

Speaker 2:

imagine. That's just not workable. No, but even in a smaller enterprise and most companies that are running any sort of digital services for their employees and their customers, they've got too many tools, and so tools consolidation is a real thing. And then we come back to this idea of the unified data platform sitting underneath. If you can turn that into a data consolidation problem, that improves your consistency with your policy application around how you handle data. It avoids duplicate storage costs. It makes things better too, and so we'll talk a lot about that at the Splunk user conference next week.

Speaker 2:

But I think that's an important area in evolution, in the tools consolidation play too.

Speaker 1:

What's the biggest challenge at the moment when it comes to observability? Is it making it as actionable as possible, because being able to show where something is going wrong or where something may be optimized is step one, obviously, but ideally you would like the customer to actually say well, I'm going to hit this button and I'm going to solve this. Yeah, is that still a big challenge? It used to be a big challenge for Splunk, I know from the past. Getting to action, you mean yeah, getting to action. You can ask a lot of questions and you can get a lot of input, but then actually acting on it. Is that still a challenge in this space? I think?

Speaker 2:

in the large, it's still a challenge. You know you've got to get the right data, the right analytics and then apply the right actions right. It's all in service of that. But I think you've got to go back to the way you framed the question. Is it a challenge for the customer or is it going to depend on the customer? I think everybody's at a different place on their observability maturity journey. Some people are still trying to get eyes on their core services, and that's where they are. My general guidance to people is be thoughtful about this and try to oscillate back and forth between maturing your eyes on and the amount of instrumentation or automation you have for actions right. Don't go try to get eyes on everything and then automate everything, because you'll just spend the rest of your life getting eyes on it.

Speaker 1:

You don't want to do that.

Speaker 2:

It's like raise the water level, if you will, in both dimensions, kind of concurrently, and oscillate back and forth. So I think that's important advice. And then the other piece of this is you know there are companies who are increasingly mature along this journey, but they're still struggling with the fact that there are still silos right, there's still the business unit or department or subsidiary over here using a different set of tools or not sharing, and somebody else there and your supply chain heck, it's not even limited to what's inside your company anymore. You've got to be able to see across your company and beyond it, and that's where I think we all have room and that's where the promise of network observability comes into.

Speaker 1:

You're not really breaking down those silos. I don't see that happening.

Speaker 2:

I don't think you can.

Speaker 1:

That's one of the things I really have something, I mean, that really gets me a bit angry every now and again. Not really angry, I'm never angry, I'm very laid back. There was a time where everybody was breaking down silos. My first question always was do you think there's a reason why there are silos and there's a good reason for it? Sure, you can reduce the number of them.

Speaker 2:

There could be, but even if there's not a good reason for those silos sometimes is that the battle you want to fight.

Speaker 2:

I mean what you're trying to do is gain visibility to things, get a hold of the right data. You want to make that easy for people so they can do it. You want to make sure it's high-value data and it's easy to do analytics on it. And then you want to get towards action. And if you can come back and say to somebody else, if I marry your stuff to mine, I can correlate some answers and actually help you improve the quality of service you're delivering, they're usually going to take that win, even though they may still be working autonomously and independently, and that's okay. I mean, that's just that's life. That's some of what I meant by you know. Crazy mixed up, heterogeneous world too. Yeah.

Speaker 1:

And what about the age old kind of complaints when it comes to Splunk, that it costs a lot to store all the logs and all the? It used to be quite an expensive solution and I'm pretty sure it's still not extremely cheap Now that you marry it to another kind of observability piece? Will that bleed customers dry because you have more storage now you need more storage than you used to need. Yeah, I got it.

Speaker 2:

So there's a misnomer that you need more storage than you used to need, so let's back this up. So first of all, historically, I think you and I were talking you first started interacting with Splunk or coming to our user conference in 2018, or so yeah, and.

Speaker 2:

I first deployed Splunk and used it I want to say 2013-14 and a gig, excuse me and there are a couple elements of this that have changed. One the licensing model's changed. It's not just ingest-based. You can license Splunk on a workload-based model, which tries to amortize how much you ingest versus what you actually access. But fundamentally, this conversation's about value. Are you getting the value you need out of it? And it's so easy to ingest data into Splunk. A lot of people just ingest everything, yeah you shouldn't do that.

Speaker 2:

A lot of people just ingest everything and you know, as I said, you don't want every single bit of your network log data necessarily flowing in. You've got to select what matters. We probably need to do a better job being prescriptive and helping you do that, but we now, you know we were introduced last year what we call Edge Processor. It filters, routes and redacts data as it's coming into Splunk. You can flow your high-value operational and kind of ad hoc analytic data into Splunk and then send that write-once-read-never retention compliance-based data off to Amazon S3 buckets, and then what you can do with Splunk is you can still search that data even though we've never ingested it and indexed it as well. And so where I'm finding companies are maturing to now is they're maturing to the point where they need to step back a little bit and revisit their data strategy. What data matters to me, and that's that really helps you can help with that.

Speaker 1:

But I mean they, they can also probably prepare.

Speaker 2:

They do better data prep anyway, right, maybe not necessarily leave it up to you to do it maybe I don't know that we need them to do a lot better data prep, but people do need to do, need to start thinking about how to classify data, and so give you an example. You know, there's new regulation M2131 in the US. There's public sector regulation within the EU. That, as well as brand new, some of the 2030 initiatives that are taking place, and those things provide a degree of standardization you can use for data categorization. But you've got to take it down to sort of if not the data element, the entity level, and figure out what actually will be useful, and I think that's something we can help with and give more guidance on. But at the end of the day, it's work a company has to do to really break through.

Speaker 1:

It's one of those things that companies have had to do for a long time but still aren't doing right. So it's one of those basic hygiene kind of things.

Speaker 2:

Right, but if I can make it so I can again filter out and redact your data and get in federate that storage for you and you can still search it right at some slower pace. I think that really helps people iterate their way towards the right answer.

Speaker 1:

I think we're almost out of time. We haven't even talked about all the other impacts that Splunk will have on the Cisco portfolio.

Speaker 2:

You want to do a lightning round? I'll keep them short.

Speaker 1:

Yeah, so the networking, especially the networking, because that's the biggest business unit that Cisco has right, so you can make a huge difference there. We haven't really heard a lot about it yet.

Speaker 2:

Yeah, so let me give you a quick hit on it. So on the security side, we think we can take the real-time detections from XDR and some of the signal from down in the network and enrich what's in the SOC to give you that longitudinal view. We think we can also go further and distribute not just the data but the actions long-term that you structure in the SOC back down to the network with things like HyperShield as that manifests. So that's a fun follow-up conversation for us to have at some point, maybe next week, yeah, maybe next week, we can do it next week.

Speaker 2:

And then on the observability front, all that richness in telemetry you heard us talk about here with ThousandEyes, that's coming in. Getting that integrated more deeply into Splunk, not just AppDynamics as it is today, but the Splunk Observability Cloud and Core Splunk that starts to give a selective signal around the experience users are having inside their owned and unowned networks, sort of a foil for the application part that we discussed earlier.

Speaker 1:

You got it.

Speaker 2:

That's about again, I think, about breadth and depth, and you've got to have both, to have full stack observability.

Speaker 1:

I think there's I mean, there's so much we could talk about for hours right, Because there's potentially such a huge impact that it's going to have. And then finally, just to round it off, Cisco itself is really moving. They announced the security cloud, the networking cloud, and they have a maybe we can even call it the observability cloud.

Speaker 2:

now, you can.

Speaker 1:

And collaboration. But then you see, especially security and networking with the foundation of observability are moving towards each other right.

Speaker 2:

Absolutely.

Speaker 1:

I had a chat with Jonathan recently and he basically said well, we might even go merge them again, right? So maybe that was quite extreme, right? So we're probably not going to merge it entirely, but there are so many, many, they're so intertwined, those two clouds, that it's not really two clouds anymore. Right, and is it do you think Splunk will, will follow this, this merging of the clouds, if that makes sense. Well, the way Jeetu and Jonathan I usually talk about Jeetu has collaboration and security.

Speaker 2:

The way we talk about this stuff a lot is tightly integrated, loosely coupled, because customers need it is a heterogeneous environment. They need to be able to have choice. What I think Cisco has recognized here is that people don't just have a cloud. They have multiple clouds and multiple cloud providers and that's for their storage and compute and some of the rest of this right.

Speaker 2:

And what you really need now to be sort of independent and covering of it all is you need your network and network route optimization, you need security and you need observability, your ability to see all that, to sort of sit independently. And then what's the difference between a security incident and an observability incident? When it starts, a lot of times you don't know, you don't know which it is yet right, and so it makes sense that you enable better and stronger collaboration there too. So I think you're going to find those four things kind of live in a plane. They're kind of a suite of things on their own in the cloud for a while, as long as we don't create a new heterogeneous, complex kind of crazy mess.

Speaker 2:

Right, that's right.

Speaker 1:

That's the key here, I think.

Speaker 2:

Well, and the key for us is to stay open, stay committed to OTel, stay committed to supporting things other than just the Cisco network, and that's a commitment we are making.

Speaker 1:

All right, I think we're out of time anyway. I can talk about this for another five hours if I have to, but we wouldn't bore the listener too much with that, maybe.

Speaker 2:

We'll go ahead another half hour next week. Yeah, let's try and do that.

Speaker 1:

Thanks for joining. I think it was a very interesting conversation.

Speaker 2:

Loved it. Appreciate your passion for this, Sander, and helping people get educated here. Thank you.