An ode to Splunk

With Splunk 's sale to Cisco for an impressive $28 billion in cash, I see people jumping onto the internet to dance on Splunk’s supposed grave. That’s naive. The Splunkers envisioned and built a product and company that’s been a constant inspiration to my founders and me. They’ve amassed an A-list clientele and a multi-billion-dollar revenue stream. In many, many ways they’ve inspired Axiom’s vision and mission.

I want to take the opportunity to call out those ways Splunk inspired us, and how we envisioned and designed Axiom not as a Splunk competitor in their current focus of cybersecurity, but as a next-generation, cloud-native approach to event data for every possible goal.

Brilliant in foundation and evolution

Splunk invented log search, which didn’t exist before Splunk put themselves in the shoes of thousands of DevOps engineers (it wasn’t called that yet) and crafted an answer to the awkward, lossy logging experience from which those engineers had been suffering:

• They moved the user interface from the Unix shell command line into the browser, making it interactive and more graphical (with a command-line API if you wanted to run it from a shell script.)
• They embraced the messiness of logs. You didn’t need to write parsers to ingest unstructured data.
• They made search results interactive. You could click to see similar or related events.
• There was a valuable free-forever edition (anonymous downloads allowed) solidly backed by the company.
• They funded the porting of dozens of Linux libraries to other OSs so they could ship self-contained installations.
• The subscription price started at $2,500 per year, low enough for an engineer to put on their credit card to get rolling.
• Their docs were published on a wiki so any customer could edit or contribute.
• They fostered community among their influential users by speaking to the emerging DevOps culture in their own language. Their t-shirt slogans were written by their engineers rather than marketers: “Take the sh out of IT.” You could make fun of Splunk online and they would laugh with you. Splunk was fun, not stuffy.
• They were generous about license overages. They never turned off ingest (so you wouldn’t lose data) and I’m told salespeople had latitude to issue temporary upgrades.

As they evolved, Splunk continued to raise our expectations for logging:

• They horizontally scaled Splunk’s capacity rapidly, from a 10 GB/day first release in 2005 to 100 TB/day by 2012 - more than a decade ago!
• Rather than SQL, which feels awkward when dealing with streams of log events, they enabled structural queries based on search. It was like Googling your logs.
• A piped query language and virtual fields let users build complex queries without needing to become experts in nested query structures first.
• Splunk added dashboards & custom views based on searches — more like bookmarking a query than creating a configuration.
• Everything in Splunk is an app, including the default search UI. You can edit and extend it, or any other app, to meet your needs. There are thousands of Splunk app developers today.

Why we picked up the torch

My Axiom co-founders and I had been working at other companies where we relied heavily on log collection and analysis to get full visibility of our services. We simply couldn’t afford Splunk at the scale we needed. Their free edition, which they had made hard to find, didn’t support our volume of event data. We tried open-source Elastic, but it cost more to scale it to our demands than the cost to run our actual product!

It felt unreal that a fast-scaling, cloud-native service like one we had built was producing so much data so easily, yet there was no place to send that data which wouldn’t take up endless developer time or money, or sometimes both.

Couldn’t someone take logging to its obvious next stage, we wondered? Eventually, we realised that someone is us.

I won’t try to read the Splunkers’ minds, or claim they did anything that isn’t plainly visible. They’re not stupid — quite the opposite. But in serving their current clientele and honing their security positioning, they seem to have left some things behind that mattered to us: A heartily supported free version. Power-user features like keyclick combinations that let us fly through a session. Simple pricing with predictable billing.

Splunk also put off re-architecting to go fully cloud-native. Serverless computing and optimised block formats for event data could make it much more efficient. They haven’t taken advantage of structured data in ways we did from the start.

And really, Splunk’s pricing is out of sync with that of modern cloud-native products and services. We doubt Cisco will radically reduce it — they didn’t buy Splunk to give it away.

The future of logging — far more than o11y or security

Axiom today is where Splunk was in the 2000s - looking back we see the end of the evolution of the traditional logging architectures, and looking ahead we see all the possibilities of what could be with our own new technology. Our cloud-native serverless architecture is tuned for maximum compression of full-fidelity event data formats. Our free-forever edition is fully featured. Axiom is compatible with all popular collectors and agents. Our APL piped-query language was designed to be easy to learn on your own. You can view 100% of events (stop sampling!) with an infinite scrollback window. And with Axiom, you can afford to ingest and store 100% of those logs, traces and metrics for longer periods — our business model is built on no-surprises pricing that scales smoothly from dorm-room ambitions to global colossus.

We probably can’t match the wit of Splunk’s early t-shirts, however we have a lively community going on Discord that’s kicking some life back into event analytics. For anyone wondering what we’re working on for the near future: Integrated pipelines that keep Axiom from ever being a silo. Expanded handling of both structured and messy log formats. Rich parsing mechanics to meet legacy logs where they are. Apps that deliver rich, exploratory workflows. World-class documentation, education and evangelism. All on an extensible platform where we will support and reward creative developers.

Splunk was a brilliant leap forward for event data. Axiom was conceived and is being built as the next leap forward from there. To that end, we’ve brought on Splunk’s founding head of product, Christina Noren , as an advisor to Axiom. Christina believes Axiom is Splunk’s natural successor for logging. So do we.