Why Splunk keeps beating open source competitors

Arguably the first widely used big data tool, Splunk provides the kind of end-to-end user experience open source solutions lack

All essential data infrastructure these days is open source. Or rather, nearly all -- Splunk, the log analysis tool, remains stubbornly, happily proprietary. Despite a sea of competitors, the best of them open source, Splunk continues to generate mountains of cash.

The question is why. Why does Splunk exist given that "no dominant platform-level software infrastructure has emerged in the last 10 years in closed-source, proprietary form," as Cloudera co-founder Mike Olson has said? True, Splunk was founded in 2003, 10 years before Olson's declaration, but the real answer for Splunk's continued relevance may come down to both product completeness and industry inertia.

Infrastructure vs. solution

To the question of why Splunk still exists in a world awash in open source alternatives, Rocana CEO Omer Trajman didn't mince words in an interview: "We could ask the same question of the other dinosaurs that have open source alternatives: BMC, CA, Tivoli, Dynatrace. These companies continue to sell billions of dollars a year in software license and maintenance despite perfectly good alternative open source solutions in the market."

The problem is that these "perfectly good open source solutions" aren't -- solutions, that is.

As Trajman went on to tell me, open source software tends to "come as a box of parts and not as a complete solution. Most of the dollars being spent on Splunk are from organizations that need a complete solution and don't have the time or the talent to build a do-it-yourself alternative."

Iguazio founder and CTO Yaron Haviv puts it this way: "Many [enterprises] also look for integrated/turn-key [solutions] vs DIY," with open source considered the ultimate do-it-yourself alternative.

Sure, the "path to filling gaps" between Elasticsearch and Splunk may be "obvious," Trajman continues, but "executing on it is less than trivial." Nor is this the hardest problem to overcome.

An industry filled with friction

That problem is inertia. As Trajman told me, "Every company that runs Splunk [13,000 according to their latest earnings report], was once not running Splunk. It's taken nearly 14 years for those massive IT ships to incorporate Splunk into their tool chest, and they still continue to run BMC, CA, Tivoli and Dynatrace." As such, "Even if the perfect out-of-the-box open source solution were to magically make its way onto every Splunk customer's desks, they would still use Splunk, at least for some transitionary period."

In other words, even if companies are embracing open source alternatives in droves, we're still going to see healthy Splunk adoption.

It doesn't hurt that Splunk, unlike its open source competitors, gets pulled into all sorts of jobs for which it offers a good enough, though not perfect, fit. According to Box engineer Jeff Weinstein, "misuse" is a primary driver of Splunk's continued adoption, by which he means enterprises pushing data into Splunk for jobs it may not be particularly well-suited to manage. Splunk is flexible enough, he points out, that you "can abuse Splunk syntax to do anything and it kind [of] works on long historical time scale back data." This means, Weinstein says, that "for many companies, [Splunk] is the ad hoc query system of last resort." Open source options may abound, he notes, but don't "give as much flexibility on query."

Moreover, Splunk is "trusted," Weinstein concludes, in an "old-school IBM style." That is, not everyone may love it but at least "no one hates it."

In short, while there are signs that open source alternatives like Elastic's ELK will continue to progress, it's unclear that any of these open offerings will seriously dent Splunk's proprietary approach. Splunk simply offers too much in a world that prizes flexibility over an open license. This may not be the case five years from now, but for now Splunk stands supreme in a market that has otherwise gone wholesale for open source.