September 28, 2015 - 8:26am EST by
2015 2016
Price: 57.21 EPS -1.81 0.13
Shares Out. (in M): 129 P/E 0 0
Market Cap (in $M): 7,350 P/FCF 59.50 68.94
Net Debt (in $M): 0 EBIT -216 20
TEV (in $M): 6,495 TEV/EBIT 0 330.48
Borrow Cost: General Collateral

Sign up for free guest access to view investment idea with a 45 days delay.

  • Technology
  • Application Software
  • data services
  • Management Change


Splunk (SPLK) is overvalued, with street estimates calling for a long tail of mid-20% growth. However, the business
is structurally limited in terms of its TAM due to (1) a high price point that is driving management discounting, (2) a
model that makes margin expansion difficult, and (3) limited growth due to an increasingly commoditized product,
limited opportunities in areas that they are presenting as TAM expansion opportunities, and a technological shift that
brings significantly cheaper alternatives.
Splunk (SPLK) is a software company that monitors, indexes, and analyzes machine-generated data, giving users a
convenient web-style interface to search and derive insight from log data for applications as diverse as network
security, IT Operations Management, Application Performance Management, and the emerging categories of
marketing and Internet-of-Things. SPLK was founded in 2003 and fulfilled a need to organize and make accessible
large amounts of data that previously had been left un-analyzed. Providing best-of-breed analytics, a rich ecosystem
of applications, and a usable and intuitive interface, SPLK enjoyed explosive growth and had a highly successful IPO
in 2012.
Indispensable and Expensive
Splunk fills a critical need in IT. With a large number of different appliances, Splunk allows IT professionals to collect
data from each of these different boxes and get a birds-eye view of what is happening. Using Splunk, customers can
collect log files, call detail records, website interaction data, and system configuration alerts and make sense of data
sets that were previously so large and so disorganized that they were unintelligible. The major use-cases that Splunk
has are (1) IT Operations, (2) Application Performance Management, and (3) Security. Splunk was a unique offering,
collecting this unstructured data, making it comprehensible to IT users, and allowing them to draw insights to prevent
IT malfunctions, security breaches, and to ensure optimal application performance. Knowing the value of their
offering, Splunk charged a premium for its product, charging on the basis of estimated peak amount of data (in GBs)
indexed per day rather than users, data sources, cores, volume of data flows, or any other metric. This resulted in
a pricing model that was expensive and unpredictable.
With data volumes growing 40-50% per year, this created expectations for explosive growth, as Splunk provides
software, run on-premise by a customer, and then charges the customer based on how much they use the software
on their own servers, even though the additional usage costs Splunk nothing. Wealthy customers, including large
retailers, service providers, financial service companies, and enterprises with large data centers have been willing to
pay this premium for a product that was head and shoulders ahead of alternative offerings, able to make sense of
critical data, and interface it so they could easily make use of it for IT, business, and security use cases.
Splunk enjoyed rapid growth of its customer base, growing from 900 customer in 2009 to 1400 customers in 2010 to
3700 customers in 2012 and 6400 customers during this most recent quarter. However, as it grew it size, Splunk
derived a greater and greater proportion of bookings from its existing customer base. From 37% in 2009 to 55% in
2010, 73% in 2012, and most recently, 70%.
Bearish Clouds Gather
However, Splunk’s high price point led for customers to attempt to curb their usage of the platform and to seek out
alternatives, most of which proved disappointing. Bears commonly cited the ELK Stack as a competitor, an open-
source alternative that could provide similar functionality. However, the immaturity of the solution made the
implementation cost-prohibitive, requiring strong developer talent, man-hours, and ultimately bringing ELK vendors
roughly $15m in revenue, a miniscule number relative to Splunk’s TTM revenues of $537m.
In addition, cloud-based competitor SumoLogic raised concerns, before the company underwent a management
change, hiring Ramin Sayar. However, as the experience of one major financial services company demonstrated,
SumoLogic lacked the functionality to replace Splunk in the enterprise. In this case, the Financial Services firm
approached SumoLogic about replacing Splunk, but, due to SumoLogic not having an on-premise solution and the
bank being unable to meet its compliance requirements while migrating critical data to the cloud. As a result, despite
multiple efforts to dislodge Splunk, the bank ultimately had to return to the platform, lacking any alternative.
Defying Gravity
Nevertheless, Splunk managed to consistently outperform despite these concerns in its customer base, shocking the
bears with consistent growth in the high 40s and low 50s. How did they do this? An interesting view on what allowed
Splunk to beat the odds becomes evident through a look at their breakout of their security revenue in 2H 2013 and
2H2015. In the back half of 2015, in order to take advantage of the security trade and the ballooning valuations of
security providers, Splunk broke out their security revenues as a percentage of total revenues. When compared to
2013 numbers, they revealed that the core business had been growing at a 35% CAGR while security had driven the
outperformance, growing at nearly at 80% CAGR.
Splunk’s success in security was due to their poaching the best talent for Security Information & Event Management
(SIEM) from the hottest company in the space, ArcSight. Founded in 2000, ArcSight had been acquired by Hewlett
Packard in 2010, and as employees began to leave once their options no longer gave them an incentive to stay, they
jumped to Splunk, the most prominent hire being Haiyan Song in February 2014, who headed product development
at ArcSight. Bringing on the premier engineering talent from ArcSight, Splunk was able to develop the premier SIEM
in the market, and drive explosive security growth.
The New Emerging Bear Case
(1) Discounting to Drive Growth
Splunk’s first indication of weakness came in Q4 2014, when, facing security revenues that were underperforming,
the company began discounting at both the high and low ends of their markets. At the high end, Splunk began
signing ELAs with enterprises, giving them a fixed cost to make their product’s pricing more palatable and
predictable. At the low end, Splunk offered cheaper rates for entry-level customers in their cloud product, hoping to
drive up their customer count as well as get users hooked on the platform. These discounts allowed them to drive
better growth in their non-security business than in their security business in Q4, with revenues ex-security growing
31% q/q and security revenues growing 21% q/q. The result was a successful Q4, with Splunk beating street
estimates by 7.5%.
In Q1, however, continued discounting combined with slowing security growth led to a more ambiguous Q1, with the
street spooked by low security revenues (1/3 of revenues versus 35-40% the two previous quarters), and revenues
and billings that failed to meet high street whispers. The result was driven by more discounting, which seemed to be
yielding less. However, management messaged the slowdown as tied to a shift towards ratable revenues. However,
much of this shift to ratable revenue was driven by a single large cloud transaction.
Management messaged investors in Q2 a far more aggressive version of discounting, including the ‘Unlimited EAA,’
which allowed customers to use as much capacity as they require at no additional cost. Pricing these contracts
based on the size of the customer, it allowed them to maintain their customers base and to continue to charge them
more, albeit less than before. Meanwhile, SPLK cleaned out its EMEA sales team.
Meanwhile, Q1 gross margins seemed strong, showing none of the typical signs one would see due to discounting.
The reason behind this was due to the nature of Splunk’s COGS. Splunk faced a hit to GMs from the increasing
move to their cloud business due to that business involving significant up-front investments. However, discounting
did not impact the on-premise GMs due to Splunk having very little cost in deploying an on-premise solution. The
customer simply runs Splunk’s software on their own servers and gets charged based on utilization.
However, management has noted that the impact of discounting will be seen in their operating margins. In Q2, strong
security revenues drove another beat, with security revenues growing 35% q/q while the core business grew 9% q/q.
Management guided operating margins flat y/y during the next FY, telling the street that there would be no margin
expansion over the next year due to investments to drive growth.
(2) Margin expansion unlikely
The guide-down of margins was the first indication in the numbers of the difficulties SPLK faces in maintaining growth
given their high price point. A series of further checks into the business further indicate the challenges they have
Splunk has a 50/50 Indirect/Direct sales mix, with the limiting factor to driving sales coming from sales engineers,
who are required to configure and customize the product to particular customer use cases. Due to the high price
point, the sale remains an evangelist sale, with only 1/20 of new business sourced from the channel, according to
reseller partners.

Meanwhile, the company is attempting to deal with slowing core sales by building out new vertical-specific products
similar to their SIEM in security, while acquiring security vulnerability management company Caspida. Increased
spending on sales, R&D, and acquisitions are their hope of reaccelerating growth and measuring up to the
expectations that they have messaged the street.
As a result, they have messaged the street that leverage will not be forthcoming in the next FY, as they concentrate
on growth, messaging a long tail of growth that will drive long term upside.
(3) Emerging unstructured data solution, moonshot TAM stories
However, when it comes to their ability to drive longer-term growth, Splunk is on the wrong side of history. Having
taken advantage of a red-hot security market and opportunistically picked up talent from ArcSight, they are quickly
going to have a hard time finding the kind of growth they have found previously in other verticals.
The reason is that, while SPLK was the only show in town in 2004 in their ability to collect, analyze, and present
unstructured data, and while they found a killer app in their SIEM, the fundamental technology they offer is available
from a number of options, and at a far more realistic price point.
Competitors such as SumoLogic, Loggly, and LogRhythm provide their own log analysis, event management, and
SIEM solutions, pricing competitively against Splunk in order to drive adoption. While open source providers such as
Elasticsearch, Logstash, and Kibana offer a significantly cheaper offering, the cost of developers are prohibitive
enough to keep Splunk as a compelling options. However, the most interesting open source challenges come from
Hadoop-based file systems, in-memory analytics stacks such as Spark and Cassandra. With a host of new company
such as Hortonworks and Cloudera in a punishing price war, new vendors such as Platfora, DataStax, and
DataBricks creating new stacks for customers to utilize structured and unstructured data sets simultaneously. While
Splunk retains an advantage in terms of integration and interface, checks with industry veterans indicate that it is just
a matter of time before the economics of the space change to make what Splunk offers largely commoditized.
Meanwhile, Splunk is likely to maintain a sticky customer base which has migrated their data onto its product, and will
move to convert this revenue, which is license and ELA based, onto a recurring revenue model, in order to ensure
their ability to continue to operate the business despite limited growth opportunities. The company has messaged
huge growth opportunities in marketing and Internet-of-Things, but both these markets are problematic. Marketing
and marketing automation is largely about data integration, and vendors such as Salesforce.com and even Oracle
have access to far more meaningful data sets in the enterprise to be able to provide an integrated product.
Meanwhile, conversations with Internet-of-Things startups indicate that HW providers are focused on maintaining full
control of the stack, including the data and analytics, in order to avoid IoT hardware from being commoditized in the
same manner as networking, storage, and server hardware. As a result, I question if these drivers for growth have
substance behind them rather than being simple and convenient buzzwords.
While the company is certainly not a zero, it likely should not trade at the absurd multiple it currently enjoys. If we
assume that Splunk is able to grow in line with street expectations, but begins to slow considerably in 2017 (growth to
20%), we can put a 4.5x multiple on those numbers to get a $42 stock, given that we would expect revenues to slow
considerably past that point.
- A string of security acquisitions allows Splunk to continue to cover up slowing core growth with accelerating
security revenues
-Splunk is able to find another killer app log management use case like SIEM to reaccelerate growth
- Splunk is acquired by IBM or ORCL, which we believe is unlikely given their embracing next generation file
systems and architectures such as Map Reduce, Spark, and Cassandra


I do not hold a position with the issuer such as employment, directorship, or consultancy.
I and/or others I advise do not hold a material investment in the issuer's securities.


- Continued guidance of flattish operating margins
- Continued discounting by the company
- Continued acquisitions to attempt to cross-sell the user base
- Share gains by Platfora, Flume, and other Hadoop, Spark, and Cassandra architectures
- Monetization of the ELK stack
- Share gains by SumoLogic, LogRhythm, and Loggly
    show   sort by    
      Back to top