Splunk (SPLK) is overvalued, with street estimates calling for a long tail of mid-20% growth. However, the business
is structurally limited in terms of its TAM due to (1) a high price point that is driving management discounting, (2) a
model that makes margin expansion difficult, and (3) limited growth due to an increasingly commoditized product,
limited opportunities in areas that they are presenting as TAM expansion opportunities, and a technological shift that
brings significantly cheaper alternatives.
Splunk (SPLK) is a software company that monitors, indexes, and analyzes machine-generated data, giving users a
convenient web-style interface to search and derive insight from log data for applications as diverse as network
security, IT Operations Management, Application Performance Management, and the emerging categories of
marketing and Internet-of-Things. SPLK was founded in 2003 and fulfilled a need to organize and make accessible
large amounts of data that previously had been left un-analyzed. Providing best-of-breed analytics, a rich ecosystem
of applications, and a usable and intuitive interface, SPLK enjoyed explosive growth and had a highly successful IPO
Indispensable and Expensive
Splunk fills a critical need in IT. With a large number of different appliances, Splunk allows IT professionals to collect
data from each of these different boxes and get a birds-eye view of what is happening. Using Splunk, customers can
collect log files, call detail records, website interaction data, and system configuration alerts and make sense of data
sets that were previously so large and so disorganized that they were unintelligible. The major use-cases that Splunk
has are (1) IT Operations, (2) Application Performance Management, and (3) Security. Splunk was a unique offering,
collecting this unstructured data, making it comprehensible to IT users, and allowing them to draw insights to prevent
IT malfunctions, security breaches, and to ensure optimal application performance. Knowing the value of their
offering, Splunk charged a premium for its product, charging on the basis of estimated peak amount of data (in GBs)
indexed per day – rather than users, data sources, cores, volume of data flows, or any other metric. This resulted in
a pricing model that was expensive and unpredictable.
With data volumes growing 40-50% per year, this created expectations for explosive growth, as Splunk provides
software, run on-premise by a customer, and then charges the customer based on how much they use the software
on their own servers, even though the additional usage costs Splunk nothing. Wealthy customers, including large
retailers, service providers, financial service companies, and enterprises with large data centers have been willing to
pay this premium for a product that was head and shoulders ahead of alternative offerings, able to make sense of
critical data, and interface it so they could easily make use of it for IT, business, and security use cases.
Splunk enjoyed rapid growth of its customer base, growing from 900 customer in 2009 to 1400 customers in 2010 to
3700 customers in 2012 and 6400 customers during this most recent quarter. However, as it grew it size, Splunk
derived a greater and greater proportion of bookings from its existing customer base. From 37% in 2009 to 55% in
2010, 73% in 2012, and most recently, 70%.
Bearish Clouds Gather
However, Splunk’s high price point led for customers to attempt to curb their usage of the platform and to seek out
alternatives, most of which proved disappointing. Bears commonly cited the ELK Stack as a competitor, an open-
source alternative that could provide similar functionality. However, the immaturity of the solution made the
implementation cost-prohibitive, requiring strong developer talent, man-hours, and ultimately bringing ELK vendors
roughly $15m in revenue, a miniscule number relative to Splunk’s TTM revenues of $537m.
In addition, cloud-based competitor SumoLogic raised concerns, before the company underwent a management
change, hiring Ramin Sayar. However, as the experience of one major financial services company demonstrated,
SumoLogic lacked the functionality to replace Splunk in the enterprise. In this case, the Financial Services firm
approached SumoLogic about replacing Splunk, but, due to SumoLogic not having an on-premise solution and the
bank being unable to meet its compliance requirements while migrating critical data to the cloud. As a result, despite
multiple efforts to dislodge Splunk, the bank ultimately had to return to the platform, lacking any alternative.