Will Shifts in Splunk Enterprise Pricing and SIEM Landscape Affect Customer Spend?

By Kristian Tuinzing

Director of Client Services, NPI

June 09, 2021

Interested in learning more about NPI’s services?

Contact Us

Last year, we saw many vendors experimenting with newer pricing models to meet shifting customer demands. At the same time, many enterprises are experiencing spikes in IT security-related incidents. The confluence of these factors (and others) have prompted a shift in the SIEM (security information and event management) landscape – ranging from changes to Splunk enterprise pricing to the emergence of new players and beyond. NPI is noticing certain behaviors among industry leaders in the market that rise above the noise. 

It’s important to point out just how white-hot the SIEM market is right now. We are starting to see competitors catch up to the leading market titans – a point I dig into further below – and the resultant shifts in vendor behavior are worth taking notice of. This is especially evident with CrowdStrike’s $390M+ acquisition of Humio, a vendor that only recently entered the enterprise scene. The market is likely in for even more changes and volatility in the short term.

Hard Shifts in Splunk Enterprise Pricing Models Inspire Similar Behavior from Competition

Many of the major players in this space like Splunk and New Relic had started offering new licensing alternatives to traditional per-GB capacity pricing in 2020. As NPI analyzes deals for our clients, we are seeing that Splunk has started making a more concentrated shift away from per GB price models. 

For example, Splunk’s newer vCPU (on-premise) and Splunk Virtual Core or SVC (cloud) have seemingly become the vendor’s default pricing standard. These new pricing metrics are likely to give more of an advantage to the vendor in the long run when compared to per-GB.  New Relic appears to be trying similar moves, but NPI hasn’t seen as much of a trend established outside the norm as compared to Splunk. 

When it comes to Splunk enterprise pricing, NPI recommends clients take a hard stance at staying on per GB metrics for the time being as vCPU/SVC metrics appear to be increasing client fee averages noticeably compared to traditional licensing.

Emergence of New Competitors

Both Splunk and New Relic have been dominant players in the SIEM category for years, but competitive dynamics are starting to reshape the market. Competition from vendors like LogRhythm, Datadog, and Dynatrace remains strong. Meanwhile, names like Humio (now acquired) and Devo that rarely came across our analysts’ desks in 2020 have become noticeably more frequent. 

These newer market entrants and their customer engagement tactics are causing a stir in the market. Humio’s standard of only offering unlimited capacity deals is a good example. Positioning credible competitive threats with established players like Splunk and New Relic is becoming increasingly important, although we recognize this may not always be feasible given the high switching costs involved. 

Continued Push to Cloud-native Solutions

Like most IT categories, cloud solutions remain a hot topic in this space, but scalability remains an issue to an extent. NPI knows Splunk recently invested in expanding its own cloud solution capabilities to be able to handle larger customer data pools, but its solution is still mostly limited to the 50TB to 100TB per day range. 

Splunk is more eager than ever to push large names to the cloud, and this can make sense for customers given how much hardware is required to run an ever-expanding on-premise footprint. NPI finds that converting over from any on-premise deals to Splunk or New Relic’s cloud solutions is an important sourcing event that sets pricing precedents far into the future, so it’s worth extra preparation. That includes ensuring pricing is at or below best-in-class targets, and performing license optimization to establish a baseline purchase that accurately aligns with usage requirements.

Use of Tools to Reduce Capacity Needs for Splunk, New Relic and Others

With data sizes continuing to grow (sometimes exponentially), more third-parties are beginning to offer tools specifically aimed at reducing total capacity needs for Splunk, New Relic and others in the field. We’ve seen some clients reduce GB/day capacity needs by 15 to 30 percent. These services are often an added path to savings in addition to securing rate reductions from vendors. 

The SIEM market is at an inflection point, which creates new opportunities and risks for enterprise customers. As NPI helps enterprises keep up with and respond to these challenges, one thing is clear – there is leverage to be had for the well-informed and well-prepared buyer.