Recently Matt Asay wrote a thoughtful piece about how some technology companies are consumerizing the computing experience. In the case of Apple, Business Week writer Peter Burrows has also recently wrote about The Mac in the Gray Flannel Suite exploring how CIOs are testing the appetite for Macs in the enterprise. Michele Goins CIO at Juniper Networks recently ran a test among the company’s 6,000 employees discovering that 25% wanted a Mac.

Consumerism of the enterprise computing experience is well underway with Apple, Google, SalesForce and even Cisco’s TelePresence and WebEx offerings. According to Matt, all of these products delight users with a positive user experience by focusing on adoption first and dollars second. “Simple, fast and useful,” is the key.

Could it be that the consumerization of IT is far behind? How many enterprise management vendors focus on adoption first and dollars second? Can you honestly say that any of your vendors put you and your users first? Do the words “simple, fast and useful” come to mind as you’re writing the check for your maintenance renewal every year?

We recently compiled the feedback from out Q1 customer survey. Each quarter we survey our customer base like most companies do. What’s perhaps different in our case is we focus intensely in our surveys on the user experience with our product. We ask about ease of use, administration, upgrade processes and documentation quality. What we continue to find is users and customers actually like using Splunk versus being compelled to use it by their organization.

Maybe we’re participating in the consumerization of IT. Perhaps we just like using the stuff we build. Regardless, we are constantly working to improve the Splunk user and administration experience. To us this is the #1 measurement of our and our customer’s satisfaction. You may already know we post our product roadmap on our website including where we’re focused for the next several months. If you have your own ideas send us your feature and improvement suggestions directly to Splunk support.

This week we were rolling in Las Vegas with Interop at one end of the strip and the Microsoft Management Summit at the other end. At Interop we launched the Splunk for Change Management app. And at MMS the Splunk for Windows Management app made it’s debut. Both apps make use of the Splunk Platform which provides a common set of services and APIs making it easy to create and integrate applications that leverage vast amounts of IT data. These are the second and third applications in a series of new releases we’ll be doing this year. Splunk for PCI was the first app launched last quarter.

Splunk for Change Management App

Splunk for Change Management takes advantage of the fact that we index not just logs but configurations and file system changes as well. It also leverages a little known (but I think soon to be much more popular) Splunk search command called diff. Diff lets you easily compare two search results and returns a single result that is the different between the two. You can compare values of specific fields of results as well as every line of multi line events and files. This makes it really easy to compare configurations across lots of locations. Splunk for Change Management leverages these capabilities and brings integrated change audit, change detection and change validation.

Now your can detect unauthorized changes by indexing your trouble tickets and ticketing system logs together with your service, device and application events and configurations. We use Jira internally and find indexing our Jira tickets enables us to immediately know if a change was authorized or not. No more jumping between redundant and siloed consoles searching for the answer or writing all kinds of complicated data transformation scripts to compare the output of different management systems.

And for the first time we introduce to the industry the concept of Change Validation. Today many of us have the ability to blast out patches to hundreds of servers and device automatically. But how do we know that the changes had the desired effect? By observing the state and events generated by the actual patched systems we can now compare the before and after actual behavior. Splunk brings change audit events and configuration data together with activity and error logs so you can connect change with actual system and user behavior.

The app includes:

• Out-of-the-box dashboards with over 40 reports showing changes across all datacenter components including applications, servers and network devices.
• Predefined alerts that detect unauthorized change on the basis of configuration variances and correlation with service desk systems.
• Predefined searches to help identify service-impacting changes quickly.
• Integration with service desk systems to close the loop on change management by validating the effect of change on system behavior.

Splunk for Windows Management App

This new app integrates Microsoft’s System Center Operations Manager’s command-and-control view of a Windows infrastructure with Splunk’s IT Search. The latest version of Splunk now indexes all IT data generated by Windows servers and applications — event logs, registry keys, performance metrics and application log files. Everything is searchable from a single place to resolve service-impacting incidents faster, enhance monitoring coverage, and validate service levels.

What’s really cool is Splunk searches can be launched through Tasks in the System Center Operations Manager Console on any aspect of the infrastructure being monitored, and can be expanded to include far-flung elements of the IT infrastructure for additional context – regardless of platform or technology. Its super fast to identify information across the Windows Event Log, the Windows

This week we’re at FOSE 2008 demonstrating how we’re collaborating with US Federal Agencies. A number of agencies have already joined the Splunk community including:

Many of these customers are applying Splunk to extreme applications with large data volumes from many different disparate sources. As you can imagine the complexity of security and compliance concerns, agency interactions and a sophisticated web of outsourcing to federal system integrators provides fertile ground for IT Search as a new way of solving all kinds of problems.

Typically our collaboration involves operations, security and compliance people from both the agency and system integrator sides. Agencies continue with their pursuit to cut costs and outsource while being driven with a host of new projects every year. And system integrators continue to search for new ways to bid more competitively by demonstrating new ways to more efficiently develop, deploy and manage technology. This means the business of managing our nations IT infrastructure is significantly more complex and dynamic than ever.

As an example, the current state of the world demands a serious risk management approach to Federal Government systems. All agencies have implemented some type of security in-depth strategy with firewalls, vulnerability and IDS scans. While these technologies are effective in their particular function they generate a tremendous amount of data making it impossible to get a holistic view. These extreme customer environments generate more data and are more dynamic that traditional system and security management approaches can handle. Traditional database and SEIM approaches just don’t scale.

Our own Bill Hornish, who attempted for decades to implement these traditional approaches at several large agencies has put together a really nice video explaining the challenges of risk management in Federal environments and how Splunk can help.

We’re learning a lot by working with these extreme customers and believe they can teach us a lot about what the rest of the Splunk community will eventually experience when applying IT Search to larger, more dynamic environments in the commercial sector as well.

Without a doubt the past week has been the most amazing week in Splunk history. The crazy coast to coast multi-city launch left us all exhausted and electrified. A few of the things that stick in my mind…

First Splunk 3.2 including Splunk for Windows went live on our download page last Saturday and more than 40% of our downloads in the past week have been for our new Windows version. Then Nick Selby of 451 Group wrote an analyst brief on us. He said, “Splunk is awesome: it’s multiplatform, easy to install and easy to use. And with an abstraction layer of logs, configuration files and system messages, traps and alerts, it’s seriously useful.” 451 has a reputation for ripping vendors, so we’re flattered.

Dana Gardner, analyst with Interarbor wrote a very eloquent analysis of our platform launch on ZD Net. “Splunk has created the means to offer developers easy access to that data and the powerful inferences gleaned from comprehensive IT search. That means the data can go places no log file has gone before,” says Dana. Developers are certainly doing some way cool things with Splunk.

I’ve seen a couple of neat visualization applications including this one called Replay. It shows you a live or time lapsed view of your event streams. Here you can see the replay application hooked up to our internal wiki showing who’s doing what over a 24 hour period. Click on the image for the movie.

As for our own applications, the Splunk for PCI app drew tremendous interest at our series of splunk> live! events this past week. It’s just one example of how a business person with domain knowledge can package their own Splunk configuration as an application. If you haven’t seen Raffy’s video on the PCI Application, check it out here.

We also showed the Splunk for Change Management application as well. Seeing someone touch a file and watching the Splunk dashboard update instantaneously is an awesome display of how flexible Splunk has become. Check out the developer program for yourself and get your goods up on SplunkBase so we can all check em out.

Recently, Johnvey Hwang wrote a post called Standing on Our Own Platform. He was the first one at Splunk to break the ice and use the “P” word. Now it’s out there. What do we see when we stand on our own platform? While only you and the future will tell us — there are a few things we hope to see on the horizon.

First, it’s our belief there’s a lot of money out there wasted on point products for managing networks, servers, applications … even security. A lot of these systems redundantly collect, transmit and store much of the same machine generated data. Think of the network, storage and administration resources duplicated on all this stuff. By providing a platform where the same IT data can be managed once, resources can be freed for other projects.

Second, none of these products work together. If you’re running a network manager to collect and look at SNMP and netflow data you know it doesn’t integrate with your log management system and of course neither talks to your SIEM, SOA, virtualization or application framework monitoring consoles. Building a dense index of data from all of these tools enables correlation across all your silos of instrumentation.

Third, and perhaps most important, isn’t it frustrating to spend so much time getting a new tool running only to discover, it doesn’t do what you need? Allowing, as Johnvey calls it the “intrepid” sysadmin or the creative developer to build on top of our IT Search engine means you can make Splunk do exactly what you want and share it with others if you so desire.

We’re not just jumping on the bandwagon here. Sure everyone seems to have a platform play. It feels like Web 3.0. Google has the mobile phone thing. Facebook, MySpace and Ning have social networking. Salesforce.com has AppExchange and force.com. For interesting reading on the phenomenon check out Marc Andreessen’s post from a few months ago on the topic.

Everyone here hopes to convince you that the thoughtfulness by which we’re going about this will yield much more than a bunch of hype. Ultimately the goal is to allow anyone to unleash their creativity to devise their own way to use Splunk.

Much more to come for sure. If you have thoughts or want to get involved — let us know anytime.

The US economy is heading into a recession and technology spending is in for a steep decline in 2008. So every major prognosticator and news outlet from the Wall Street Journal to the Financial Times would have us believe.

Are these people watching the same movie I am? There are two problems I have with this economic hyperbole. Yes that’s what it is. I guess it sells newspapers and gets people to watch things like CNBC. But boy is it misleading.

First of all, in macroeconomics, a recession is a decline in any country’s gross domestic product (GDP), or negative real economic growth, for two or more successive quarters of a year. Yet nobody that I’ve read is forecasting negative growth. They’re forecasting a potential slow down in growth from the current 3.5% per quarter to 1.5 to 2.5% per quarter. But the news outlets feel compelled to use the “R” word just to get attention. Totally irresponsible.

On to my second gripe. With regards to technology and IT spending, I believe, based on what I see, we are in beginning of a long-term gradual increase in IT spending within large enterprises that started eighteen to twenty four months ago.

Sure the current credit crisis may have a short-term impact on budgets within Financial Services companies, but I don’t see any slow down yet. The major consumer, commercial and investment banks we work with have so many critical, revenue generating IT projects in backlog I fail to see how spending is going to slow at all. The telecommunication sector is finally back on the mend after the post early 2000’s bubble and hangover.

Social media, online shopping and the always on dimension of the Internet have online services and large Internet sites like MySpace and Amazon accelerating software, hardware and services spending just to keep up. And security, privacy and compliance initiatives and mandates have companies, service providers and government agencies increasing spending on these items by some 20% or more in 2008 to try and limit their exposure and risk.

Just a month ago the Financial Times had a great piece entitled “What’s on CIO wishlists?” Here’s a quick summary.

1. Business alignment and strategy
2. Hiring and retaining the best staff
3. IT innovation/new methodologies
4. Security
5. Collaboration technologies
6. Controlling costs
7. Compliance and regulation
8. Virtualisation
9. Customer service
10. Mobility (Green issues came 11th)

Doesn’t look like a slow down to me.

I’ve written previously about our experience this year raising a $25M Series C round of venture financing. Venture Diaries: Part One discusses why you want to think before you act and investigate who to target as potential investor partners. Venture Diaries: Part Two looks at how to perform your investigation. In this third part, I look at how to handle the horse race that inevitably develops once you get a few term sheets.

For me it all started when the first term sheet came in. Funny how some VCs still use fax machines. I had to go figure out where ours was. In the current seller’s environment (yes that’s what you are, a seller of equity in your company) one thing to keep in mind is your first term sheet will just be a starting point. Expect that it will probably be lower (perhaps significantly lower) than where you want to end up. Also expect once the first term sheet comes in things will really start to heat up. Nobody wants to miss out on a good investment and VCs are just egotistical enough to really help your cause. However, you should realize each VC has their own style. Some will try to move first in hopes of stealing the deal from others. Others will try to wait till the end and trump any offer — figuring the last hand in has the best chance.

This is where the entrepreneur’s job gets difficult. You want to put everyone on notice that you have a term sheet. This way things really get moving and you can quickly figure out who is really interested and who is just playing along. But what process should you use? How do you maintain your integrity when everyone is asking you for information.

The analogy of selling a home comes to mind. Some sellers will run a sealed bid process. “All offers are due on Tuesday by 5pm and the top offer wins.” This tends to work better in real estate because you already have an asking price. Buyers know what minimum price you expect. In addition, most markets have an established bid/ask ratio where homes get sold (unless your in a rapidly declining or accelerating market which isn’t often the case).

When you’re selling equity in your company to venture capitalists the number one rule is don’t, under and circumstances signal an asking price.

You will get hammered by investors wanting to know what your expectation is for your company’s valuation. There is one and only one correct way to answer this question every time. “We believe we’ve made significant progress since the last round, but the market will price the deal.” This way you signal you’re expecting a nice increase over the last round price but you don’t set a ceiling on this round’s price. Trust me they will all ask you over and over and over again, but don’t give in!

Back to process. Sealed bidding doesn’t work. So what does? I call it the Road Runner strategy. Remember how the Road Runner used to always chase Wile E. Coyote to the edge of the cliff and then watch him fall off?

This is what you need to do with each of your potential investors. To maximize your terms and perhaps most importantly figure out what it will be like to work with each of the potential VCs you have to push them to the edge of their comfort zone. While sometimes uncomfortable the process will show you what your potential new board member and investor is really like. Chances are the way they handle a competitive negotiation is the same way they’ll handle themselves in difficult board meetings.

Start out by telegraphing the fact that you have a term sheet to the other investors looking at your company. Be careful not to disclose any of the terms, but tell them it is a competitive offer. If the terms are clean, telegraph that as well. In my case I found it helpful at this point to set a deadline a week or two out whereby everyone must wrap up their due diligence and get you a term sheet. It’s actually a good idea to have a soft deadline communicated in your first meeting with each investor. This way nobody is surprised when you reinforce the deadline. You’re deadline will be soft, but make it seem firm without being pushy.

This is the point where you need to be in constant communication with each interested investor. Return phone calls and emails within an hour. Make sure everyone knows you are available to get them any information they need.

Chances are the VCs will really start selling you at this point. Remember all those tricks Wile E. Coyote had? Most of them some type of Rube Goldberg device manufactured by Acme Corporation. Like the Coyote’s tricks, most of the VC’s points about why they’re the best are somewhat fictitious and sometimes totally outlandish. But none the less they’ll try. You’ll hear all sorts of stories about why you should take a lower offer and how each investor needs to own a certain portion of your company in order to dedicate the time to sitting on your board. Listen attentively, thank them all and then remind them of the deadline and ask them to make their best offer.

According the National Venture Capital Association (NVCA), there are 798 venture capital firms managing more than $235B in the United States. These are long-term, professional investors who specialize in funding and building new, innovative companies.

So how do you figure out who to approach for funding? This is the area where I find entrepreneurs make the biggest mistakes. Most of us approach investors we know. Perhaps you have a friend who knows a VC or you have a friend who is a VC. How do you know if your friend or the person you get introduced to is the right investor for you? Most likely they’re not. Not all VCs are alike. Some are geared for early stage and some are not. Some are suited for late stage investments while others just say they are.

You can’t always trust what an investor says their appetite is either. I’ve pitched to investors who say, “yeah we do Series A” only to be barraged by questions like, “how many paying customers do you have that we can talk to.” On the other hand, I’ve presented to wanna be later stage investors that were only prepared to pay an early stage price.

You need to do your own research. Venture capitalists are for the most part, creatures of habit. They don’t change investment philosophies much. Often within a firm it will take a generation before new blood arrives and can affect major change. In addition to the succession challenges, VCs are bound by the structure and economics of their business. Venture funds are seven to ten year financial vehicles. VCs raise the money for their funds based on an investment strategy which takes several years to play out.

I suggest doing your own primary research. Identify eight to ten prospects with a track record of backing entrepreneurs like you. Look for a history of focusing on your market and the stage your company is at and the type of involvement you want. Suspend your judgment during the your data gathering. Just get the data and avoid acting surprised or judgmental. Get specific data on the number of projects and stages of investment each firm has completed recently.

When we raised a Series C round earlier this year, I identified eight firms to approach based on their past investment history. Specifically, I was looking for firms and partners that had done a majority of their investments in late stage, infrastructure software companies over the past eighteen months. I wanted to focus on VCs who demonstrated a track record of paying a fair price to invest in revenue generating companies that need capital to accelerate growth. I gathered data on how many investments each VC made, how many of the investments were later stage and how many later stage investments they actually led versus just participated in. My goal was to focus on investors with the highest percentage of later stage deals led as a function of total investments made.

Of the VCs I researched the percentage of Series C or later deals led ranged from 15% to 95% of the total deals invested in during the prior 18 month period. Surprisingly the firm with the 15% invested in far more deals and far more later stage deals than anyone else. But the participation in later stage deals was mostly follow on investments in their existing portfolio. This was not the type of later stage investor I was looking for to lead our financing.

There were two VCs that approached us and pitched themselves as later stage investors. But the data just didn’t support their claims. The one had a 19% rating and the other a 17% rating. Despite showing great interest both of these investors dropped out of the financing process when we had several term sheets and commented, “the price is too high for us, we can’t dedicate our time to the project unless we can own more of the company.” At which point the leopard really showed his stripes.

The core set of later stage VCs I focused on had ratings ranging from 50% to 95% indicating they had led a significant number of later stage investments in the past 18 months. Every one of these investors delivered us a term sheet at a competitive price.

How do you find this information? The brute force way is to visit a number of firm’s websites and go through their portfolios. This takes a while but can yield the information you’re looking for if you put in the time. It is certainly a lot less time consuming (and less humiliating) than pitching investors that will never invest in your profile situation. There are a variety of venture capital databases that can make your research much faster and easier. If you have a friend that’s a VC they likely have access to one or more of these sources. If the answers about a particular firm are vague drill down and get the real story. If you can’t figure it out, move on. You’ve got 798 firms to choose from.

Last week I was in NYC for Interop 2007. Interop in NY is a significantly smaller conference than the big brother Interop in Vegas. I’d say there were 7,500 to 8,000 people at Interop NYC this year, compared to 18,500 in Vegas back in May. Somehow though I always find the New York show more interesting. Perhaps it’s the lack of constant firefighting in the NOC that gives us all more time to have meaningful conversations about the latest networking technologies. Plus somehow New York just seems to have more substance than Vegas. Call me crazy but…

This was also the first Interop where we had a chance to apply the magic of Splunk genre 3.0. We had a record number of searches in the NOC (despite the smaller show). I’m not surprised. 3.0 is so cool the way it automatically extracts fields out of data streams from all kinds of networking gear.

Now there are lots of people who know more about networking and security than I do, but here’s a simple investigation I did with Splunk.

1. I started with a simple search for “failed password.” This picks up firewall and router hacking attempts (typically ssh) sent to Splunk using syslog forwarding.

2. I was then able to quickly see the top “source IP”. Because the source IP field automatically gets extracted with each search I’m able to quickly click and see the list of top source IPs for the time frame in question. A single click and I’ve added the top offender to my search parameters.

3. Just a click away and I can geolocate this IP. With field actions in Splunk I can now drive workflow items right from the search results. Here I just need to click on the menu next to any IP address and I can geolocate the address with any number of free web based services. It was interesting to watch the hackers and bots travel around the world and with more time would have been fun to write a little Flash application to call the Splunk API and map things in real-time.

4. Reporting on top source_IPs every hour was easy. Like any IT guy without a bunch of time, I went for the low road. I just clicked report on all source_IPs from the field action menu and I got a nice looking flash report. It was really easy to save the report and run it on a schedule every hour. Now anyone on the NOC team alert list can get it right in their email or log into Splunk and check out the dashboard with a few other useful security searches.

You can split the same report series by user and see how a lot of these hacker bots try to use common software package and open source default configuration usernames and passwords.

If you want to check it out yourself, send me mail and I’ll let you know where you can access the server. It’s kinda fun to search on your own machine name and see all the times you were on the network at the show. You can drill down into each DHCP transaction and see all the events.

I’m not sure if it’s the start of a new quarter, the full moon or my two seven year old boys that have me thinking about this, but we seem to be blowing a lot of things up lately. A few examples…

1. We blew up our product development process
2. We blew up lots of our software
3. We blew up our business planning process

When I say we “blew ________ up” (enter your own thing here) I mean we decided to take another course of action, look in the other direction, put other people in charge or just plain start over from scratch. Combustibles are exciting for lots of reasons (especially to second graders) but as a new type of business tool?

I’ve written in previous posts about our move to an Agile product development process. This required us to literally discharge our old way of taking input from customers, scoping features, planning releases and testing. Of course it also meant we had to ignite our underlying work flow and tools supporting product development. It all made me a tad nervous : { For more than a month I couldn’t tell you what would appear in our next release or when the release might be available for download. If you use Splunk, you know that we live and die by our product road map and release schedule. During that month our engineering, qa and product management teams went through a metamorphoses. They moved from being top down, planning driven to bottom up, innovation driven. We had reached the point where we couldn’t plan or prioritize features. The old process of having a team set out a plan and working towards a release wasn’t working anymore. So we blew it up. Now we have a process where by parallel scrum teams work on various facets of the product and they do the planning, constantly. It’s interesting how nobody, but yet everybody is in charge. The initial results are just in. Splunk 3.1 will soon be available for download in a mere eight weeks after Splunk 3.0 was posted. And Splunk 3.2 will be released in beta eight weeks from now. That may not sound like much but when you look at the amount of innovation in each release, the speed with which we’re moving enhancement requests from the field into features and the improved quality of each release it appears remarkable from where I stand.

Detonating software is always dangerous. Will it ever come back together again? Were we right about the surface area becoming too large or the architecture verging on too complex? Stay tuned. We’re in the process of blowing up a lot of our software. For example, we’ve realized our past approach to administration just doesn’t scale. Early on we built a nice UI for editing lots of the configuration properties of a Splunk server. But over time our ability to quickly add features outstripped the surface area of the UI. So we’ve been making configuration parameters available in editable configuration files. Now that is all fine and good but it’s not very discoverable and it’s completely out of context with the task at hand when you’re using the product. Definitely a candidate for explosives. Sometime in the near future you’ll see the administrative side of Splunk blasted for a much more scalable, discoverable and in context design we call “search based administration.” This is one small example of how we’re constantly blowing up our software.

Recently we’ve also been lighting the fuse on our business planning process. It used to be we’d have a few days at the beginning of our quarter when each department in the company (sales, marketing, engineering, customer support etc) would get together and have their own planning process. As we’ve doubled in size since the beginning of the year our old way of planning wasn’t working. Despite our completely open work environment (we have no cubicles or offices) communication across groups had slowed to the point where it was causing a lack of effective planning. You guessed it. We blasted it. Started over. Asked everyone what would make for a better planning process. This quarter we started with a full day of conversations. Everyone was invited to run a one hour discussion forum on any topic they wanted. The only rule was you had to publish it a week a head of time and provide a brief description of the topic on our internal wiki. We had 15 discussion forums run by people all over the company. That was it. Our Q4 planning. A bunch of conversations. We’ll see how far it gets us ; )

BTW, I heard someone at Splunk say in response to blowing things up,

“perhaps companies that don’t blow things up often enough end up blowing up themselves.”

Certainly food for thought. I’m keeping my dynamite close by.