

It has been almost a year and a half since Cisco Systems Inc. acquired Splunk Inc. At the time, investors were happy because it was a good financial move. Cisco spent $28 billion and would get back about $4 billion a year in revenue that was accretive to profit margins. Splunk revenue is primarily subscription-based, which would accelerate Cisco’s march toward this model.
However, the endgame for Cisco and Splunk was not just about the financials. At the time of the deal, I talked with Cisco leadership and the goal was to take the Splunk assets and use them to accelerate Cisco’s transformation to a platform company that could provide meaningful differentiation in the artificial intelligence era.
Historically, Cisco has had good products, but there was very little integration between them, so the value of “Cisco” was limited to brand and purchase order consolidation. In the AI era, infrastructure needs to be performant and resilient, which is one of the primary value propositions of the Cisco platform.
At the same time, Cisco data is being used to bolster the Splunk platform. Historically, Splunk has centered its data ingest around security and observability, but the inclusion of network telemetry will add a new dimension to Splunk’s products.
I went to Splunk’s user event, .conf, this past week to see how much progress Cisco had made in bringing the two companies together and was genuinely surprised at the payload of products announced that were co-developed between Cisco and Splunk.
Here are some of the more meaningful announcements that highlighted Cisco and Splunk and their “better together” story:
Perhaps the biggest announcement at .conf25 was the launch of the Cisco Data Fabric, a new architecture built on Splunk Enterprise and Cloud Platform. This will move organizations closer to minimizing the gaps in infrastructure, data and trust by making machine data easier and less costly to manage. Machine data is constantly generated by systems, networks, devices and apps, but it’s too messy and fragmented to use. During his keynote, Chief Product Officer Jeetu Patel shared a data point that over 55% of data generated will be machine data.
Though there are many general-purpose data fabrics, Cisco built this specifically to be a machine data solution with a focus on operational resilience use cases. Cisco Data Fabric is built around four main areas. The first is data at the edge, where information is captured and processed close to where it’s created. The second is data in the cloud, which connects workloads and analytics across public cloud platforms. The third is data in hybrid environments, which bridges on-premises and multicloud systems, so they can be managed as one. Finally, machine data management brings together logs, telemetry and other operational data in a more organized way to support AI apps.
Beyond unifying data, the new architecture introduces intelligent edge management, which filters and shapes data before it moves. This feature also includes federated search for organizations that want to query across systems such as Amazon S3, Snowflake and Microsoft Azure. In the future, Cisco plans to add a time-series foundation model to improve anomaly detection, forecasting and root-cause analysis. Cisco Data Fabric core capabilities are already available, with more features rolling out through 2026.
Also, Cisco AI Canvas will integrate with Splunk Cloud Platform to provide a collaborative, AI-driven workspace for security and information technology operations teams. Scheduled for availability in 2026 as part of the new Cisco Data Fabric, this integration will enable users to leverage AI agents and a unified interface to orchestrate analytical workflows and accelerate incident resolution. Acting as a “virtual war room,” the canvas will allow teams to co-investigate issues in real time by aggregating and correlating data from Splunk with other sources.
What I like most about AI Canvas is that it’s designed to allow engineers to continue to work in the tools they like, such as Meraki and Splunk, but then shift to AI Canvas when multidomain workflows are required. Eventually all Cisco management roads will lead to AI Canvas, but Cisco is taking a nondisruptive operational path.
Security has been and continues to be a major focal point for Splunk and Cisco. During his portion of the keynote, Mike Horn, senior vice president and general manager of Splunk security products, highlighted an AI-powered triage agent in development that automates the routine steps security teams normally follow when investigating an alert. Horn also pointed out Cisco’s recent SnapAttack acquisition, which strengthens the company’s detection management.
“We’ve got an agent that’s in development right now where we’re starting to get some early customer feedback,” said Horn. “It’s really about automating the investigation process. How can I take a customer set of standard investigation procedures, perform that automatically on their behalf, and apply AI reasoning during that process?”
These developments came into sharper focus at .conf25, with Cisco’s formal announcement of Splunk Enterprise Security Essentials Edition and Premier Edition. The two new offerings, within Splunk Enterprise Security 8.2, put agentic AI at the core of security operations. Premier is a comprehensive package that combines Enterprise Security with Security Orchestration, Automation, and Response (SOAR), User and Entity Behavior Analytics (UEBA) and Splunk’s AI Assistant. Essentials is a lighter package that includes Enterprise Security with the AI Assistant.
Cisco also introduced a broader set of AI security features that will roll out over time. One feature is a malware reversal agent that can break down malicious code. Another is an AI playbook authoring feature that translates natural language into automated workflows. These advancements are part of Cisco’s vision for an agentic security operations center that can handle routine tasks, so teams can focus on higher-level decisions.
“Our security offerings unify detection, investigation, and response into a single, intuitive workspace, eliminating tool fragmentation and significantly boosting efficiency,” said Horn. “Built-in AI can help cut alert noise and reduce investigation time from hours to minutes.”
Cisco is also bringing in deeper integrations from its wider security portfolio. One example is support for Isovalent’s extended Berkeley Packet Filter, or eBPF, runtime security. Isovalent, which is now part of Cisco, has a Linux kernel technology for running custom programs. Now, Splunk users will have a deeper understanding of what workloads are doing inside Linux environments, so they can pinpoint malicious activity as it happens.
Observability has been a core part of Splunk’s strategy for years, but now, it’s being repositioned in the AI era. Upcoming Splunk observability updates will include hybrid application monitoring, which gives organizations visibility into both on-premises and cloud services. Splunk is also introducing user journey analytics to show how performance issues affect end users.
On a grander scale, Cisco and Splunk are deepening their observability portfolio with agentic AI. New troubleshooting agents are launching in Splunk Observability Cloud and AppDynamics. They will use agentic AI to analyze incidents and identify potential root causes. Splunk is also adding new ways to observe AI systems themselves, including the performance, cost and security of large language models, AI agents and the infrastructure that supports them.
To tie it all together, Cisco is unifying Splunk Observability Cloud, Splunk AppDynamics and Cisco ThousandEyes to give teams a more complete view of applications and networks. This includes deeper insights into business processes, richer digital experience analytics, support for both hybrid and cloud-native apps, and more. For instance, a new AppDynamics agent based on OpenTelemetry will allow customers to send data to either AppDynamics or Splunk Observability Cloud, depending on their platform of choice.
With these features — some of which are available now and others rolling out over the next year — Splunk is positioning observability as more than a troubleshooting tool. The goal is to help organizations “put AI applications and agents to work,” while having full visibility and control, according to Patrick Lin, senior vice president and general manager of Splunk Observability.
Lin emphasized the importance of Splunk Observability Cloud and AppDynamics in a prebriefing. “When you think about the core constructs that people deal with in AppDynamics… really, it’s the concept of business transactions,” he said. “That’s the concept that we’ve brought into the Observability Cloud experience. Then we rounded out the other things that you need to understand application performance.”
Prior to Splunk, Cisco’s observability story was built around product silos, most notably ThousandEyes and AppDynamics. Splunk is the connective tissue that was missing to bring all Cisco observability data together and then find the insights in it to make the data actionable.
Given the hefty price tag Cisco paid for Splunk, it’s good to see the rapid integration that brings value to both sets of customers. One aspect of the integration I believe is important is that Cisco has let Splunk continue to be “Splunky.”
I chatted with many of the customers at the event and many were worried that Cisco would, as one engineer described, “corporate up” Splunk, but that hasn’t been the case. The Splunk community is what gives the company its strong position and Cisco has done a nice job of adding to the community instead of trying to change it.
We got a heavy dose of the combination of Cisco and Splunk at Cisco Live and now at .conf, and I’m expecting the same at the Cisco Partner Summit, the company’s annual reseller event, in November.
Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for SiliconANGLE.