From San Francisco, it's theCUBE. Covering RSA Conference 2019, brought to you by Forescout.
Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco, Moscone Center. They finally finished the remodel. We're excited to be in the Forescout booth. We've never been in the Forescout booth before. It's like that they invited us in, but we've got an old-time CUBE alumni and a special company in my heart was my very first CUBE event ever. It was Splunk .conf 2012.
I did not know that, Jeff.
Yeah, so we're glad. I'm gonna have Doug Merritt, he's the CEO of Splunk. Doug, great to see you.
Thanks, Jeff, good to see you again also.
Yeah, so we've been doing Splunk .conf since 2012 at the Cosmo Hotel, and it was pouring rain after that week.
That was the third year. Probably the third year? Second year, yeah, a long time ago.
So it's grown, 2012 wasn't that big, but this is a crazy show. So just, and you've been here for a while, security's such an important part of the Splunk value proposition. Just general impressions of RSA as you've been here for a couple of days.
Yeah, I'd say it's amazing to see how the show's grown over the years. Security's gone from this kind of backwater thing that a few weird people did in the corner to that only understood the cyber landscape to something that boards care about now. And that obviously has helped with this show with having to know what the attendee numbers are like, but tens of thousands of people, and you can't walk down a hallway without bumping into 10 brand new companies that were launched in the past year in the security space. And they had the biggest challenge that people, that I have, and I think other people have is, how do you tell different companies, what is, where's the wheat from the chaff? What is really important in security and how do you tell different companies and different trends apart so you can actually focus on what matters?
Right, I just feel for the CISOs, right? I mean, you guys have a big ecosystem at .conf, but those are all kind of complementary things around the core Splunk solution. This is, you've got co-opetition, competition, how does somebody navigate so many options? Because at the end of the day, you don't have unlimited resources, you don't have unlimited people to try to figure all these pieces of the puzzle out.
Yeah, and CISOs have got a really tough job. Their average CISO's got well over 100 different vendors you're dealing with, and with Splunk, what we are very focused on and where I think we had value is that we become, if we're done right, we become the abstraction layer that creates a brain and nervous system that allows all those different products and all of them have got unique capabilities. When you think about the complexity of all the networking, all the compute, all the storage, all the endpoint landscapes, that's only getting worse with the cloud because now there's more services with more varieties across more cloud vendors. How do you get visibility on that?
Right, right.
And you need products at those different junctures because protect and prevent and defend is still an important function for CISOs, but when we know that you can't prevent everything, and things will go wrong, how do you know that that is actually occurring? And what the Splunk value prop is, we don't have as much of a point of view on any one product, we aggregate data from all the products, which is why so many people are partners, and then help companies with both raw investigations, given that something goes wrong with our schema-less data structure, but then also with effective monitoring and analytics that's correlating data across those tens, hundreds, or thousands of different technologies so you can get a better feel for what are the patterns that make sense to pay attention to.
Like, you just gave me like 10 questions to ask just in that answer, you covered it all, because the other thing, there's also IoT now, and OT and all these connected devices, so the endpoints, the surface area, the throughput is only going up by orders of magnitude.
It's crazy. That's, I saw some stats there today that globally at this point, I may get these off by one digit, but let's say there's 80,000 servers that are the backbone of the entire internet, there's already over 11 billion connected devices going back to that IoT theme, so the ramifications of the edge and what that means are so profound, and companies like Forescout as a key partner of Splunk's help make sure that you're aware of what are all the different elements that are ever hitting my network in any way, and what they look like, and what should I be doing as different things pop on and pop off, and again, we're trying to be the interpretation and brain layer for that so that they are more and more intelligent in the actions they're taking given their depth of domain, their deep knowledge of what a camera should look like or what a Windows PC should look like or what a firewall should look like given the configurations that are important to that company.
Before we turn on the cameras, you made an interesting comment. We used to talk about a schema on read versus schema on write. That was the big data theme, and you guys are sitting on a huge data flow, but you had a really different take because you never really know, even a schema on read assumes you know what the schema is, but in today's changing environment, you're not really sure what it is you're going to be looking for next, right, and that can evolve and change over time. So you guys have kind of modified that approach a little bit.
Yeah, I think we are, this year you'll see us really re-emphasizing that core of Splunk, that the reason you'd have an investigative lake, and I don't think most people know what a schema, the schema is, period, much less read or write, so my new terminology is hey, you need a very thorough investigative lake. Going back to the discussion we're having with so much surface area, so many network devices, so many servers, so many endpoints, what tool do you have that's reading in data from all of those, and they all are going to have crazy formats. The logs around those are not manageable. To say you can manage logs and centralized logs I get manages that those words don't work together. Logs are chaotic, by nature, you're not going to manage them. You're not going to force every developer and every device to adhere to a certain data structure so it can neatly fit into your structured database. It's too chaotic, but more importantly, even if you could, you're going to miss a point, which is once you structure data, you are limited with the types of questions you can ask, which means you had to visualize what the questions are going to be in the first place. In this chaotic environment, you don't know what the questions are going to be. The dynamics are changing way too quickly, so the investigative lake is truly our index is non-schematized in any way so you can ask a million questions once versus a schematized data store where it is, I ask one question a million times. And that's super efficient for that, but the uniqueness of Splunk is the investigative lake is the fabric of what we do. And where I think our customers almost have forgotten about Splunk is read all that data in. I know we've got a volume-based licensing model that we're working on, customers. We're working to solve that for you.
That's not the, I'm not trying to get data in so we can charge more, I'm trying to get data in so that everybody has got the capacity to investigate because we cannot fail in answering what, why, when, where, how. That stuff will go wrong. If you can't answer that, man, you're in big trouble. And then on top of that, let's make sure you got the right monitoring capability, the right predictive analytics capability. And now with tools like Phantom, and we bought a company called VictorOps, which is a beautiful collaboration tool. Let's make sure you've got the right automation and action frameworks so that you can actually leverage people's skills across the investigative monitoring and analytical data stores that Splunk, we help with all four of those.
Right, right. Again, you touch on a lot of good stuff. We could go for hours, but we don't have you all day. But I want to follow up on a couple of things because one of the things that we hear over and over and over is the time to even know that you've been breached, right? The time to even know that you have a problem. And again, by having all that data there, you can now start adjusting your questions based on the way you now know. But I think what's even more kind of intriguing to me is as nation-states have become more active as we've seen the politicalization of a lot of things, you know, what is valuable today is a much varied, much more varied answer than just, you know, tapping into a bank account or trying to steal credit card numbers. So it really supports kind of this notion that you're saying, which you don't have a clue what the question is that you're going to need to ask tomorrow. So how do you make sure you're in a position when you find out what the question is that you can ask it?
And that's the design architecture I like about Splunk as a company, is that our orientation is if you're dealing with a world of chaos, allow that chaos to exist and then find the needles and the haystack, the meaning from that chaos. And when you find the meaning, now you know that a monitor is worthwhile because you've validated root cause and that exists. And when your monitor's kicked a few times and you know it's legit, build a predictive routine because you now know that it's worth trying to predict because you've seen this in trip a number of times, which inverts the way that most people, that all of us were taught, which is start with the end in mind because garbage in equals garbage out. So be really thoughtful in what you want and then you can structure everything. It's like, well, that's not the way the world works. What if the question we asked 15 years ago was what if you couldn't start with the end in mind? What would you have to do? Well, you'd have to have a schema-less storage vehicle and a language that allows you to ask any question you want and get structure on the question. But then you still need a structure. So you're going to structure one way or the other. How do you make sure that you've got high quality structure in our dynamic landscape that's always going to change? So you can have a...
Well, the good news is 2020 next year so we'll all know everything. We'll have the hindsight. The last thing before I let you go is really to talk about automation and just the quantity and volume and throughput of these systems again. One, escalating just because it's always escalating, but two, now adding this whole connected devices and IoT and this whole world of operational technology devices. You just, you can't buy your way out of it. You can't hire your way out of it. You have to have an increasing level of automation. So how are you kind of seeing that future evolve over the next couple of years?
I've been meeting with a lot of customers obviously this week and one of them said, the interesting part about where we are now is you can't unsee what you've seen. And where we were five years ago, as most people in security and IT which are natively digitized, they still didn't know how to wrap their arms around the data. So they just didn't see. They're like the ostrich. Now with tools like Splunk, they can actually see the data. So, but now what do I do with it? When I've got a billion potential events per day, how do I deal with that? And even if I could man have fine enough manpower, the skills are going to be changing on such a constant basis. So I think this security orchestration automation response SOAR area. And we were fortunate enough to form a great relationship with Phantom a couple of years ago and add them to the Splunk fold exactly a year ago as I think the best of the sort of vendors. But it's a brand new category because companies have not yet had that unseeing moment of, holy cow, what do I do? How do I even deal with this amount of information? And adding in automation, intelligent automation, dynamic automation with the right orchestration layer is an absolute imperative for these shops going forward. And when I look at the combination of Phantom and their competitors, there's still less than a thousand companies in a sea of a million plus corporate entities globally that have licensed these products. So we're at the very beginning of this portion of the wave, but there's no way that companies will be able to be successful without beginning to understand what that means and wrapping their minds around how to use it. And what we're so excited about with Splunk is traversing, investigate, monitor, analyze and automate up and down continuously. We think is a key to getting the best value from this really, really diverse and chaotic landscape.
And having Phantom as part of the fold helps a lot because you can get signal on, did I do the right automation? Did it actually achieve the goal that my brain told me to do or not? And if not, what do I adjust in the brain? Do I go after different data? Do I structure data in a different way? But that up and down the chain of check and balance, am I doing the right stuff is something that-
And do it continuously, right?
And do it continuously.
So we're sitting in the Forescout booth to talk about how Forescout plays. I mean, you guys have been sitting on those log data, you've been sitting on really fundamental core data. They're really kind of an opening up, a whole different set of data. So how is that kind of working out?
Yeah, so really, I'm really thankful for the relationship. Mostly because they're a great company and I love their CEO, but most of you go customer back. It's a very important relationship, which is the proliferation of devices, of elements, continues to grow. And most companies aren't even aware of the number of devices that exist in their sphere, much less how they should look and then what vulnerabilities might exist because of changes in those devices. So the information flow of here's what is in the ecosphere of a customer into Splunk is really helpful. And then the correlation that Splunk drives so that Forescout gets even more intelligent on what corrective actions or what type of actions period do I take across as CEO devices is a really important and beneficial relationship for our customers.
Excellent, so I'll give you the last word, little plug for us, Splunk .conf coming up in October.
Yeah, I'm really excited about Conf. I'm excited to have you guys here again. We've been on a really intense innovation march in the past few years. This last Conf, we introduced 20 products at Conf which was a record. We're trying to keep the same pace for Conf 2019.
And I hope that everyone gets a chance to come because we're going to both be moving forward with those products that we talked about but I think really surprising people with some of the directions that we're taking, the investigate, monitor, analyze, and act capabilities both as a platform and for security IT and or other key buying centers.
All right, well we'll see you there, Doug. Thanks for stopping by. Great seeing you. He's Doug, I'm Jeff. You're watching theCUBE. We're in the Forescout booth at RSA Conference 2019. Thanks for watching. We'll see you next time. Thank you.