Getty Images/iStockphoto

Splunk-Cribl lawsuit yields mixed result for both companies

Cribl did infringe on Splunk's copyright, a California jury found, but awarded damages of only $1. Both sides declared victory, and Splunk vowed to seek injunctive relief.

A judge and jury returned verdicts in the Splunk-Cribl lawsuit last week that represented both victory and defeat for each company.

Splunk filed the lawsuit against Cribl in 2022, alleging that the log management startup, founded by a former Splunk employee, had based its products on stolen Splunk IP. The suit initially sought injunctions against Cribl for patent and copyright infringement, unfair competition and interference with prospective business relations, but the patent complaints were dismissed in 2023. By the time the case went to trial this month, it centered around allegations of breach of contract and copyright infringement.

The jury's verdicts came in two phases. The first, on April 17, found that Cribl could not viably interoperate with Splunk's log management forwarders and indexers without reverse-engineering its Splunk to Splunk (S2S) protocol. It further found that this reverse-engineering fell under a transformative use of the code.

Based on these findings of fact by the jury, the judge in the case ruled that Cribl's "copying and uses of the Splunk Enterprise copyrighted software for the purpose of reverse engineering the uncopyrighted S2S protocol was fair use," according to a jury instructions document. The judge also found that Cribl's use of Splunk Enterprise software for testing and troubleshooting fell under fair use.

The combined judge and jury verdicts followed a precedent set by the Supreme Court in its 2021 ruling on Google LLC v. Oracle America Inc., in which a jury reached verdicts on the facts of the case of alleged copyright infringement, while a judge ruled on whether those findings fell under fair use.

In the second phase, delivered April 22, the jury found that Cribl had copied Splunk Enterprise for something other than fair use in violation of that copyright. It also found that Cribl had violated the Splunk General Terms contract, which prohibited anything other than use for "internal business purposes."

The judge's instructions and jury verdict forms did not detail what usage by Cribl violated copyright, but Cribl founder and CEO Clint Sharp said in an interview with TechTarget Editorial on Tuesday that it had to do with "instances of Splunk Enterprise in our marketing sandboxes."

Splunk wins … $1

Splunk sought damages of $155 million against Cribl for the ways it claimed Cribl's LogStream product, which reduced the amount of log data sent to Splunk's back end, cut into its revenues.

On this question, when asked in the first phase, "Would Splunk have earned more money had Cribl not copied and pasted Splunk Enterprise?" the jury foreperson hand wrote unknown on the jury verdict form. In the second phase, a handwritten response on the second verdict form awarded Splunk damages of just $1. The judge had instructed the jury to award that amount if it found Splunk had not proven that it should be awarded its damages claim.

A Splunk spokesperson did not respond to a request for comment, but the company published an official blog post saying it intends to seek further injunctions against Cribl based on the copyright infringement and breach of contract verdicts.

"We are pleased with the verdict that the jury reached, which recognizes Cribl's willful and unlawful actions," the post stated. "Cribl's actions … created a harmful situation for our customers and the software industry at large."

Meanwhile, Sharp also said he's satisfied with the verdict, and called it a win for interoperability in the observability market.

"Our product is to continue the way it always has," he said. "Reverse engineering for the purposes of interoperability is a very important thing for the industry."

However, a legal expert said the case is unlikely to set a strong precedent for further cases of copyright in tech, especially given that Splunk's patent infringement claims were dismissed.

"The judge's order dismissing the patent claims is almost more important than the … copyright verdict," said Brad Frazer, a partner at law firm Hawley Troxell in Boise, Idaho. "If the jury had found direct copyright infringement and awarded $10 million in damages, that might have sent a message not to try, even carefully, to copy another company's source code. But here, the jury says, in effect, 'Some kinds of copying are OK.'"

Splunk Cribl verdict screenshots
A jury awarded damages of $1 to Splunk for Cribl's infringement of its copyright, shown here in excerpts from the jury's verdict forms.
Splunk Cribl verdict screenshots

Verdict's final impacts remain unclear

The tech world is already significantly different now than when Splunk filed the suit, said Gregg Siegfried, an analyst at Gartner.

"Splunk is no longer an independent company, [and] Cisco may have a different view of the value of Splunk's IP," Siegfried said. "Things like OpenTelemetry end up being a much more important way to encapsulate telemetry as it moves from place to place, which may reduce the need to implement Splunk's line protocols."

The details of Cisco's observability integrations with Splunk following the close of its $28 billion acquisition of the company last month have yet to be determined. But Cisco has already standardized its Full-Stack Observability product line on OpenTelemetry. Cribl has changed as well, adding federated search and data lake products.

Still, there are plenty of legacy Splunk deployments that use its S2S-based log forwarders and indexers, which is where Cribl will continue to capitalize, Sharp said.

"The trend is toward more open data collectors," he said. "But I don't expect to see enterprises, which have been baking these agents into their images for years, suddenly replacing all of them."

This case has not been fully resolved, either, said Andi Mann, global CTO and founder of Sageable, a tech advisory and consulting firm in Boulder, Colo., who also served as chief technology advocate at Splunk from 2015 to 2021.

Here, Mann cited Splunk's vow to seek injunctive relief. Furthermore, while the judge indicated his decision on the S2S copyright claims in jury instructions, he has yet to issue an official order.

"As a layman, it seems like this was a procedural step, like they needed to award something so they could finalize the trial and send the jury home, but an actual final penalty is yet to be decided," Mann said.

One of the most important items from the ruling in this case is that it affirms the principle that interoperability is essential for technological advancement and reiterates the importance of fair use in innovation.
Morvareed SalehpourBusiness and technology lawyer, Salehpour Legal

It's unlikely an appeal would be heard on the verdicts, given the Supreme Court ruling in the Google vs. Oracle case, said Morvareed Salehpour, a business and technology lawyer at Los Angeles-based Salehpour Legal.

"One of the most important items from the ruling in this case is that it affirms the principle that interoperability is essential for technological advancement and reiterates the importance of fair use in innovation," she said. "It will be interesting to see how Splunk chooses to move forward."

In the court of public opinion, Splunk has not emerged victorious, Mann said. He disagreed with Splunk's blog statement that Cribl's actions harmed customers.

"From all the comments I am hearing from clients and in forums, customers are unhappy with Splunk, not Cribl," Mann said. "If anything, Splunk has inflicted damage on customers and the market by stalling or at least chilling the development of new and innovative technology, refusing to integrate a key vendor and technology that their customers rely on, and all in order to protect their high pricing, stall their competition and grab their share of wallets."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center