By Stig Andersen | 1,054 words | Read time: 6 minutes
Boston is buzzing this week with thousands of Splunk enthusiasts gathering under one roof for .conf25. We are soaking it all in – from the conversations in the hallways to the packed keynote sessions, the atmosphere is uniquely Splunk – and with this post we will try our best to relay the main points from the first two days of this year’s .conf.
Day 1: Boston energy and a vision for the AI era
The highlight of day 1 was undoubtedly the keynote from Jeetu Patel. His message was clear: Splunk is no longer just a log management solution. It’s positioning itself as the Machine Data Fabric of the AI era. This is a strategic and forward-looking statement that reframes Splunk’s role from a tool for searching and analyzing data to a foundational infrastructure that fuels modern, operational AI.
The core of his message was a new three-pillar model for building Agentic Operational AI.
Pillar 1: Data integration and federation
The first pillar is all about breaking down data silos to create a unified data fabric. The key announcement was the new Splunk Federated Search for Snowflake.
This integration allows users to directly query data residing in Snowflake’s data cloud from the Splunk interface.
This is a significant technical leap because it allows operations, security, and IT teams to correlate their high-velocity machine data from Splunk with valuable business and customer data in Snowflake – all without having to move the data.
This creates a much richer context for analysis, enabling teams to tie operational issues directly to business outcomes. The move signals a commitment to an open data ecosystem, allowing Splunk to act as the single pane of glass for both operational and business insights.
Pillar 2: The operational LLM
The second pillar focuses on building a new type of large language model (LLM) specifically for business operations.
Unlike generic, consumer-facing LLMs, Splunk is developing an Operational LLM that is trained on a massive, anonymized corpus of machine data.
This model is designed to understand the unique language of IT, security, and business operations – from logs and metrics to traces and alerts. This operational LLM will be embedded directly into the Splunk platform, enabling it to perform tasks like:
- Natural language to SPL (Search Processing Language): Automatically generating complex Splunk search queries from plain English descriptions.
- Root cause analysis: Synthesizing data from multiple sources to suggest the most likely cause of an outage or security incident.
- Predictive insights: Anticipating system failures or security threats before they occur by identifying subtle patterns that human analysts might miss.
This pillar is about creating a specialized, in-platform AI that understands the operational context of an organization’s data.
Pillar 3: Agentic AI augmenter
The final pillar introduces the concept of Agentic AI augmenters to supercharge human operators.
The most notable technical feature here is the new AI Canvas, a collaborative workspace where humans and AI agents work together.
The AI Canvas provides a virtual ‘war room’ experience where an AI agent can act as a tireless assistant, automating the most tedious parts of an investigation.
For example, an AI agent could:
- Automatically gather all relevant logs and metrics from disparate sources.
- Generate summaries of incident data for a fast, high-level overview.
- Suggest potential next steps for an investigation based on best practices.
This isn’t about replacing humans; it’s about giving them an AI-powered co-pilot that handles the grunt work, freeing up skilled personnel to focus on complex problem-solving and strategic decision-making.
The Agentic AI augments human expertise, making teams more efficient and resilient in the face of increasingly complex digital environments.
Day 2: Innovation in action
Day 2 shifted gears into a high-energy, deep-dive into the technical future of the platform. The morning’s Product Keynote didn’t just showcase features – it revealed the engineering muscle behind Splunk’s vision.
In a rapid-fire session of innovation, we saw how the core platform is evolving to meet the demands of an AI-driven world.
A standout of the day was the new Ingest Processor, a major evolution of the Edge Processor. It gives administrators unprecedented control over data streams at the source.
This allows for real-time data transformations, filtering, and routing before the data even hits the index – a massive win for efficiency and cost control.
We also got a closer look at the new AI Assistant in Enterprise Security, designed to transform SOC operations.
From summarizing security alerts in natural language to generating SPL queries from plain English and automating incident reports, this promises to bring significant speed and clarity to security teams.
Hands-on learning and deep dives
The true impact of these revelations became clear during the day’s product deep dives.
Our team moved between sessions and workshops, going hands-on with the features we had just seen unveiled.
We went from sessions on Observability, where we saw how the new platform capabilities would streamline troubleshooting across hybrid and multi-cloud environments, to practical workshops on SOC operations.
In practical sessions, we worked through scenarios for Splunk Enterprise 10 upgrades, dissecting the architectural shifts that make the new version more performant and scalable.
AI in practice
And of course, AI was a thread running through everything. We got a closer look at the AI integrations, learning how the new operational LLM and AI Canvas can be applied in practice to build more resilient, automated workflows for customers.
The day was a whirlwind of technical exchange and learning, from deep-level architectural discussions to hands-on exercises. It was a powerful reminder of the platform’s incredible depth and the relentless pace of innovation.
Connecting with peers
As the sun set on day 2, a day packed with technical insights, the focus turned to connections. The evening closed with an exclusive EMEA reception, where we had the chance to meet Splunk leadership and partners from across the region.
Conversations ranged from strategy to shared challenges, building relationships that will drive success in the coming year and reinforcing the collaborative spirit that makes .conf such a unique gathering.
The energy remains high, and the roadmap ahead is becoming clearer. Day 3 promises leadership forums and another round of sessions: the perfect opportunity to cement strategies and turn vision into action.
If you’d like to talk about how these innovations can be applied in your organization, reach out to Stig Andersen, our CPO, at stiga@trifork.security.