Will Datadog beat Splunk in observability by 2027?
Curated by Kory White · Fractional CRO, CRO Syndicate
Direct Answer
Datadog already won the cloud-native observability category — Splunk's Cisco acquisition (closed March 2024 at ~$28B) bought time, not strategy. By 2027 Splunk is the legacy-SIEM + on-prem-log workhorse for regulated enterprises that already spent $50M+ on Splunk infrastructure they can't unwind.
Datadog wins everything that's been built since 2018: cloud-native applications, microservices, Kubernetes, multi-cloud, AI workloads. The question is no longer who wins observability — it's whether Splunk's legacy install base shrinks fast enough to matter. The four reasons Datadog already won + the one scenario where Cisco-Splunk could re-engage.
Where The Battle Stands In 2026
- Datadog FY26 revenue guide: $3.4-3.5B (~25% YoY), gross margin 81%+
- Splunk (now Cisco Splunk Business Group): ~$4B revenue at acquisition, growth post-merger reportedly low-single-digits per analyst commentary
- Gartner Magic Quadrant for APM 2025: Datadog Leader (top-right), Splunk Leader (mid-right), Dynatrace Leader, New Relic Visionary
- Cloud-native customer adoption: Datadog dominates net-new (estimated 70%+ of new logos), Splunk dominates renewals from pre-2020 customers
Why Datadog Already Won (4 Reasons)
- Reason 1: Cloud-native architecture from day one. Datadog was built post-AWS-EC2; Splunk was built for on-prem log indexing. Splunk's cloud version (Splunk Cloud Platform) feels like a port, not a rebuild. Buyers can tell.
- Reason 2: Unified data model. Datadog Logs + APM + Metrics + Traces + RUM + Synthetics + Security share a single backend. Splunk's modules (Enterprise, ITSI, Observability Cloud, Phantom, Mission Control) feel stitched together because they were acquired separately.
- Reason 3: Per-host pricing simplicity. Datadog's per-host APM pricing is predictable. Splunk's by-volume-of-data ingestion pricing punishes growth — every customer gets a quarterly sticker shock.
- Reason 4: Bits AI native integration. Datadog launched Bits AI on the unified data model — incident investigation works across Logs + APM + Traces seamlessly. Splunk AI is fragmented across the acquired-product set.
Why Splunk Stays Alive Through 2027 + Beyond
- Regulated-industry SIEM moat: financial services, federal, healthcare with compliance frameworks tied to Splunk Enterprise Security. Switching cost is years of detection rule-tuning.
- On-prem + air-gapped deployments: Splunk runs in environments Datadog doesn't (classified federal, OT/ICS, named utility-grid customers). Datadog is SaaS-only.
- Cisco bundling pressure: Cisco can bundle Splunk into Cisco Catalyst + Meraki + DNA Center deals. That's a real distribution wedge Datadog can't match.
- Splunk Observability Cloud (formerly SignalFx): still a credible APM challenger for shops already on Splunk Enterprise. Migration cost to Datadog is non-trivial.
👉 Quick Call with Kory White, Fractional CRO · See Kory on LinkedIn · CRO Syndicate
The 1 Scenario Where Cisco-Splunk Re-Engages
If Cisco actually invests $2-3B in re-platforming Splunk Cloud onto a unified data model + ships AI features that match Bits AI within 18 months, the bundling distribution wedge could compress Datadog's mid-market growth. Probability: low (~15%). Cisco's track record of integrating large SaaS acquisitions (AppDynamics, Webex) is mixed at best — usually they let the acquired product run as a portfolio asset and milk renewals.
What Datadog Should Watch In 2026-27
- Cisco-Splunk bundle wins at named accounts where Cisco infrastructure is already deployed (AT&T, Verizon, named federal)
- Splunk Cloud price-cut campaigns to defend renewals (signal that Cisco is treating Splunk as cash-cow, not growth bet)
- Microsoft Sentinel + Azure Monitor compressing the SIEM category from below — a bigger threat than Splunk by FY28
- Anthropic / OpenAI / Mistral choosing Datadog vs Splunk for their own internal observability (signal of category leadership in AI workloads)
A Markdown Table — By Use Case
| Use case | Datadog fit | Splunk fit | 2027 winner | Notes |
|---|---|---|---|---|
| Cloud-native APM | Excellent | Mediocre | Datadog | Game over, has been since 2022 |
| Kubernetes monitoring | Excellent | Weak | Datadog | Kubernetes-native instrumentation |
| Multi-cloud observability | Excellent | Adequate | Datadog | Splunk siloed by cloud |
| Legacy + on-prem logging | Adequate | Excellent | Splunk | Datadog SaaS-only limitation |
| Federal + air-gapped SIEM | None | Excellent | Splunk | FedRAMP High + classified deployments |
| Modern SIEM (Cloud SIEM) | Good | Excellent | Splunk (legacy) / Datadog (net-new) | Splits by deployment age |
| AI workload monitoring | Excellent (LLM Observability) | Mediocre | Datadog | Bits AI native; Splunk lags |
| Network observability | Adequate | Good (Cisco bundle) | Splunk | Cisco wedge wins here |
| OT / ICS / utility | None | Good | Splunk | Datadog doesn't compete |
| Customer-facing RUM | Excellent | Mediocre | Datadog | Datadog RUM more mature |
A Mermaid Decision Flow — Buyer Choice
Bottom Line
Datadog already won cloud-native observability — Splunk became a legacy-renewal business the day the Cisco deal closed. By 2027 the meaningful question isn't Datadog vs Splunk, it's Datadog vs Microsoft Sentinel + Azure Monitor at the SIEM compression front, and Datadog vs AI-native challengers (Honeycomb, Grafana, Helicone) at the developer-experience front.
Splunk is a footnote in the 2027 observability deck. (See also: q1669)
Tags
Datadog, splunk-comparison, observability, cloud-siem, bits-ai, cisco-splunk, gartner-mq-apm, gtm-strategy, federal-observability, llm-observability
FAQ
What did the Cisco-Splunk acquisition actually buy? Cisco closed its Splunk acquisition in March 2024 at roughly $28B, but the analysis argues that bought time, not strategy. Splunk had about $4B revenue at acquisition, with post-merger growth reportedly in the low-single-digits, leaving it the legacy-SIEM and on-prem-log workhorse for regulated enterprises that already sank $50M+ into Splunk infrastructure.
What are the four reasons Datadog already won? Cloud-native architecture from day one (Splunk's cloud version feels like a port, not a rebuild), a unified data model across Logs, APM, Metrics, Traces, RUM, Synthetics, and Security, predictable per-host pricing versus Splunk's by-volume ingestion that punishes growth, and Bits AI built natively on the unified data model while Splunk AI is fragmented across acquired products.
Why does Splunk stay alive through 2027 and beyond? A regulated-industry SIEM moat in financial services, federal, and healthcare tied to Splunk Enterprise Security, on-prem and air-gapped deployments (classified federal, OT/ICS, utility-grid) that SaaS-only Datadog can't serve, Cisco's ability to bundle Splunk into Catalyst, Meraki, and DNA Center deals, and Splunk Observability Cloud (formerly SignalFx) remaining a credible APM challenger for existing Splunk shops.
What is the one scenario where Cisco-Splunk re-engages? If Cisco invests $2-3B to re-platform Splunk Cloud onto a unified data model and ships AI features matching Bits AI within 18 months, the bundling wedge could compress Datadog's mid-market growth. Probability is rated low at about 15%, given Cisco's mixed track record integrating AppDynamics and Webex — usually it runs acquisitions as portfolio assets and milks renewals.
By 2027, who is Datadog's more important competitor? Not Splunk but Microsoft Sentinel plus Azure Monitor compressing the SIEM category from below — called a bigger threat by FY28 — and AI-native challengers like Honeycomb, Grafana, and Helicone on the developer-experience front.
The analysis concludes Splunk became a legacy-renewal business the day the Cisco deal closed.
Sources
- Https://investors.datadoghq.com/
- Https://www.cisco.com/c/en/us/about/corporate-strategy-office/acquisitions/splunk.html
- Https://www.gartner.com/en/documents/apm-magic-quadrant
- Https://www.datadoghq.com/product/bits-ai/
- Https://www.splunk.com/en_us/products/observability.html
- Https://www.bvp.com/atlas/state-of-the-cloud-2026
- Https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001561550
- Https://www.datadoghq.com/product/llm-observability/