DCT

3:22-cv-07611

Splunk Inc v. Cribl Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 3:22-cv-07611, N.D. Cal., 12/02/2022
  • Venue Allegations: Venue is alleged in the Northern District of California based on Defendants having a regular and established place of business in the district, being residents of California, and a substantial part of the events giving rise to the claims having occurred there.
  • Core Dispute: Plaintiff alleges that Defendant’s data observability products, developed by former Splunk employees, infringe five patents related to network data capture, transformation, parsing, and processing, in addition to claims of copyright infringement and trade secret misappropriation.
  • Technical Context: The technology at issue addresses the challenges of capturing, processing, and analyzing large volumes of machine-generated data ("big data") from distributed and cloud-based computing environments for IT operations and security analysis.
  • Key Procedural History: The complaint alleges that Defendant Cribl was founded by former senior Splunk employees who misappropriated Splunk's proprietary source code to build their competing products. It further alleges that Cribl was a member of Splunk's Technology Alliance Partner (TAP) program until Splunk terminated the agreement in November 2021, a fact which may be relevant to allegations of knowledge and willfulness.

Case Timeline

| Date | Event |
|---|---|
| 2014-04-15 | U.S. Patent No. 9,762,443 Priority Date |
| 2014-07-28 | U.S. Patent No. 9,208,206 Priority Date |
| 2015-04-29 | U.S. Patent No. 9,838,467 Priority Date |
| 2015-12-08 | U.S. Patent No. 9,208,206 Issue Date |
| 2016-10-31 | U.S. Patent No. 10,255,312 Priority Date |
| 2017-01-01 | Defendant Clint Sharp allegedly posts derivative of Splunk code online |
| 2017-05-01 | Defendant Cribl, Inc. incorporated |
| 2017-09-12 | U.S. Patent No. 9,762,443 Issue Date |
| 2017-12-05 | U.S. Patent No. 9,838,467 Issue Date |
| 2018-01-01 | Cribl joins Splunk's TAP Program |
| 2018-10-01 | Cribl releases its first software product, "LogStream" |
| 2019-04-09 | U.S. Patent No. 10,255,312 Issue Date |
| 2019-07-01 | U.S. Patent No. 10,805,438 Priority Date |
| 2020-10-13 | U.S. Patent No. 10,805,438 Issue Date |
| 2021-11-02 | Splunk terminates Cribl's membership in the TAP Program |
| 2022-11-09 | Cribl announces support for Splunk's S2S v4 protocol |
| 2022-12-02 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 9,762,443, “Transformation of Network Data at Remote Capture Agents,” issued September 12, 2017

The Invention Explained

  • Problem Addressed: The patent’s background describes the difficulty of deploying and configuring traditional physical network capture appliances in modern, virtualized, and cloud-based computing environments ('443 Patent, col. 1:42-50). It notes that conventional approaches are often "fixed" in their implementation and "cumbersome" for handling the large volumes of data in distributed systems (Compl. ¶97; '443 Patent, col. 1:26-41).
  • The Patented Solution: The invention proposes a system of software-based "remote capture agents" that can be deployed in distributed environments and are centrally configured by a "configuration server" over a network ('443 Patent, col. 2:15-23). These agents receive configuration information that enables them to capture network traffic, segment it into timestamped events, and perform data transformations locally before transmitting the processed event data ('443 Patent, col. 9:26-49).
  • Technical Importance: This approach provided a mechanism for streamlining network data capture in the increasingly prevalent cloud and virtualized IT landscapes, moving beyond the limitations of physical hardware appliances (Compl. ¶¶96-98).

Key Claims at a Glance

  • The complaint asserts at least Claim 1 (Compl. ¶120).
  • Independent Claim 1 is a computer-implemented method performed by a remote capture agent, comprising the essential elements of:
    • Obtaining configuration information from a configuration server over a network, where the information is usable to generate and transform timestamped event data.
    • Monitoring network traffic comprising a plurality of network packets.
    • Generating, based on the configuration information, timestamped event data from network packets, which includes segmenting a packet into events and associating each event with a timestamp.
    • Transforming the timestamped event data into transformed event data based on the same configuration information.

U.S. Patent No. 10,805,438, “Configuring the Protocol-Based Generation of Event Streams by Remote Capture Agents,” issued October 13, 2020

The Invention Explained

  • Problem Addressed: The patent addresses the challenge of managing and configuring network capture technology in distributed environments, where conventional products are often "built from scratch" for specific purposes and "preclude modification" to address changing needs ('438 Patent, col. 1:59-64).
  • The Patented Solution: The invention describes a method performed by a configuration server that facilitates the control of remote capture agents ('438 Patent, col. 2:20-23). The server receives input specifying a protocol and event attributes to be extracted, generates configuration data based on that input, and sends this data to the remote agent, thereby causing the agent to generate a specific event stream from monitored network traffic ('438 Patent, Abstract).
  • Technical Importance: This technology centralizes and simplifies the dynamic configuration of how remote agents should parse and process different network protocols, enhancing the adaptability of a distributed data capture system (Compl. ¶101).

Key Claims at a Glance

  • The complaint asserts at least Claim 1 (Compl. ¶148).
  • Independent Claim 1 is a computer-implemented method performed by a configuration server, comprising the essential elements of:
    • Receiving input that requests the creation of an event stream, where the input includes an indication of a protocol and a selection of an event attribute to be extracted.
    • Generating configuration data based on the received input.
    • Sending the configuration data to the remote capture agent, with the data causing the agent to generate the event stream according to that configuration.

Multi-Patent Capsule: U.S. Patent No. 9,208,206

  • Patent Identification: U.S. Patent No. 9,208,206, “Selecting Parsing Rules Based on Data Analysis,” issued December 8, 2015 (Compl. ¶102).
  • Technology Synopsis: The patent addresses the problem that improper or ineffective parsing rules for machine data can lead to "ineffective index data," which reduces the quality of search results ('206 Patent, col. 1:32-40). The solution is a method for previewing how a selected parsing rule will process a sample of raw data, displaying the resulting time-stamped events in a graphical user interface, and then, in response to user input, applying that validated rule to the larger data source (Compl. ¶¶104, 176).
  • Asserted Claims: At least Claim 1 (Compl. ¶175).
  • Accused Features: The "Data Preview" functionality within Cribl's Stream and Edge products, which allegedly enables users to sample incoming data, view it as events, and apply processing rules (Compl. ¶180).

Multi-Patent Capsule: U.S. Patent No. 9,838,467

  • Patent Identification: U.S. Patent No. 9,838,467, “Dynamically Instantiating Dual-Queue Systems,” issued December 5, 2017 (Compl. ¶105).
  • Technology Synopsis: The patent addresses performance issues in systems that handle high-velocity streams of live data, which can be "generated faster than they can be handled" ('467 Patent, col. 1:25-38, 8:47-59). The invention provides for a "dual-queue" system where, upon receiving live data for an entity, a dual-queue node is dynamically instantiated with a "live data queue" for immediate processing and a "stale data queue" to store a persistent backup, ensuring data is not dropped during periods of high traffic (Compl. ¶¶106-107, 205).
  • Asserted Claims: At least Claim 1 (Compl. ¶204).
  • Accused Features: The "Persistent Queues" feature in Cribl's Stream and Edge, which allegedly implements a dual-queue system comprising an in-memory queue for live data and a persistent, disk-based queue that acts as a backup (Compl. ¶¶213-214).

Multi-Patent Capsule: U.S. Patent No. 10,255,312

  • Patent Identification: U.S. Patent No. 10,255,312, “Time Stamp Creation for Event Data,” issued April 9, 2019 (Compl. ¶108).
  • Technology Synopsis: The patent addresses the complexity of indexing time series data that arrives from multiple sources asynchronously, out of order, and with an "almost unlimited number of formats" for timestamps ('312 Patent, col. 2:6-19). The solution is a method that segments raw data into events, detects if time information is present, extracts it, determines a time zone, and generates a normalized timestamp. If a timestamp is not present, the method calculates one based on previously processed events to ensure all events can be indexed chronologically ('312 Patent, Abstract; Compl. ¶¶111-112).
  • Asserted Claims: At least Claim 1 (Compl. ¶227).
  • Accused Features: The "Event Breakers" and "Auto Timestamp" functionalities in Cribl's software, which are alleged to segment data into events and detect, extract, or calculate timestamps for them (Compl. ¶¶234, 236).

III. The Accused Instrumentality

Product Identification

  • Defendant Cribl’s “Stream” and “Edge” software products (Compl. ¶120).

Functionality and Market Context

  • The accused products are deployed in a distributed architecture comprising three types of nodes: Leader Nodes, Worker Nodes, and Edge Nodes (Compl. ¶125). The complaint alleges that Leader Nodes function as central configuration servers that manage and send configuration information to Worker and Edge Nodes (Compl. ¶127). The Worker and Edge Nodes are alleged to function as remote agents that perform data capture and processing based on the configuration received from the Leader Node (Compl. ¶127). This architecture is shown in a Cribl marketing diagram, which depicts a Leader Node managing and communicating with multiple Worker Nodes that receive data from various sources (Compl. p. 33). The complaint asserts that Stream and Edge are "substantially similar and are identical in material aspects" with regard to the patented technologies (Compl. ¶128). These products are marketed to Splunk customers to, among other things, filter data before it is sent to a Splunk Enterprise instance (Compl. ¶¶45-46).

IV. Analysis of Infringement Allegations

'443 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A computer-implemented method performed by a remote capture agent coupled to a network, comprising: | Cribl's Worker and Edge Nodes allegedly perform the method and are described as remote agents coupled to a network (Compl. ¶¶123, 126). | ¶123 | col. 9:26-28 |
| [1a] obtaining configuration information from a configuration server over a network... | Worker and Edge Nodes are "fully managed by ... Leader Node[s]" and receive configuration information from them over the network before taking any actions on data (Compl. ¶130). | ¶130 | col. 9:32-35 |
| [1b] monitoring network traffic comprising a plurality of network packets; | Stream and Edge are alleged to monitor incoming network traffic delivered over packetized network communication protocols, such as TCP (Compl. ¶133). | ¶133 | col. 9:44-45 |
| [1c] generating, based on the configuration information, timestamped event data from at least one network packet...wherein generating the timestamped event data includes segmenting the at least one network packet into a plurality of events and associating each event...with a respective timestamp; | Stream and Edge use "Event Breakers" to parse incoming raw data into discrete events and associate a timestamp with the newly created events, based on configuration information (Compl. ¶¶131, 135). A Cribl screenshot shows a ruleset for breaking data from various sources into events (Compl. p. 37). | ¶135 | col. 9:46-52 |
| [1d] and transforming, based on the same configuration information, the timestamped event data into transformed event data... | Worker and Edge Nodes apply "Functions" to the timestamped event data based on configuration information received from the Leader Node, transforming the data contained within each event (Compl. ¶¶136-137). | ¶137 | col. 9:53-59 |

Identified Points of Contention:

  • Scope Questions: A central question may be whether Cribl's "Worker Node" and "Edge Node" architecture falls within the scope of the term "remote capture agent" as used in the patent. A similar question arises as to whether the "Leader Node" meets the definition of a "configuration server."
  • Technical Questions: Does the accused system's use of "Event Breakers" to create timestamped events and subsequent application of "Functions" constitute the distinct steps of "generating" and "transforming" as recited sequentially in the claim, or are these functionalities part of a single, integrated processing step?

'438 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A computer-implemented method performed by a configuration server coupled to a remote capture agent... | Cribl's Leader Node allegedly performs the method and functions as a configuration server coupled to Worker/Edge Nodes (remote capture agents) via a network (Compl. ¶¶152-153). | ¶152 | col. 10:41-44 |
| [1a] receiving input requesting creation of an event stream... the input including: [1b] an indication of a protocol... and [1c] a selection of an event attribute... | Leader Nodes are controlled via a user interface and API, and receive input that includes the protocol of the network traffic and selections of attributes to extract via features like "Event Breakers" (Compl. ¶¶155, 158, 160). An architectural diagram shows inputs being processed by the Leader Node (Compl. p. 43). | ¶155, ¶158, ¶160 | col. 10:45-56 |
| [1d] generating configuration data based on the input; and | Leader Nodes are described as centrally authoring and generating configuration information for the Worker and Edge nodes based on the input received from the user interface and API (Compl. ¶162). | ¶162 | col. 10:57-58 |
| [1e] sending the configuration data to the remote capture agent, the configuration data causing the remote capture agent to generate the event stream... | The Leader Node sends the generated configuration data to the Worker and Edge Nodes, which then begin generating event streams based on the instructions received in that data (Compl. ¶¶163-164). | ¶164 | col. 10:59-64 |

Identified Points of Contention:

  • Scope Questions: Does user interaction with Cribl's UI/API, which in turn directs the Leader Node, constitute the Leader Node itself "receiving input" as required by the claim? The infringement theory depends on the actions of the user being imputed to the server.
  • Technical Questions: What is the specific content of the "configuration data" sent from the Leader Node to the Worker Nodes, and does it contain sufficient instruction to "cause" the generation of the event stream in the manner claimed, or do the Worker Nodes operate with more autonomy than the claim allows?

V. Key Claim Terms for Construction

For the '443 Patent:

  • The Term: "remote capture agent"
  • Context and Importance: The entire method of the asserted independent claim is performed by this entity. The infringement analysis will depend on whether Cribl's "Worker Nodes" and "Edge Nodes" are properly characterized as "remote capture agents." Practitioners may focus on this term because the defendant's product architecture must map onto the claimed architecture for a finding of direct infringement.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the agents as being deployable in "distributed computing environments (such as cloud computing environments)" ('443 Patent, col. 2:15-17), suggesting a software-based, non-physical character that could encompass various distributed nodes.
    • Evidence for a Narrower Interpretation: The background section frames the problem in the context of replacing "physical network capture devices and infrastructure" ('443 Patent, col. 1:42-43). A defendant could argue this context suggests the "agent" must be a direct software replacement for a physical appliance, potentially to create a distinction.

For the '438 Patent:

  • The Term: "configuration server"
  • Context and Importance: This term defines the entity that performs the claimed method. Infringement requires Cribl's "Leader Node" to be construed as a "configuration server." The dispute will likely focus on whether the Leader Node's functions, as described in the complaint, align with the patent's definition.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent functionally describes the invention as providing "mechanisms for streamlining the deployment and configuration of network capture technology" ('438 Patent, col. 2:19-21), a role the complaint alleges the Leader Node performs by centrally authoring and deploying configurations (Compl. ¶164).
    • Evidence for a Narrower Interpretation: A defendant may argue that specific descriptions of the server's operations in the detailed description (e.g., how it processes GUI input or generates configuration files) create limitations that the accused Leader Node does not meet. For instance, the specification describes a GUI for obtaining configuration information ('438 Patent, FIG. 8), and any alleged differences in how Cribl's UI/API interacts with its Leader Node could be a point of dispute.

VI. Other Allegations

Indirect Infringement

  • The complaint alleges both induced and contributory infringement for all five patents-in-suit. Inducement is based on allegations that Cribl publishes instructions and promotional materials that encourage and direct its customers to use the Stream and Edge products in an infringing manner (e.g., Compl. ¶140, ¶167). Contributory infringement is based on allegations that the accused products are especially made to be used in an infringing way and have no substantial non-infringing uses (e.g., Compl. ¶141, ¶168).

Willful Infringement

  • Willfulness is alleged for all five patents. The complaint bases this on the assertion that Cribl's co-founders are former senior Splunk employees, several of whom were inventors on Splunk patents and were allegedly aware of Splunk’s patent portfolio and its patent marking webpage prior to the lawsuit (Compl. ¶¶89-93, 115-116). These allegations assert pre-suit knowledge of the patents and of the infringing nature of the accused activities.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of architectural equivalence: can the accused "Leader Node" and "Worker/Edge Node" system, as it actually operates, be mapped onto the "configuration server" and "remote capture agent" architecture recited in the claims? This will involve both claim construction and a detailed factual comparison of the systems' functionalities.
  • A second key question will be one of causation and control: for claims directed to the configuration server (as in the '438 Patent), does user interaction with Cribl's interface, which then instructs the Leader Node, satisfy the claim requirement that the server itself "receives input" and "generates configuration data"? This will test the legal boundaries of how user actions are attributed to a server's operation under patent law.
  • A dispositive factual question will be one of knowledge and intent. Given the extensive allegations regarding the defendants' history at Splunk and alleged awareness of its intellectual property, the willfulness claims are central to the dispute. The case will likely involve significant discovery into the defendants' state of mind and pre-suit knowledge of the specific asserted patents.