DCT
1:22-cv-01313
Splunk Inc v. Cribl Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Splunk Inc. (Delaware)
  - Defendant: Cribl, Inc. (Delaware) and Clint Sharp (an individual)
  - Plaintiff’s Counsel: FISH & RICHARDSON P.C.
- Case Identification: 1:22-cv-01313, D. Del., 10/05/2022
- Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant Cribl does business in and resides in the district.
- Core Dispute: Plaintiff alleges that Defendant’s data processing software infringes five patents related to distributed data capture, data parsing, timestamping, and dual-queue data handling systems.
- Technical Context: The technology operates in the "big data" observability and analytics sector, which involves ingesting, processing, and analyzing massive volumes of machine-generated data in real time for operational intelligence and security.
- Key Procedural History: The complaint alleges that Defendant Cribl was founded by former Splunk employees, including Defendant Clint Sharp, who allegedly misappropriated Splunk's proprietary source code to build Cribl's initial product. The complaint also notes that Cribl was a member of Splunk’s Technology Alliance Partner ("TAP") program, a relationship that provided a limited license to use Splunk software, which Splunk terminated on November 2, 2021.
Case Timeline
| Date | Event | 
|---|---|
| 2003-01-01 | Splunk founded | 
| 2006-10-05 | Earliest Priority Date for ’312 Patent | 
| 2012-08-17 | Earliest Priority Date for ’206 Patent | 
| 2014-03-17 | Earliest Priority Date for ’467 Patent | 
| 2014-04-15 | Earliest Priority Date for ’443 Patent | 
| 2014-10-30 | Earliest Priority Date for ’438 Patent | 
| 2015-12-08 | ’206 Patent Issued | 
| 2017-03-24 | Defendant Clint Sharp resigns from Splunk | 
| 2017-05-01 | Cribl incorporated | 
| 2017-09-12 | ’443 Patent Issued | 
| 2017-12-05 | ’467 Patent Issued | 
| 2018-10-01 | Cribl's first product, "LogStream," released | 
| 2019-04-09 | ’312 Patent Issued | 
| 2020-10-13 | ’438 Patent Issued | 
| 2021-11-02 | Splunk terminates Cribl's TAP membership | 
| 2022-10-05 | Complaint Filing Date | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,762,443 - "Transformation of Network Data at Remote Capture Agents"
Issued September 12, 2017. (Compl. ¶91).
The Invention Explained
- Problem Addressed: The patent’s background section describes the difficulty of deploying conventional network data capture products, which were typically physical hardware appliances, in modern virtualized and cloud computing environments where physical access is impossible or impractical (Compl. ¶92; ’443 Patent, col. 1:14-50). It further notes that conventional approaches are often inflexible and cumbersome for processing large volumes of data (Compl. ¶93; ’443 Patent, col. 1:26-41).
- The Patented Solution: The invention proposes software-based "remote capture agents" that can be deployed in distributed computing environments and configured remotely by a central server (Compl. ¶94). This architecture is intended to streamline the deployment and configuration of network capture technology, allowing agents to capture, process, and transform network data directly at remote locations before forwarding it (Compl. ¶94; ’443 Patent, col. 2:21-23).
- Technical Importance: This approach virtualizes the data capture function, making it manageable at scale in distributed cloud environments and adapting it to the industry's shift away from physical data centers (Compl. ¶92).
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶117).
- The essential elements of claim 1 are:
  - A computer-implemented method performed by a remote capture agent coupled to a network, comprising:
  - obtaining configuration information from a configuration server that is usable by the agent to generate and transform timestamped event data from network packets;
  - monitoring network traffic that includes a plurality of network packets;
  - generating timestamped event data from a network packet based on the configuration information, which includes segmenting the packet into events and associating each event with a timestamp; and
  - transforming the timestamped event data into transformed event data based on the same configuration information by performing an operation on data within at least one event.
- The complaint does not explicitly reserve the right to assert dependent claims for this patent.
U.S. Patent No. 10,805,438 - "Configuring the Protocol-Based Generation of Event Streams by Remote Capture Agents"
Issued October 13, 2020. (Compl. ¶95).
The Invention Explained
- Problem Addressed: The patent addresses challenges in managing and configuring data capture agents in distributed networks, particularly the inflexibility of conventional systems that are often "built from scratch" for a specific purpose and "may preclude modification to address different and changing business needs" (Compl. ¶96; ’438 Patent, col. 1:49-64).
- The Patented Solution: The invention describes a system where a central configuration server dynamically manages remote capture agents (Compl. ¶97). The server receives input specifying how to process network traffic (e.g., based on protocol) and sends corresponding configuration data to the agents. This allows the agents' data filtering, transformation, and aggregation functions to be dynamically adapted to different requirements (Compl. ¶97; ’438 Patent, col. 2:20-31).
- Technical Importance: This technology provides a mechanism for centralized, dynamic control over distributed data capture agents, increasing their flexibility and adaptability in complex, large-scale data environments (Compl. ¶97).
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶145).
- The essential elements of claim 1 are:
  - A computer-implemented method performed by a configuration server coupled to a remote capture agent, comprising:
  - receiving input requesting the creation of an event stream, where the input includes an indication of a protocol and a selection of an event attribute to be extracted;
  - generating configuration data based on that input; and
  - sending the configuration data to the remote capture agent, causing the agent to generate the event stream from monitored network traffic according to the configuration data.
- The complaint does not explicitly reserve the right to assert dependent claims for this patent.
U.S. Patent No. 9,208,206 - "Selecting Parsing Rules Based on Data Analysis"
Issued December 8, 2015 (Compl. ¶98).
- Technology Synopsis: The patent addresses the challenge of accurately searching large sets of machine-generated data (Compl. ¶99). It describes how improper rules for processing raw data can "pollute" the resulting index and reduce search quality. The invention provides techniques for modifying data parsing rules to improve the quality of the index and the performance of searching and processing machine data (Compl. ¶100).
- Asserted Claims: The complaint asserts at least claim 1 (Compl. ¶172).
- Accused Features: The complaint accuses Cribl's "Data Preview" functionality, which allegedly allows users to sample data, view how it is parsed into events, and then apply a selected parsing rule to a larger data stream (Compl. ¶176).
U.S. Patent No. 9,838,467 - "Dynamically Instantiating Dual-Queue Systems"
Issued December 5, 2017 (Compl. ¶101).
- Technology Synopsis: The patent is directed to performance improvements in systems that process streams of live data, which can arrive faster than they can be handled, leading to dropped data (Compl. ¶102). The invention describes "dual-queue" techniques, involving a "live data queue" for immediate processing and a "stale data queue" for persistent backup, to manage data influx. The claims concern the dynamic instantiation and management of these dual-queue nodes in an efficient manner (Compl. ¶103).
- Asserted Claims: The complaint asserts at least claim 1 (Compl. ¶201).
- Accused Features: The complaint accuses Cribl's "Persistent Queues" feature, which allegedly implements a dual-queue system with an in-memory queue and a disk-based persistent queue to prevent data loss (Compl. ¶205, 209-210).
U.S. Patent No. 10,255,312 - "Time Stamp Creation for Event Data"
Issued April 9, 2019 (Compl. ¶104).
- Technology Synopsis: The patent addresses technical problems in processing time-series data, where data from different sources may be asynchronous or have inconsistent timestamp formats, making time-based searching difficult (Compl. ¶105-106). The invention provides techniques for improving machine data analysis by segmenting raw data into searchable events and accurately detecting, generating, or calculating timestamps for those events, enabling more efficient and granular time-based searching (Compl. ¶108).
- Asserted Claims: The complaint asserts at least claim 1 (Compl. ¶224).
- Accused Features: The complaint accuses Cribl's "Event Breakers" functionality, which is alleged to segment raw time-series data into discrete events and perform timestamping by detecting existing time information or calculating a new timestamp (Compl. ¶230, 232).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are Defendant’s "Stream" and "Edge" software products (Compl. ¶116).
Functionality and Market Context
- The complaint alleges that Cribl Stream and Edge are software platforms that operate between a customer's sources of machine data and their data analysis system (such as Splunk Enterprise) (Compl. ¶46). The accused products are described as ingesting, filtering, and transforming this data before forwarding it, with a stated goal of reducing the volume of data sent to the downstream analysis system (Compl. ¶46). The software is deployed in a distributed architecture comprising "Leader Nodes," which act as central configuration servers, and "Worker Nodes" or "Edge Nodes," which act as remote agents performing data capture and processing (Compl. ¶121, 123). The complaint alleges that "Cribl Edge is the same technology behind Cribl Stream," scaled to run on an edge device (Compl. ¶124). A diagram from Cribl's documentation shows the Leader Node managing Worker Nodes that process data from various sources and send it to various destinations (Compl. ¶122, p. 38).
IV. Analysis of Infringement Allegations
U.S. Patent No. 9,762,443 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| [1a] obtaining configuration information from a configuration server over a network, wherein the configuration information is usable by the remote capture agent to generate timestamped event data from network packets and to transform the timestamped event data into transformed event data; | Cribl’s Worker and Edge Nodes (the alleged remote capture agents) are managed by and receive configuration information from a Leader Node (the alleged configuration server). This information instructs the Nodes to use "Event Breakers" for generating timestamped data and "Functions" for transforming it. | ¶125-127 | col. 2:21-23 | 
| [1b] monitoring network traffic comprising a plurality of network packets; | The Stream and Edge products monitor incoming network traffic delivered over packetized protocols such as TCP. | ¶128-129 | col. 6:3-5 | 
| [1c] generating, based on the configuration information, timestamped event data from at least one network packet...wherein generating the timestamped event data includes segmenting the at least one network packet into a plurality of events and associating each event...with a respective timestamp; | The accused products use "Event Breakers" which, based on configuration from the Leader Node, parse incoming raw data received as network packets into discrete events and associate a timestamp with each created event. A Cribl documentation screenshot shows an interface for defining rules for this process (Compl. ¶131, p. 42). | ¶130-131 | col. 6:15-20 | 
| [1d] and transforming, based on the same configuration information, the timestamped event data into transformed event data, wherein transforming the timestamped event data includes performing an operation involving data contained in at least one event of the plurality of events. | Based on configuration information from the Leader Node, the Worker and Edge Nodes apply "Functions," described as code that executes on an event, to transform the data contained within the timestamped events. | ¶132-133 | col. 6:21-24 | 
Identified Points of Contention
- Scope Questions: A potential issue is whether Cribl’s software-based "Worker Nodes" and "Edge Nodes" meet the definition of a "remote capture agent" as construed from the patent's specification.
- Technical Questions: The analysis may raise the question of whether the general-purpose data processing "Functions" in the accused products perform the specific act of "transforming... the timestamped event data" in the manner required by the claim, or if there is a technical distinction between the accused functionality and the claimed transformation.
U.S. Patent No. 10,805,438 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| [1a] receiving input requesting creation of an event stream to be generated by the remote capture agent, the input including: | The Cribl Leader Node (the alleged configuration server) is controlled via a user interface and API, through which it receives input from a user directing how to configure the associated Worker and Edge Nodes to generate event streams. | ¶150-151 | col. 2:47-50 | 
| [1b] an indication of a protocol to be associated with the event stream, wherein the protocol is used by network traffic monitored by the remote capture agent, and | The Leader Node is provided with the specific network protocol (e.g., TCP) being used by the data sources so it can generate the correct configuration information for the Worker and Edge Nodes. | ¶153-154 | col. 6:4-6 | 
| [1c] a selection of an event attribute associated with the protocol, the event attribute indicating data to be extracted from network packets... | When a user configures a data source, the Leader Node is instructed to use "Event Breakers," which contain rules that indicate what data should be extracted from the network packets. | ¶155-156 | col. 6:7-11 | 
| [1d] generating configuration data based on the input; and | The Leader Node centrally authors and generates configuration information for the Worker and Edge Nodes based on the input it receives from the user via its API and user interface. | ¶157-158 | col. 6:12-13 | 
| [1e] sending the configuration data to the remote capture agent, the configuration data causing the remote capture agent to generate the event stream... | The Leader Node sends the generated configuration data to the Worker and Edge Nodes, which then begin generating event streams according to the received instructions. A diagram illustrates this flow from the Leader Node to the Worker Nodes (Compl. ¶149, p. 47). | ¶159-160 | col. 6:14-19 | 
Identified Points of Contention
- Scope Questions: A central question for claim construction may be whether a user's configuration of a data processing pipeline through a graphical user interface constitutes "receiving input requesting creation of an event stream" as required by the claim preamble.
- Technical Questions: The infringement analysis may turn on whether the accused products' use of "Event Breakers"—which are described as rule sets for parsing data—is technically equivalent to the claimed "selection of an event attribute indicating data to be extracted."
V. Key Claim Terms for Construction
The Term: "remote capture agent" ('443 Patent, claim 1)
- Context and Importance: This term defines the entity performing the entire claimed method. The infringement case depends on mapping Cribl’s "Worker Nodes" and "Edge Nodes" to this claim element. Practitioners may focus on this term because its definition will determine whether the accused system's distributed software architecture falls within the patent's scope.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent specification repeatedly discusses the invention in the context of "cloud computing environments" and "remote locations" where physical hardware is not feasible, suggesting the term is intended to cover software-based agents (Compl. ¶92; ’443 Patent, col. 1:42-50). The claims refer to a "computer-implemented method," which supports a software-based interpretation.
  - Evidence for a Narrower Interpretation: The background section contrasts the invention with conventional "physical hardware appliance[s]" and "network capture devices" (’443 Patent, col. 1:15-18, 1:49). While the invention is presented as an improvement, a defendant may argue that the term retains some of the essential characteristics of a discrete "agent" primarily focused on "capture," rather than a general-purpose processing node.
The Term: "event attribute" ('438 Patent, claim 1)
- Context and Importance: The infringement allegation for claim 1 relies on equating the user's selection and configuration of "Event Breakers" in the accused product with the claimed "selection of an event attribute" (Compl. ¶156). The construction of this term is therefore central to whether the accused user activity meets the claim limitations.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim language itself is general, defining the attribute simply as being "associated with the protocol" and "indicating data to be extracted" (’438 Patent, col. 25:46-49). This could be argued to broadly cover any rule or setting that specifies what data to pull from a network packet.
  - Evidence for a Narrower Interpretation: The patent's detailed description and figures may provide more specific examples. For instance, Figure 4B of the patent shows a graphical user interface where specific, named fields like "dest_port," "http_method," and "http_referrer" are presented as selectable attributes. This could support a narrower construction limited to predefined, selectable fields rather than more complex, user-defined parsing rules like those allegedly in Cribl's "Event Breakers."
VI. Other Allegations
Indirect Infringement
- The complaint alleges both induced and contributory infringement for all asserted patents. Inducement allegations are based on Cribl's educational materials, website and YouTube instructions, and customer support, which allegedly direct users to operate the accused products in an infringing manner (e.g., Compl. ¶136, 163). Contributory infringement is alleged on the basis that the accused products are especially made for infringement and are not staple articles of commerce suitable for substantial non-infringing use, particularly because the Worker/Edge Nodes are allegedly designed specifically to operate based on configuration data from the Leader Node (e.g., Compl. ¶137, 164).
Willful Infringement
- Willfulness is alleged for all asserted patents. The complaint bases this on alleged actual and constructive knowledge, asserting that Cribl’s co-founders are former senior technical employees of Splunk who were heavily involved in Splunk's patent program, invented on Splunk patents, and were aware of Splunk’s patent portfolio and its patent marking webpage (Compl. ¶111-113, 135).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural mapping: can the Plaintiff demonstrate that the Defendant’s "Leader Node" and "Worker/Edge Node" architecture is technically equivalent to the "configuration server" and "remote capture agent" system described and claimed in the patents? The case may depend on whether Cribl's distributed software components perform the specific functions required by the claims for these architectural elements.
- A second key question will be one of functional scope: does the act of configuring a processing rule in the accused products' user interface (e.g., an "Event Breaker" or a "Function") constitute the specific, claimed actions of "selecting an event attribute" ('438 Patent) or "transforming... timestamped event data" ('443 Patent)? The dispute may focus on whether the accused general-purpose data manipulation tools perform the particular steps recited in the patent claims.
- Given the parties' shared history as alleged in the complaint, a significant facet of the case will likely be the evidence concerning knowledge and intent. This question will be central to the allegations of willful and indirect infringement, moving beyond a purely technical comparison of the products and patents to the narrative of the defendant's alleged conduct.