Two Splunk shops, same revenue, a 4-turn gap
Picture two Splunk partners going to market this year. Both do roughly $12M in services revenue. Both have respectable Net Revenue Retention. On a spreadsheet they look like twins. One gets a sheet at 9x EBITDA. The other gets a competitive process and clears 13x. The difference isn't size or growth rate — it's what the revenue is made of.
The first shop is a log-management and SIEM practice. It runs Splunk Enterprise deployments, manages the renewal cycle, tunes correlation searches, and bills for the same dashboard work it billed for three years ago. Buyers read that as a maintenance annuity: sticky, yes, but commoditized and structurally exposed to vendor consolidation. That's the 8x to 10x lane, and it's getting more crowded as Cisco rationalizes the licensing motion underneath it.
The second shop sells outcomes. It runs full-stack observability — APM, infrastructure monitoring, digital-experience telemetry — and sits between the DevOps and SecOps teams instead of just feeding the security analysts. When that partner walks into a renewal, the conversation isn't "do you want to keep your logging tool," it's "your checkout latency is costing you conversions, here's the trace." That's the 12x to 14x lane. Per Splunk's State of Observability 2025 report, organizations with leading observability practices are far likelier to say those tools move revenue and shape the product roadmap — and acquirers are paying for the partners who can manufacture that outcome on demand, not the ones who keep the lights on.
What the Cisco deal actually did to your diligence file
When Cisco closed the $28B Splunk acquisition, it didn't just change the logo on your partner portal. It rewrote the strategic thesis a buyer applies to your practice. Cisco is betting on convergence — network telemetry, security data, and application observability collapsing into one platform alongside AppDynamics and ThousandEyes. A partner who can only do standalone SIEM is now sitting outside the deals that thesis creates, which means the most strategic enterprise opportunities route around you.
Here's where it shows up in a process. I've watched diligence teams treat Cisco-portfolio fluency as a separate line item — effectively an add-back for partners who've cross-pollinated their Splunk depth into AppDynamics APM and ThousandEyes network-path visibility. A Splunk practice that can't correlate a Log Observer Connect signal with an APM trace across a hybrid environment is, by the buyer's math, leaving 30-40% of the addressable deal off the table. That gap doesn't get split with you in the multiple. It gets priced as risk, against you.
The integration question every buyer is really asking
Reselling licenses is table stakes and buyers know it. The thing they're trying to validate is whether your engineers can actually execute the unified view — take a customer's mess of hybrid-cloud signals and produce one coherent picture of what's slow, what's broken, and what it's costing. Partners who can put a real cross-platform implementation on the table — Splunk feeding AppDynamics feeding a single correlated dashboard — are clearing two to three turns above their single-product peers. The observability platforms market forecast through 2035 tells the buyer the demand is durable; your integration evidence tells them you can capture it.
The OpenTelemetry test, and the 18-month fix
If you want the cleanest predictor of which lane a Splunk partner lands in, look at how they instrument. In 2026 diligence, "Observability as Code" has quietly become the maturity tell. A buyer's technical reviewer will ask to see your instrumentation. If the answer is engineers clicking through the UI to hand-build dashboards on each engagement, that's not a service line — it's a labor model that doesn't scale, and it gets repriced as technical debt against your exit. The State of Observability 2025 report ties the top-performing organizations to "often or always" using OpenTelemetry — and the highest-value service partners share that trait because OTel decouples them from proprietary, heavy-weight agents and from the platform-lock risk Cisco now controls.
The partners who clear 14x treat observability as an engineering discipline. They embed instrumentation directly into the customer's CI/CD pipeline, which means the telemetry ships when the code ships. That "shift left" move plants the partner inside the software lifecycle and creates switching costs a renewal contract never could — rip out a partner who instruments your deploy pipeline and you've broken your own release process.
If you're taking a Splunk partner to market inside 18 months
Three moves, in order of how much they shift the multiple:
- Re-mix the revenue. Get observability and APM use cases to at least 40% of services revenue and shrink pure-play SIEM. Buyers underwrite the mix, not the headline number.
- Make OTel verifiable, not aspirational. Certify the engineering team in OpenTelemetry and modern instrumentation, and keep evidence a reviewer can audit — not a slide claiming it.
- Quantify customer ROI in revenue terms. Build references that show a deployment cut downtime cost or lifted conversion — not "we detected more threats." The first sentence sells the outcome thesis; the second sells a logging tool.
Run all three and you stop arguing about a discount and start running a process about a premium.
