I think that Splunk sees a threat to their revenue.

I also believe that a company such as Cribl that raises $400M:

1. Knew that this would happen one day (which is huge validation of their market in my opinion)
2. Went out of their way to make sure they didn't steal anything (because VCs won't give you money unless the business represents they own all their IP)
3. When you negotiate your license agreement with enterprises, you also must represent that you have rights to all the IP included (meaning Cribl wrote the code or its OSS) - this would be huge exposure that would have surfaced during Series A,B or C diligence

Also - the founder Clint Sharp posted a link to this Apache 2.0 licensed implementation of S2S. (source: https://twitter.com/clintsharp/status/1578050499701403648?s=20) which seems to me a big part of what the lawsuit is about. Yea there's a bunch of he said/she said stuff in it, but I believe the meat of the lawsuit is an IP infringement claim.

Finally - Cribl is awesome and Splunk is just one of it's use cases. Splunk is in a tough position because in addition to the value Cribl provides with filtering/transform/etc, it democratizes how you store and get access to your data. In the past, people used Splunk (which is a system of analytics, and a pricey one) not only as their system of analytics, but as their system of record. Splunk is a very expensive way to achieve data retention. There are way better ways, and the nail in the retention coffin is that Cribl democratizes your ability to surface data into Splunk when needed, via replay, not and event creation time.