Three years ago there were seven credible enterprise SIEM vendors. Today there are effectively three: Microsoft Sentinel, Splunk (now Cisco), and CrowdStrike Falcon LogScale. Every other vendor is either niche, declining, or being absorbed. If you're running a non-Microsoft, non-Splunk SIEM today, your replacement planning should be active, not theoretical.
The Consolidation Drivers
Data volume is the forcing function. Modern environments generate 10-100x the log volume of five years ago — cloud workloads, containers, API traffic. Legacy SIEM architectures weren't built for this. Vendors who couldn't modernize their ingest pipeline lost the technical argument. The ones who survived did so by rebuilding on top of columnar storage or cloud-native data planes.