Independently operated. Not affiliated with Datadog, New Relic, Grafana Labs, Dynatrace, Splunk, or Elastic. Pricing sourced from public pages and may not reflect current rates. Verify on each vendor's pricing page before purchasing.

Vendor comparison

Datadog vs Splunk 2026: cost and capability compared

Verified April 2026

Datadog and Splunk are two enterprise observability platforms with very different histories and strengths. Datadog grew up on per-host APM with bolt-on log management. Splunk grew up on log analytics with bolt-on observability via SignalFx. The right answer depends heavily on whether your dominant workload is operational logs or security analytics.

TL;DR

Datadog wins for pure operational observability up to ~1 TB per day of logs. Splunk wins for security analytics, SIEM, and large-scale log workloads above 1 TB per day where workload pricing plus Cisco EA bundling becomes competitive. For organisations needing both observability and serious SIEM, Splunk plus Splunk Enterprise Security is the typical choice; standalone Datadog requires adding Datadog Cloud SIEM at premium rates.

The pricing model collision

Per-host plus indexing vs per-GB or workload pricing

Datadog and Splunk arrived at the cloud monitoring market from opposite directions and their pricing models reflect those origins. Datadog grew up as an APM and infrastructure monitoring platform with logs added later, and the per-host plus per-add-on pricing model encodes that history. Each meter is independent; the customer pays per host for infrastructure, per host for APM, per gigabyte for log ingestion, per million events for log indexing, per session for RUM, and so on. The model rewards homogeneous fleets and punishes log-heavy or high-cardinality workloads.

Splunk grew up as a log analytics platform and the pricing has evolved through several generations. The legacy per-gigabyte ingest model, with list rates of $150 to $200 per gigabyte per day, dominated the 2010s and remains in place for many long-term customers. The workload pricing model, introduced in 2021 and dominant for new customers since 2023, replaces the per-gigabyte meter with workload packs sized for ingest, search, and concurrent-user load. Workload pricing is structurally cheaper than legacy ingest at any reasonable scale.

For pure operational log management at small to mid scale (under 200 GB per day), Datadog is typically cheaper because the per-gigabyte ingest rate of $0.10 is lower than the Splunk workload pricing per equivalent capacity. The key word is typically; once Datadog log indexing kicks in, the bill compounds quickly, and a team that indexes all logs without exclusion filters can match or exceed Splunk pricing on the same volume.

For security analytics and SIEM workloads, the comparison shifts. Splunk Enterprise Security plus SPL plus the Common Information Model is the dominant operational platform for large security operations centres, and Datadog Cloud SIEM (launched 2021) is improving rapidly but lags meaningfully on operational maturity. Customers who need serious SOC capabilities typically standardise on Splunk for security data even if they use Datadog for operational observability.

Three scenarios, side by side

Where the bills actually land

Scenario: Mid-market (50 hosts, 50 GB/day logs)

  • Datadog: $3,500 to $7,000. Infra $900, APM $1,550, log ingest $150 plus indexing $20K-equivalent depending on retention. Indexing dominates.
  • Splunk: $5,000 to $12,000. Workload pricing medium pack. Splunk APM separate at $22 per host. Far cheaper than legacy ingest pricing at $150 per GB per day.
  • Cheaper at this scale: Datadog

Scenario: Enterprise (1,000 hosts, 1 TB/day logs)

  • Datadog: $80,000 to $150,000. Heavy log indexing dominates. Negotiated rates apply at this scale; per-GB indexing typically drops below list.
  • Splunk: $60,000 to $120,000. Workload pricing large pack plus Splunk Observability. Cisco EA bundling typically saves another 20 to 40 percent.
  • Cheaper at this scale: Splunk

Scenario: Banking enterprise (5K hosts, 5 TB/day logs + SIEM)

  • Datadog: $300K to $600K. Cloud SIEM is a separate Datadog product line at premium rates. Total includes Datadog logs plus Cloud SIEM plus enterprise APM.
  • Splunk: $300K to $600K. Workload pricing XL pack plus Splunk Enterprise Security plus IT Service Intelligence plus Splunk SOAR. Cisco EA bundle discount applies.
  • Cheaper at this scale: Splunk

Capability comparison

Where each platform leads

Datadog leads on operational observability ergonomics. The agent auto-discovers running services, the integration catalogue covers most operational stacks, and the dashboard builder produces production-quality dashboards in minutes rather than hours. APM is mature across major language runtimes. Database Monitoring at the query level, Network Performance Monitoring at the flow level, and CI Visibility for build pipelines are differentiated capabilities Splunk does not match feature-for-feature outside of the security domain.

Splunk leads on log analytics depth and security operations maturity. SPL is more powerful than Datadog log query syntax for complex correlation and aggregation. Splunk Enterprise Security with the Common Information Model and 15 plus years of pre-built security use cases is the dominant SIEM platform for large enterprises. IT Service Intelligence (ITSI) provides service-oriented monitoring with KPI-based service trees that no peer matches at the same operational maturity. Splunk SOAR (security orchestration, automation, and response) integrates security alert investigation and response automation tightly into the platform.

On core APM, Splunk Observability (the SignalFx-derived APM platform) is competitive with Datadog APM but does not lead. Splunk customers usually buy Splunk APM for stack consolidation rather than because it beats Datadog APM on capability. On core infrastructure monitoring, Splunk Observability is competent but not differentiated; Datadog has more polish at the hub-and-dashboard level.

Customer profile fit

Who picks each vendor and why

Pick Datadog if

  • Your dominant workload is operational observability with modest log volume and no serious SIEM requirement.
  • You want one platform for infrastructure, APM, and logs with the same UX.
  • You value the deep add-on ecosystem (DBM, NPM, CI Visibility) that Splunk does not match outside security.
  • Your team is already on Datadog and the migration cost to Splunk would be substantial.

Pick Splunk if

  • You run a serious SOC and need Splunk Enterprise Security plus SOAR for security operations.
  • Your log volume exceeds 1 TB per day and Splunk workload pricing plus Cisco EA bundling becomes competitive.
  • You need IT Service Intelligence for service-oriented monitoring at enterprise scale.
  • You have existing Splunk dashboard, alert, and SPL investment that is expensive to migrate.

The Cisco context

What the Splunk acquisition changes

Cisco closed the Splunk acquisition in March 2024 for $28 billion. The strategic logic is the bundling of Splunk security analytics with the existing Cisco security portfolio (Umbrella, Duo, Talos threat intelligence) and the operational integration with the existing AppDynamics observability portfolio. Two years into the integration, several real changes have landed.

First, Splunk now ships inside Cisco Enterprise Agreement frameworks. Customers with established Cisco networking and security relationships can bundle Splunk into a single multi-year EA with consolidated billing, unified support, and meaningful cross-product discount frameworks. Customers with new Splunk procurement and existing Cisco EA relationships report 20 to 40 percent savings on bundled deals versus standalone Splunk procurement.

Second, AppDynamics and Splunk Observability are tightening their integration story. The product roadmap suggests eventual consolidation, with Splunk Observability as the dominant brand for new sales. AppDynamics renewals continue but feature velocity has visibly slowed compared to Datadog and Dynatrace.

Third, the threat-intelligence integration with Cisco Talos is a meaningful security-side capability that strengthens Splunk Enterprise Security. Talos signal feeds directly into Splunk ES correlation rules without third-party integration cost. For SOC teams considering Splunk versus Microsoft Sentinel or Elastic Security, the Talos integration is a real differentiator.

Verify before you commit

Citation and pricing-page references

All pricing in this comparison is verified against published vendor pricing pages and public customer commentary in April 2026: datadoghq.com/pricing and splunk.com/en_us/products/pricing.html. Both vendors discount substantially at enterprise scale; Splunk pricing is highly negotiable and Cisco EA bundling adds meaningful additional discount potential.

Frequently asked

Is Datadog or Splunk cheaper for log management?

It depends on log volume and whether security analytics matters. At under 100 GB per day of pure operational logs, Datadog is typically cheaper because the ingest rate ($0.10 per GB) is lower than Splunk workload pricing per equivalent capacity. Above 1 TB per day, Splunk workload pricing becomes competitive and sometimes cheaper, particularly when Cisco Enterprise Agreement bundling applies. For SIEM workloads (security analytics, threat hunting, compliance reporting), Splunk Enterprise Security is the more mature platform, and the cost premium is usually justified by the operational maturity gap.

Why is Datadog log indexing so expensive?

Datadog separates log ingestion ($0.10 per GB) from log indexing ($1.70 per million indexed events on the Enterprise tier). Each indexed event makes the log searchable in the Datadog Logs UI. A 100 GB per day deployment indexing all logs at an average of 4 million events per gigabyte is 12 billion events per month, billing $20,400 per month for indexing alone. Most teams reduce this by configuring index exclusion filters that drop low-value logs (DEBUG, structured access logs) before indexing, recovering 60 to 80 percent of the indexed-events cost.

Does Splunk have APM?

Yes. Splunk acquired SignalFx in 2019 and integrated it as Splunk APM (now part of Splunk Observability Cloud). Splunk APM is sold separately from Splunk Cloud (the log platform) at roughly $22 per host per month list, with additional charges for trace volume and high cardinality. Capability is competitive with Datadog APM and Dynatrace, with strong OpenTelemetry support. Most Splunk customers buy log management and APM together but they are separately licensed product lines.

Should I use Datadog Cloud SIEM or Splunk Enterprise Security?

Splunk Enterprise Security has 15 plus years of dedicated SIEM development, mature Common Information Model schemas, hundreds of pre-built security use cases, and the SPL search language that security analysts already know. Datadog Cloud SIEM, launched in 2021, is improving rapidly but lags Splunk on operational maturity for serious SOC workloads. For organisations with dedicated security operations teams and serious threat-hunting requirements, Splunk ES remains the dominant choice. For organisations wanting basic security signal correlation alongside operational observability, Datadog Cloud SIEM is competitive and avoids the second platform.

Can I use Datadog for compliance log retention like Splunk?

Datadog Flex Logs (introduced 2023) provides cheaper long-term retention specifically for compliance and audit use cases. Logs are stored in a query-on-demand tier that is significantly cheaper than indexed logs. Splunk SmartStore provides similar S3-backed cold storage. For pure compliance retention (HIPAA, SOX, PCI DSS audit logs that are rarely queried), both platforms offer competitive cold storage. For active investigation logs that need to be searchable on a daily basis, Splunk's hot indexing and SPL search remain operationally superior, particularly for security analyst workflows.

How much does it cost to migrate from Splunk to Datadog?

The migration is operationally substantial. Each Splunk dashboard, alert, and saved search has to be rebuilt in Datadog, and the SPL search language differs meaningfully from Datadog's log query syntax. Plan for 3 to 12 months depending on dashboard inventory. Run both platforms in parallel for at least 3 months to preserve historical context for incident investigation. Most successful migrations follow a workload-by-workload approach (operational logs to Datadog first, security logs stay on Splunk longer or move to dedicated SIEM) rather than a big-bang switch. Budget the engineering time explicitly; the cost-savings analysis often shows a 12 to 18 month payback once migration cost is included.