How much does cloud monitoring cost?

Cloud monitoring ranges from $0 (open-source self-hosted, free vendor tiers) to $200,000+ per month for enterprise deployments. The median mid-market team running 100 hosts with full observability spends $3,000 to $15,000 per month. Costs are driven primarily by host count, log volume, custom metric cardinality, and APM coverage. Verify current pricing on each vendor's pricing page before purchasing.

What is the cheapest cloud monitoring tool?

Self-hosted Prometheus and Grafana is the cheapest in pure license terms (free), but requires platform engineering capacity. Among managed services, Grafana Cloud has the most generous free tier and lowest paid-tier pricing. New Relic's 100 GB free data ingest is the next most generous. Datadog and Dynatrace are positioned at the higher end of the market.

What percentage of cloud spend goes to monitoring?

Industry research from independent and vendor sources puts the median at 7 to 8 percent of cloud infrastructure budget. Below 3 percent typically signals under-monitoring. Above 15 percent signals overspend and is a common trigger for cost-reduction projects. Microservices and Kubernetes-heavy stacks land at the higher end of the range.

Why is my Datadog bill so high?

Bill spikes usually trace to one of: custom metrics generated from high-cardinality labels (Kubernetes pod, container, namespace), log indexing charges on top of ingest charges, APM span indexing above the included 1M per host, retention upgrades beyond the 15-day default, or container counting that bills each pod as a fractional host. See vendor pricing pages and our hidden costs page for the underlying mechanics.

How can I reduce monitoring costs?

The highest-impact strategies in order: filter and sample logs at the source (saves 30 to 50 percent), control custom metric cardinality (saves 20 to 40 percent), sample APM traces at 5 to 10 percent (saves 15 to 30 percent), right-size retention to actual query patterns (saves 10 to 20 percent), and consolidate or migrate to open source where the team has capacity (saves 40 to 90 percent).

Cost by data volume

Log management cost for 100 GB/day

Verified April 2026

At 100 GB/day, the same log volume costs $300 on Datadog ingestion-only or $20,000 on Datadog with full indexing. Loki bills $1,400. Splunk workload pricing lands at $5,000 to $12,000. The architectural choices each vendor has made for log search are the dominant cost variable, not the volume itself.

TL;DR

New Relic Logs at ~$870 to $1,000/mo. Grafana Cloud Loki at ~$1,400 to $1,500/mo. Datadog full-indexing at $15,000 to $20,000/mo. Splunk workload at $5,000 to $12,000/mo. Self-hosted Loki at ~$300 to $800/mo. The 50x spread between cheapest and most expensive on the same volume is real and reflects log-search architecture choices.

Seven options at 100 GB/day

The realistic monthly bill

Each vendor priced for 100 GB/day of log ingestion (3,000 GB/month) with average 4 million events per gigabyte, 30-day retention, and standard searchability. Verify on each vendor's pricing page.

Option	Monthly cost	Note
Self-hosted Loki	$300 to $800	Cloud cost only; engineering time excluded.
Grafana Cloud Loki	$1,400 to $1,500	100 GB/day is 3,000 GB/month above 50 GB free; ~2,950 GB at $0.50/GB.
New Relic Logs	$870 to $1,000	100 GB/day is 3,000 GB/month above 100 GB free; ~2,900 GB at $0.30/GB.
Elastic Cloud	$2,000 to $4,000	Resource-based deployment sized for 100 GB/day ingestion; varies by retention.
Datadog Logs (no indexing)	$300	Ingestion only at $0.10/GB; logs are not searchable in Logs UI.
Datadog Logs (full indexing)	$15,000 to $20,000	Adds indexing at $1.70/M events; ~4M events/GB on average.
Splunk Cloud (workload)	$5,000 to $12,000	Workload pricing medium pack sized for ~100 GB/day.

The architectural choices that drive cost

Why log search is so expensive

Log management cost variation at the same volume reflects fundamental architectural choices each vendor has made for log search. The choices are largely invisible to the customer until the invoice arrives, but they explain the 50x cost spread between cheapest and most expensive at 100 GB per day.

Splunk pioneered the full-text inverted-index approach to log search in the early 2000s, and the architectural choice has defined the platform's pricing ever since. Every log line is parsed at index time, every word becomes an entry in the inverted index, and search queries run against the index rather than the raw log data. The trade-off is fast free-text search at the cost of expensive index storage. Splunk's legacy per-GB ingest pricing of $150 plus per gigabyte per day was justified by this architectural choice. Workload pricing has narrowed the cost gap but the underlying architecture remains.

Datadog inherited a similar architectural model for log indexing and exposed it through separate billing meters: ingest at $0.10 per gigabyte (cheap, because no indexing happens) plus indexing at $1.70 per million events (expensive, because the inverted index is built and maintained). Most customers want logs searchable, so the combined cost is what matters; the separate meters create the impression of cheap log management until the indexing line item appears on the invoice.

Loki took the opposite architectural choice in 2018. Rather than indexing log content, Loki indexes only labels (the metadata attached to each log stream: service name, host, severity). Search queries are scoped by label first, then scan the raw log data within the matching streams. This trades search performance (slower for free-text queries on large datasets) for storage cost (5 to 10 times cheaper than full-text indexing). For operational logs where queries are typically scoped by service or host, the trade-off is favourable.

New Relic uses a hybrid approach with a single ingest meter for all telemetry types. Logs benefit from automatic parsing into structured fields without explicit per-event indexing charges, which makes the cost predictable and competitive with Loki at typical mid-market volumes. The trade-off is less control over which logs are searchable and which are archived.

The reduction levers

Three ways to cut 100 GB/day

Filter at the source

Drop DEBUG and INFO logs at the application or log shipper. A 100 GB/day deployment often drops to 30 to 50 GB/day with no operational impact. Saves 60 to 80 percent on any vendor and is the single highest-impact cost lever.

Sample access logs

Ingest 10 percent of HTTP access logs and rely on application metrics for the aggregate. Recovers 30 to 50 percent of total log volume in many deployments. Use stratified sampling to preserve error visibility while reducing happy-path noise.

Route to cold storage

Send compliance-only logs (audit logs that are rarely queried) directly to S3 or equivalent object storage rather than to the observability backend. Recovers 50 to 90 percent of long-tail log cost without compromising compliance access.

The pipeline tools

Cribl, Edge Processor, and Vector

Three log pipeline products dominate the source-side log reduction market. Cribl Stream, the most established commercial offering, transforms log data at the agent before it reaches any observability backend. Cribl reduces ingestion by 30 to 60 percent on most workloads through a combination of filtering, sampling, redaction, and routing. The Cribl pipeline costs roughly $2 to $5 per gigabyte processed at typical pricing, which means a 100 GB per day deployment pays Cribl $6,000 to $15,000 per month for the pipeline. The Cribl cost makes economic sense only when the downstream backend savings exceed the pipeline cost; for Datadog or Splunk customers this is usually true with substantial margin.

Splunk Edge Processor is Splunk's native equivalent, introduced in 2023. It performs the same source-side transformations as Cribl but is bundled into Splunk subscriptions. For Splunk-only customers, Edge Processor is the obvious choice; the additional integration value is real. Customers running multi-vendor pipelines (Splunk plus Datadog plus Loki) tend to prefer Cribl because it is vendor-agnostic.

Vector, the open-source alternative from Datadog (acquired Timber.io in 2021), runs as a self-hosted log shipper with similar transformation capabilities to Cribl. Vector is genuinely free at the licence level but requires platform engineering capacity to operate at scale. For teams comfortable with self-hosted observability infrastructure, Vector is the cost-leading option for log pipeline transformation. For teams that want managed pipeline infrastructure, Cribl or Edge Processor are easier paths.

The economic case for pipeline tooling is strongest for Datadog customers with heavy log indexing and Splunk customers with legacy ingest pricing. For Loki and New Relic customers at 100 GB per day, the savings from pipeline transformation rarely exceed the pipeline cost; the underlying log management is already cheap enough that source-side reduction is not worth the additional moving part.

Cross-references

/log-management-pricing

Log management pricing across vendors

/log-management-cost-1tb

Log management cost for 1 TB/day

/datadog-pricing

Datadog pricing breakdown

/splunk-pricing

Splunk pricing breakdown

/grafana-cloud-pricing

Grafana Cloud pricing breakdown

/datadog-vs-splunk

Datadog vs Splunk

/calculator

Multi-vendor cost calculator

/comparison

Six-vendor comparison

/reduce-monitoring-costs

Twelve cost-reduction strategies

Frequently asked

Why is the cost range so wide for 100 GB/day?

Because the same volume can be billed very differently depending on how the vendor structures its log management product. Datadog separates ingestion ($0.10 per GB) from indexing ($1.70 per million events), and the indexing line item is 50 to 100 times the ingestion line item for typical event densities. Loki indexes labels rather than full text, which is structurally cheaper than Splunk-style indexing on the same volume. New Relic charges through a single ingest meter without separate indexing. The $300 to $20,000 spread reflects which architectural choices a vendor has made for log search, not which vendor is fundamentally more expensive.

What is the difference between log ingestion and log indexing?

Ingestion is the process of accepting log data into the platform. Indexing is the process of making the log data searchable in the UI. Datadog separates these two billing meters: $0.10 per gigabyte ingested plus $1.70 per million events indexed (on the Enterprise tier). Most teams want all logs searchable, so the combined cost is what matters; for a 100 GB per day deployment with average 4 million events per gigabyte, the combined cost is $300 ingestion plus $20,400 indexing, totalling $20,700 per month at default indexing settings. Configuring index exclusion filters that drop low-value logs (DEBUG, structured access logs) before indexing recovers 60 to 80 percent of indexing cost.

Is Loki really 5 to 10x cheaper than Splunk for log management?

On equivalent log volumes, yes, but with capability trade-offs. Loki indexes only labels (typically 5 to 20 labels per log line), not full text, which makes log storage roughly 5 to 10 times cheaper than Splunk-style full-text indexing on the same volume. The trade-off is search latency; Loki has to scan the underlying log data at query time rather than serving from an index, which is slower for ad-hoc text search. For operational logs that are queried by label (host name, service, error type) rather than by free-text content, Loki is structurally cheaper and operationally fine. For SIEM and security analytics workloads where free-text search across petabytes of data is the primary use case, Splunk's full-text indexing is the right tool despite the cost premium.

What is the cheapest option for 100 GB/day?

Self-hosted Loki on a small Kubernetes cluster is the cheapest in pure cloud cost (around $300 to $800 per month for the storage and compute). New Relic Logs at $870 to $1,000 per month is the cheapest hosted option, since the single-meter ingest model absorbs 100 GB/day at the standard $0.30 per GB rate. Datadog ingestion-only (without indexing) is technically the cheapest hosted option at $300 per month, but the logs are not searchable in the Datadog Logs UI without indexing, which makes ingestion-only effectively useless except for archive-and-forward use cases.

What is the right way to reduce 100 GB/day log volume?

Three levers in order of impact. First, filter at the source: drop DEBUG and INFO level logs at the application or log shipper before they enter the observability platform. This typically reduces ingestion by 60 to 80 percent. Second, sample high-volume access logs: instead of ingesting every HTTP access log, ingest 10 percent and rely on application metrics for the aggregate. Third, route low-value logs to cheap object storage (S3, GCS) for compliance retention rather than to the searchable observability backend. Cribl Stream, Splunk Edge Processor, or a custom Vector pipeline can perform all three transformations at the agent.

What about retention cost?

Retention is the second axis after volume. Default retention on Datadog is 15 days for indexed logs; moving to 30 days roughly multiplies indexed-log cost by 1.5x, 60 days by 2.5x, 90 days by 4x. Loki and New Relic price retention more flexibly with cold-tier storage options. Splunk SmartStore enables S3-backed cold storage at significantly lower cost than indexed retention. For compliance retention (12 to 36 months for SOX, HIPAA, PCI DSS audit logs), use cold-tier storage with on-demand recall rather than indexed retention; this is typically 80 to 95 percent cheaper than full indexed retention.