How much does cloud monitoring cost?

Cloud monitoring ranges from $0 (open-source self-hosted, free vendor tiers) to $200,000+ per month for enterprise deployments. The median mid-market team running 100 hosts with full observability spends $3,000 to $15,000 per month. Costs are driven primarily by host count, log volume, custom metric cardinality, and APM coverage. Verify current pricing on each vendor's pricing page before purchasing.

What is the cheapest cloud monitoring tool?

Self-hosted Prometheus and Grafana is the cheapest in pure license terms (free), but requires platform engineering capacity. Among managed services, Grafana Cloud has the most generous free tier and lowest paid-tier pricing. New Relic's 100 GB free data ingest is the next most generous. Datadog and Dynatrace are positioned at the higher end of the market.

What percentage of cloud spend goes to monitoring?

Industry research from independent and vendor sources puts the median at 7 to 8 percent of cloud infrastructure budget. Below 3 percent typically signals under-monitoring. Above 15 percent signals overspend and is a common trigger for cost-reduction projects. Microservices and Kubernetes-heavy stacks land at the higher end of the range.

Why is my Datadog bill so high?

Bill spikes usually trace to one of: custom metrics generated from high-cardinality labels (Kubernetes pod, container, namespace), log indexing charges on top of ingest charges, APM span indexing above the included 1M per host, retention upgrades beyond the 15-day default, or container counting that bills each pod as a fractional host. See vendor pricing pages and our hidden costs page for the underlying mechanics.

How can I reduce monitoring costs?

The highest-impact strategies in order: filter and sample logs at the source (saves 30 to 50 percent), control custom metric cardinality (saves 20 to 40 percent), sample APM traces at 5 to 10 percent (saves 15 to 30 percent), right-size retention to actual query patterns (saves 10 to 20 percent), and consolidate or migrate to open source where the team has capacity (saves 40 to 90 percent).

Cost by data volume

Log management cost for 1 TB/day

Verified April 2026

At 1 TB per day, log management is a six-figure annual budget item and a board-visible cost. The vendor choice is consequential, the source-side filtering audit is mandatory, and self-hosted Loki with a dedicated platform engineer becomes economically competitive. The 50x spread between cheapest and most expensive at this volume is real.

TL;DR

New Relic Logs at $9K to $11K/mo. Grafana Cloud Loki at $11K to $15K/mo. Splunk workload at $30K to $80K/mo. Datadog full-indexing at $130K to $200K/mo list . Self-hosted Loki at $10K to $22K/mo total cost . Source-side filtering can reduce 1 TB/day to 250-500 GB/day on most workloads, the single largest cost lever.

Seven options at 1 TB/day

The realistic monthly bill

Each option priced for 1 TB/day (30,000 GB/month) of log ingestion with average 4 million events per gigabyte and 30-day retention. Negotiated rates apply at this scale; obtain a sales quote before basing decisions on these ranges.

Option	Monthly cost	Note
Self-hosted Loki + team	$5K to $15K	Cloud cost ($3K-$8K) plus 0.5 to 1 FTE platform engineer.
Grafana Cloud Loki	$11K to $15K	30,000 GB/month above 50 GB free; ~$15K at $0.50/GB; annual commitments discount 20 to 30 percent.
New Relic Logs	$9K to $11K	30,000 GB/month above 100 GB free at $0.30/GB; cheapest hosted option.
Elastic Cloud	$15K to $30K	Resource-based deployment with multi-AZ replication for 1 TB/day.
Datadog Logs (no indexing)	$3K	Ingestion only at $0.10/GB; logs not searchable in Logs UI.
Datadog Logs (full indexing)	$130K to $200K	Adds indexing at $1.70/M events; 4M events/GB on average. Discounts at this scale.
Splunk Cloud (workload, large)	$30K to $80K	Workload pricing large pack with Cisco EA bundling.

The mandatory audit

Source-side filtering at 1 TB/day

The single most consequential cost-management practice at 1 TB per day log scale is auditing log volume by source and severity, then filtering aggressively at the source before logs reach the observability backend. The audit typically reveals two structural facts that drive the optimisation. First, 5 to 15 percent of log sources produce 60 to 80 percent of total volume; a small number of services, applications, or infrastructure components dominate the bill. Second, DEBUG and INFO severity logs contribute 70 to 90 percent of total volume but provide marginal incremental value for incident response or operational analysis.

Once the audit is done, the optimisation is straightforward. Drop DEBUG and INFO logs at the application or log shipper. Sample high-volume access logs at 10 to 25 percent. Route audit-only logs (compliance retention with no operational use) to S3 or equivalent object storage rather than the observability backend. Implement these three transformations consistently across the top 10 to 20 log sources, and 1 TB per day typically becomes 250 to 500 GB per day with no compromise to operational visibility.

The economic impact at 1 TB per day scale is dramatic. Reducing volume from 1 TB per day to 350 GB per day (a 65 percent reduction) cuts the Datadog full-indexing bill from $200,000 per month to $70,000 per month, the Splunk workload bill from $60,000 per month to $25,000 per month, and the Loki bill from $13,000 per month to $5,000 per month. The annual savings at the Datadog scale alone are $1.5 million; at the Splunk scale, $400,000. The audit-and-filter exercise typically pays back in the first month and continues to compound across the contract term.

The most common failure mode is shipping the audit but not following through on the filtering implementation. Auditing produces a clear picture of where the volume comes from; following through requires coordination with the application teams that own the logging configurations, which often takes longer than expected. Plan for 2 to 4 quarters of structured rollout across the top 10 to 20 log sources, with quarterly progress measured in volume reduction and dollar savings.

The split-platform strategy

Why enterprises run Loki and Splunk together

Many enterprises at 1 TB per day log scale operate two distinct log management platforms in production: a cheap operational log platform (Loki, self-hosted or hosted via Grafana Cloud) for application and infrastructure logs, and a mature SIEM platform (Splunk Enterprise Security, less commonly Elastic Security or Microsoft Sentinel) for security and compliance data. The split is economically efficient and operationally clean.

The economic case is straightforward. Operational logs are typically queried by label (which service, which host, which severity) rather than by free-text content. Loki's label-indexed approach is structurally cheaper for this access pattern; the search latency trade-off is acceptable for operational debugging. Security logs are queried by free-text content (which IPs accessed which resources, which user-agents triggered which patterns, which file hashes were observed) where Splunk's full-text indexing is operationally superior despite the cost premium. Running both platforms allocates the right tool to the right workload.

The operational case is equally important. Operational logs are owned by the SRE or platform engineering team, queried during incident response, and retained for 30 to 90 days. Security logs are owned by the security operations team, queried during threat hunting and compliance investigation, and retained for 12 to 36 months for regulatory compliance. The two teams have different query patterns, different retention requirements, and different operational rhythms. Running them on the same platform forces compromises that often serve neither well.

The cost arithmetic for the split-platform strategy at 1 TB per day total volume typically looks like this. Operational logs contribute 80 to 90 percent of total volume (800 to 900 GB per day) and run on Loki at $9,000 to $13,000 per month. Security logs contribute 10 to 20 percent of total volume (100 to 200 GB per day) and run on Splunk Enterprise Security at $20,000 to $40,000 per month. Total combined cost is $29,000 to $53,000 per month, meaningfully cheaper than either Datadog full-indexing or Splunk-everything at the same total volume.

Cost reduction levers

Three things to do at 1 TB/day

Audit and filter at source

The mandatory exercise. Quarterly source-by-source audit identifying top 10 to 20 sources, then DEBUG/INFO filtering and access-log sampling. Reduces volume by 50 to 75 percent on most workloads. Saves $50,000 to $1.5 million annually depending on vendor.

Split operational and security logs

Run Loki for operational logs and Splunk for security data. Operationally cleaner and economically efficient at 1 TB/day total volume. Saves 40 to 60 percent versus running everything on a single platform.

Tier retention with cold storage

Move logs older than 30 days to cheap object storage with on-demand recall (Splunk SmartStore, Datadog Flex Logs, Loki object storage tier). Recovers 60 to 90 percent of long-tail retention cost without compromising compliance access.

Run the calculator

For a workload-specific comparison and source-side filtering economics, run the inputs through the multi-vendor cost calculator. At 1 TB/day scale, the absolute dollar accuracy matters; verify against actual sales quotes before committing.

Cross-references

/log-management-pricing

Log management pricing across vendors

/log-management-cost-100gb

Log management cost for 100 GB/day

/datadog-pricing

Datadog pricing breakdown

/splunk-pricing

Splunk pricing breakdown

/grafana-cloud-pricing

Grafana Cloud pricing breakdown

/datadog-vs-splunk

Datadog vs Splunk

/calculator

Multi-vendor cost calculator

/comparison

Six-vendor comparison

/reduce-monitoring-costs

Twelve cost-reduction strategies

Frequently asked

How much does it cost to manage 1 TB/day of logs?

Between $3,000 and $200,000 per month depending on vendor and whether logs are searchable. New Relic at $9,000 to $11,000 is typically the cheapest hosted option with full searchability. Grafana Cloud Loki at $11,000 to $15,000 is competitive. Splunk workload pricing at this scale lands at $30,000 to $80,000 with Cisco EA bundling. Datadog with full indexing crosses six figures at this volume. Self-hosted Loki with a dedicated platform engineer is competitive at $5,000 to $15,000 in total cost. The 50x spread between cheapest and most expensive on the same volume reflects log-search architecture choices rather than capability gaps.

Is 1 TB/day really enterprise scale?

Yes. 1 TB/day is the boundary where log management becomes a substantial enterprise budget item. Typical organisations producing 1 TB/day of log volume include large e-commerce platforms (high-traffic transactional logs), enterprise SaaS companies with thousands of customers, financial services with regulatory audit log requirements, and IT operations teams running thousands of microservices in production Kubernetes. Below 1 TB/day, log management is operationally important but not strategically expensive. Above 1 TB/day, log management is a board-visible budget line and requires dedicated cost-management practices.

Why is Datadog so much more expensive at 1 TB/day?

Datadog log indexing at $1.70 per million events compounds aggressively at this volume. 1 TB per day is roughly 30 TB per month, which at average 4 million events per gigabyte is 120 billion events per month, or $204,000 per month for indexing alone. Even with negotiated enterprise discounts of 30 to 40 percent off list, Datadog at full indexing is structurally more expensive than Splunk workload pricing or New Relic single-meter ingest at this scale. The remedy is configuring index exclusion filters that drop low-value logs (DEBUG, structured access logs, repetitive health-check logs) before indexing, which can recover 60 to 80 percent of indexing cost.

When does self-hosted Loki become competitive?

At 1 TB/day, self-hosted Loki with a dedicated platform engineer is competitive with all hosted options on raw cost. Cloud infrastructure for 1 TB/day Loki ingestion (Loki distributors, ingesters, queriers, plus S3 for chunk storage) typically runs $3,000 to $8,000 per month. Engineering cost is 0.5 to 1 FTE platform engineer, which at fully loaded compensation of $13,500 per FTE per month adds $7,000 to $13,500. Total cost is $10,000 to $21,500, competitive with Grafana Cloud Loki ($11,000 to $15,000) and meaningfully cheaper than Datadog or Splunk. The case is strongest for teams that have observability platform engineering as a standing capability.

Should I use Splunk or Loki at 1 TB/day?

It depends on the workload type. For pure operational logs (application logs, infrastructure logs, container logs) where queries are scoped by service or host, Loki is structurally cheaper and operationally adequate. For SIEM and security analytics workloads where free-text search across the full corpus is the primary use case, Splunk Enterprise Security plus the SPL search language is operationally more capable despite the cost premium. Many enterprises run both: Loki for operational logs (cheap, fast for label-scoped queries) and Splunk for security data (mature, full-text searchable). The split is operationally clean and economically efficient.

What is the most important thing to do at 1 TB/day?

Audit your log volume by source and severity. The single most consequential cost-management practice at this scale is understanding which sources contribute the most volume and which severity levels add the least operational value. The audit typically reveals that 5 to 15 percent of log sources produce 60 to 80 percent of volume, and that DEBUG and INFO severity contribute 70 to 90 percent of total volume with marginal incident-response value. Once the audit is done, source-side filtering can typically reduce ingestion by 50 to 75 percent without compromising operational visibility. This single audit-and-filter exercise has a higher ROI than any vendor migration at 1 TB/day scale.