Comparison: Logging Platforms¶
Category: Observability Last meaningful update consideration: 2026-03 Verdict (opinionated): Loki for K8s-native teams on a budget — it is the Prometheus of logs. Splunk if enterprise budget allows and you need powerful search. ELK if you need full-text search and are willing to operate it.
Quick Decision Matrix¶
| Factor | ELK (Elasticsearch + Logstash + Kibana) | Loki | Splunk | CloudWatch Logs |
|---|---|---|---|---|
| Learning curve | High | Low-Medium | Medium | Low |
| Operational overhead | Very High | Low-Medium | None (Cloud) / High (self-hosted) | None |
| Cost at small scale | Free (self-hosted) | Free (self-hosted) | Expensive | Low (pay-per-ingest) |
| Cost at large scale | High (storage + compute) | Low (object storage) | Very expensive | Expensive at volume |
| Community/ecosystem | Massive | Growing (Grafana Labs) | Large (enterprise) | AWS-only |
| Hiring | Easy | Growing | Enterprise ops teams | AWS engineers |
| Query language | KQL / Lucene | LogQL | SPL | CloudWatch Insights |
| Full-text search | Excellent (inverted index) | Limited (labels only) | Excellent | Basic |
| Storage model | Inverted index (expensive) | Chunks + label index (cheap) | Proprietary index | AWS-managed |
| K8s integration | Filebeat / Fluentd + ES | Promtail / Grafana Alloy | Splunk Connect for K8s | CloudWatch Agent |
| Correlation | Kibana dashboards | Grafana (metrics + logs) | Splunk SOAR, SIEM | CloudWatch dashboards |
| Retention | Configurable (ILM) | Configurable + S3/GCS | Configurable | Up to 10 years |
When to Pick Each¶
Pick ELK when:¶
- You need powerful full-text search across log content (not just labels)
- Your use case includes security analytics (SIEM), application search, or log correlation
- You have a dedicated team to operate Elasticsearch clusters
- You want Kibana's visualization and exploration capabilities
- Log volume is moderate and you can afford the storage costs
Pick Loki when:¶
- You are already using Grafana for dashboards and Prometheus for metrics
- Cost efficiency is critical — Loki's object storage backend (S3/GCS) is dramatically cheaper than Elasticsearch
- Your querying pattern is "find logs for this pod/service/namespace in this time range" (label-based)
- You want to correlate logs with metrics in the same Grafana dashboard
- K8s-native deployment is important (Helm chart, small footprint)
Pick Splunk when:¶
- Enterprise budget is available and approved
- You need a mature SIEM solution alongside log management
- Compliance requirements demand certified log retention and audit trails
- Your security team needs SPL for threat hunting
- You want professional support and SLAs
Pick CloudWatch Logs when:¶
- You are 100% AWS and want zero operational overhead
- Your log volume is low to moderate (costs spike at high volume)
- You want native integration with Lambda, ECS, and other AWS services
- You need basic log search but not sophisticated analytics
- You are using CloudWatch for metrics already and want one console
Nobody Tells You¶
ELK¶
- Elasticsearch is a memory and CPU hog. Production clusters need beefy nodes — plan for at least 3 master nodes, 2+ data nodes, each with 16GB+ RAM.
- Index lifecycle management (ILM) policies are essential but complex. Without them, old indices pile up and your cluster runs out of disk. With them, you have a new system to debug when rollover fails.
- Elasticsearch version upgrades are nerve-wracking. Major version jumps require index reindexing, and the mapping between Logstash/Filebeat versions and ES versions must be maintained.
- OpenSearch (the AWS fork) exists because Elastic changed its license. The ecosystem is now split. Know which fork you are running and which documentation applies.
- The "ELK stack" is really "EFK" now (Fluentd instead of Logstash) for most K8s deployments. Logstash is heavy and Java-based; Fluentd/Fluent Bit are lighter.
- Elasticsearch shard management is a dark art. Too many shards kills performance, too few reduces parallelism. The "one shard per 50GB" rule is a starting point, not a law.
- Kibana is powerful but overwhelming. Most teams use 10% of its features and wish it were simpler.
Loki¶
- Loki does NOT index log content. It only indexes labels. If your query is "find all logs containing
NullPointerException" across all services, Loki scans every chunk for every matching label set. This is slow at scale. - Label cardinality matters as much in Loki as metric cardinality in Prometheus. High-cardinality labels (pod name, trace ID) in Loki stream selectors will kill performance and increase cost.
- The LogQL
|= "string"filter works but is a brute-force scan. Plan your label strategy so you rarely need to grep across wide time ranges. - Loki's microservices mode (split read/write path) is needed at scale but adds significant operational complexity. Start with monolithic mode and split when necessary.
- Chunk storage on S3/GCS is cheap but query performance depends on chunk size and compaction. Poorly tuned compaction leads to either slow queries or high IOPS bills.
- The Promtail agent is being replaced by Grafana Alloy. Migration is straightforward but documentation lags.
Splunk¶
- Splunk pricing is based on daily ingest volume (GB/day). At scale, this becomes the largest line item in your observability budget.
- SPL (Search Processing Language) is powerful but proprietary. Skills do not transfer to any other platform. Analysts who learn SPL develop a dependency.
- Splunk Cloud exists but is essentially hosted Splunk with the same complexity. It is not a SaaS-simple experience.
- Splunk acquisitions and product sprawl (SOAR, ITSI, Observability Cloud) have made the product matrix confusing. Know which product you are actually using.
- Splunk was acquired by Cisco in 2024. The long-term product direction under Cisco ownership is still crystallizing.
CloudWatch Logs¶
- CloudWatch Logs Insights is SQL-like but limited. Complex aggregations that Splunk or ELK handle easily require workarounds or are impossible.
- Log groups have a 5GB/day ingest limit by default. You must request a limit increase for high-volume services.
- Cross-account log aggregation requires specific IAM configurations and is not automatic. Multi-account AWS organizations need to plan this.
- CloudWatch pricing at high volume surprises teams. Ingest ($0.50/GB), storage ($0.03/GB/month), and Insights queries ($0.005/GB scanned) compound.
- There is no good way to export CloudWatch Logs to non-AWS tools. You end up building Lambda functions or Kinesis Firehose pipelines.
Migration Pain Assessment¶
| From → To | Effort | Risk | Timeline |
|---|---|---|---|
| ELK → Loki | Medium | Medium | 1-3 months |
| ELK → Splunk | Medium | Low | 1-2 months |
| Loki → ELK | Medium | Medium | 1-3 months |
| Splunk → Loki | High | Medium | 3-6 months |
| Splunk → ELK | Medium-High | Medium | 2-4 months |
| CloudWatch → Loki | Medium | Low | 1-2 months |
| CloudWatch → ELK | Medium | Low | 1-3 months |
Log migration is less about data migration (old logs can stay in the old system until retention expires) and more about pipeline reconfiguration, dashboard recreation, and alert rule migration. Run both systems in parallel during the transition.
The Interview Answer¶
"I'd pick Loki for K8s-native environments because it complements Prometheus and Grafana perfectly and keeps costs manageable by only indexing labels, not content. But if your team needs full-text search for security analytics or application debugging, ELK's inverted index is the right tool. The important thing is matching the query pattern to the storage model — Loki is 'find logs for this service in this time window,' ELK is 'find every log containing this error string across all services.' Splunk does both well but at a price that only enterprises can sustain."
Cross-References¶
- Topic Packs: Logging, Elasticsearch, Log Pipelines
- Related Comparisons: Metrics Platforms, Tracing Platforms, Alerting & Paging