by OldOneEye 1720 days ago
At high volumes, at my job, we have yet to find a good third-party log SaaS that not only performs better than self-managed Elastic but actually performs well enough to be used at all.

New Relic could not handle the query side of having around 5+ TB of logs per day (I know, a ludicrous amount of logs, but that's what it is). Their architecture does not really allow for that. For small volumes I guess it would be enough. Ingesting them it did fine; querying them within a reasonable time frame without a timeout is where it couldn't handle the high volume.

Also, their support service, while they were trying to win us over (that is, at their best), was nothing really stellar, favouring sending us sales/presales people to solve technical problems.

It didn't leave us a good aftertaste.


Not advocating for this decision, but did you investigate Splunk? In my experience, that’s the paid logging service that competes with ELK. It will be expensive, so you have to consider the total cost of ownership (e.g., ELK requires some experienced people to run it at your volumes) but it works AFAIK.

There's expensive and then there's Splunk.

But you get what you pay for. Splunk will handle your load unless you're Google.

I love Splunk. Our clusters process 10s of billions of structured log events daily. We have search, reports, PagerDuty integration, dashboards, etc. It is crazy expensive but is the best system I've used in this space. We are having to save costs with so much data, so we are lowering retention time and moving data older than a week to Snowflake. More and more, we are leveraging Looker for reporting out of Snowflake and relying more on Prometheus monitoring for alerting. But Splunk would still be my ideal service if we had less total data.

I second that. I love Splunk as well.

Costs can also be reduced by spending some development effort on abbreviating logs and being smart about deciding what to log and where.

> Our clusters process 10s of billions of structured log events daily.

What's that run you?

> there's expensive and then there's splunk.

This got me curious, so OK: Splunk's pricing pages are very obtuse and they are really pushy about getting you to contact sales directly to get bled, but I managed to get to this "actually has a number in it" page for their Log Observer services[0], and... it looks cheaper than New Relic, especially at scale?

NR charges $0.25 per ingested GB after the first 100 free GB; Splunk apparently only charges a flat $0.10, if you choose ingest pricing.

I guess that NR includes (a free tier of) a bunch of alerts, monitoring etc. features in their package, while they're separate packages for Splunk. Still, that doesn't seem wildly expensive at a glance. Where's the catch?

[0] https://www.splunk.com/en_us/software/pricing/faqs/devops.ht...

The primary issue with using Splunk is that pretty much all other solutions will seem inferior. Great product, terrible business partner.

Yep. We’re using Splunk with TBs of logs a day and it’s been great.

> At high volumes, at my job, we have yet to find a good third-party log SaaS that performs

Not even just performance; the costs are always astronomically higher too.

I think for slightly lesser volumes Sumologic can be a choice. The kinds of search queries, regex, and capture options give the feel of log parsing on a *nix box.