Loki vs Elasticsearch for Logs: A Decision Framework
Logging tool choice is mostly about how you query. Loki and Elasticsearch optimize for different query shapes.
What each indexes
Loki indexes only labels (service, level, env). The log body is stored as compressed text and is not indexed. Queries filter by labels first, then grep the body.
Elasticsearch indexes everything by default. Queries are full-text searches on any field.
Query patterns where each wins
- Loki wins for ‘show me logs from service X with level=error in the last hour.’ Cheap because the index is tiny.
- Elasticsearch wins for ‘find any log mentioning user_id 12345 anywhere in the body.’ The index makes this fast.
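The two query shapes above can be modelled in a few lines. This is an added example, not code from Loki or Elasticsearch: the class names, the tokenizer and the sample logs are constructed for illustration, and "bodies scanned" stands in for query cost.

```python
import re
from collections import defaultdict

# Constructed sample logs: (service, level, body). Not real data.
LOGS = [
    ("checkout", "error", "payment declined user_id=12345 card=visa"),
    ("checkout", "error", "payment declined user_id=901 card=amex"),
    ("checkout", "info", "order placed user_id=777 total=19"),
    ("auth", "error", "login failed user_id=12345 reason=bad_password"),
    ("auth", "info", "login ok user_id=42"),
    ("auth", "info", "login ok user_id=12345"),
]

class LabelStore:
    """Loki-style model: only label sets are indexed; bodies are grepped."""
    def __init__(self, logs):
        self.streams = defaultdict(list)  # label set -> bodies
        for service, level, body in logs:
            key = frozenset({("service", service), ("level", level)})
            self.streams[key].append(body)

    def index_entries(self):
        return len(self.streams)

    def query(self, selector, needle=""):
        """Return (hits, bodies_scanned) for a label selector plus substring."""
        want, hits, scanned = set(selector.items()), [], 0
        for labels, bodies in self.streams.items():
            if want <= labels:  # an empty selector matches every stream
                scanned += len(bodies)
                hits += [b for b in bodies if needle in b]
        return hits, scanned

class FullTextStore:
    """Elasticsearch-style model: every token gets a posting list."""
    def __init__(self, logs):
        self.docs = [body for _, _, body in logs]
        self.postings = defaultdict(set)  # token -> doc ids
        for doc_id, (service, level, body) in enumerate(logs):
            for token in [service, level, *re.findall(r"\w+", body)]:
                self.postings[token].add(doc_id)

    def index_entries(self):
        return len(self.postings)

    def query(self, term):
        """Return (hits, bodies_scanned); the posting list avoids any scan."""
        ids = sorted(self.postings.get(term, ()))
        return [self.docs[i] for i in ids], 0
```

On this sample the label store holds 4 index entries and scans all 6 bodies to find the user ID, while the full-text store holds one entry per distinct token and answers the same question with no scan.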
The cost gap
Loki: 10-100x cheaper for storage because the index is small. It trades query flexibility for cost.
Elasticsearch: bigger index, faster ad-hoc search, higher storage bill.
At 100 GB/day: Loki $200-500/mo; Elasticsearch $1,500-3,000/mo.
When ClickHouse beats both
ClickHouse-based logging (Vector to ClickHouse, Quickwit) is the up-and-comer. Compressed columnar storage; SQL queries; very cheap and very fast.
Best when your team is comfortable with SQL and willing to operate ClickHouse.
Antipatterns
- Elasticsearch for low-budget teams. The bill arrives.
- Loki without a query strategy. Wide grep on huge bodies is slow.
- Three log backends in parallel. Pick one; commit.
What to do this week
Three moves. (1) Trial the candidate tool against one workload for two weeks. (2) Compare it against your current tool using the four criteria above. (3) Plan the migration only if the trial shows real wins, not theoretical ones.