Loki vs Elastic vs Splunk

Three log backends. Decision criteria.

Loki

Loki is the cheap, Kubernetes-native option. Label-based indexing on object storage gives you single-digit dollars per GB/month at the cost of weaker full-text search.

• Label-based indexing. Indexes labels only; log content sits on object storage; $1-5/GB/month at typical retention.
• Best for K8s plus Grafana. Cost-sensitive Kubernetes-heavy fit; structured logs with label-based query patterns are the natural workload.
• Weak full-text trade-off. Content searches scan rather than index; query-time cost on long retention periods can be significant.
• Bounded label set per cluster. Curated labels preserve the cost model; uncurated labels send Loki cardinality the wrong direction.

Elasticsearch

Elasticsearch is the full-text option with a mature ecosystem. Powerful queries, the Kibana surface, and a rich plugin ecosystem at the cost of real operational complexity.

• Full-text search and ecosystem. Kibana, Beats, Logstash, ML features all integrate with the same cluster; mature operational pattern.
• Best for full-text and regulated industries. Mature Elastic operational practice fits regulated workloads with serious retention requirements.
• Cost $20-50/GB/month. Higher than Loki; operational complexity is real; Index Lifecycle Management policies are essential rather than optional.
• ILM policy per cluster. Hot/warm/cold tier management; without ILM the cluster bloats and queries slow.

Splunk

Splunk is the enterprise-scale, premium-priced option. Industry-standard at large enterprises with deep search capability and budget for it; the licence model rewards careful planning.

• Enterprise-grade and powerful. Industry-standard option at large enterprises; SPL is more expressive than most alternatives at scale.
• Best for orgs already on Splunk. Compliance-heavy and very-large-scale operations benefit; the licence justifies itself if you actually use the depth.
• Cost significantly higher. Daily-ingest pricing model; budget carefully and watch the ingest cap.
• Named ingest budget per org. Daily-ingest cap that on-call honours during incidents; surprise overages are the operational pattern that ends Splunk relationships.

Decision matrix

The pick is shape-driven. Kubernetes-heavy and cost-sensitive, mid-market with full-text needs, or enterprise with compliance scope each point to a different default answer.

• Cost-sensitive, K8s-heavy, on Grafana. Loki wins on TCO at Kubernetes scale; the limitations rarely matter for that workload shape.
• Mid-market with full-text needs. Elasticsearch's ecosystem pays back the operational cost; mature ELK practice handles most workloads cleanly.
• Enterprise with budget and compliance scope. Splunk for the compliance-and-scale combination; Elastic when Splunk cost is unjustified by usage.
• Documented driver per decision. "Why this stack" rationale captured; "we just kept what we had" produces lock-in nobody chose.