Log Cost Autopsy

12 questions about your log analytics spend.
Answer them to estimate your volume waste and cost overhead.

Section 1: Volume Awareness

1. How many TB/day do you ingest into your primary log analytics platform?
   Check your vendor's usage or billing dashboard.
   Healthy: < 2 TB/day
   Warning: 2 – 5 TB/day
   Critical: > 5 TB/day

2. What percentage of your log volume comes from your top 5 event types?
   In many environments, the top 5 event types account for 50–80% of total volume.
   Healthy: < 50% (diversified)
   Warning: 50 – 80%
   Critical: > 80% (noisy neighbor)

3. Are health checks, heartbeats, or readiness probes logged at INFO level? At what volume?
   500 pods with 10-second health checks produce ~86 GB/month of zero-value logs.
   Healthy: No, or < 1% of volume
   Warning: 1 – 5% of volume
   Critical: > 5% of volume

4. How many distinct log structures (unique formats/shapes) does your environment produce?
   Healthy services emit fewer than 20 core log structures. Counts above 50 per service usually indicate schema sprawl.
   Healthy: < 50 total
   Warning: 50 – 150
   Critical: > 150

Section 2: Cost Structure

5. What's your current monthly spend on log ingestion/indexing?
   Include your primary vendor invoice (Splunk license, Datadog ingestion, ES compute + storage).
   Healthy: < $25K/month
   Warning: $25K – $100K/month
   Critical: > $100K/month

6. What's your effective $/GB? (Total monthly spend ÷ total monthly GB ingested)
   Above $1.50/GB is premium territory. Below $0.50 is achievable with optimization.
   Healthy: < $0.50/GB
   Warning: $0.50 – $1.50/GB
   Critical: > $1.50/GB

7. How much of your retention is compliance-driven vs. operationally useful?
   Compliance requires retention, not hot indexed access. S3 at $0.023/GB vs. $0.30–1.70/GB indexed.
   Healthy: < 30% compliance-only
   Warning: 30 – 60% compliance-only
   Critical: > 60% compliance-only

8. What's your log volume growth rate quarter-over-quarter?
   If log volume grows faster than 15–25% QoQ, especially faster than traffic growth, costs are outpacing value.
   Healthy: < 15% QoQ
   Warning: 15 – 30% QoQ
   Critical: > 30% QoQ

Section 3: Operational Drag

9. How many hours/week does your team spend maintaining parsing rules, grok patterns, or log pipelines?
   The true cost of log management is typically 1.5–3x the vendor invoice when you add engineering time.
   Healthy: < 2 hrs/week
   Warning: 2 – 8 hrs/week
   Critical: > 8 hrs/week

10. How often do parsing configs break when a team ships a new log format?
    Weekly breakage often means silent data loss is occurring without anyone noticing.
    Healthy: Quarterly or less
    Warning: Monthly
    Critical: Weekly or more

11. Have you evaluated any log optimization or pipeline tools in the last 12 months? What happened?
    Healthy: Evaluated and implemented
    Warning: Evaluated but stalled
    Critical: No evaluation

12. When is your next vendor renewal? Is there budget pressure to reduce costs before then?
    Rushed renewals with less than 3 months' lead time lock in 30%+ higher rates.
    Healthy: > 6 months away
    Warning: 3 – 6 months
    Critical: < 3 months + pressure

Your Results

Click a threshold for each question to see your score.

0 – 5: Healthy (< 10% overspend)
6 – 11: Warning (10 – 25% overspend)
12 – 17: High Risk (25 – 40% overspend)
18 – 24: Critical (40 – 60%+ overspend)