The log backend decision shapes ops cost more than almost any other observability choice. Elastic was the default for a decade; Loki and ClickHouse-based stacks (SigNoz, Plausible-style) shifted the trade-off in 2024-2026. Pick by knowing what each is optimized for.
Elastic — full-text search default
Inverted index on every field. Lightning-fast for 'find logs matching string X'. Storage cost: 1-3x raw log volume. Index management is the ops burden. Right for: investigation-heavy SREs, security search, low-cardinality data.
Loki — label-indexed, log-blob-stored
Indexes labels only; stores log lines as compressed blobs. Storage cost: ~0.3x raw (with chunks). Query: filter by labels, then grep the blobs. Right for: high-volume logging where you mostly query by service/env labels and only sometimes drill into content.
ClickHouse — columnar, SQL-queryable
Columnar storage with high compression. Storage cost: ~0.1-0.2x raw. Query: SQL — joins, aggregations, time-series math, full-text via skip indexes. Right for: aggregation-heavy 'how many 500s by route in last hour' queries.
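An added example, not from the original page or from any project it names: a ClickHouse log table with a token bloom-filter skip index, followed by the two query shapes described above (the per-route aggregation and a skip-index-backed text search). The table name, column names, index parameters and the search token are assumptions made for illustration.

```sql
-- Hypothetical schema: table name, columns and index sizing are assumptions.
CREATE TABLE logs
(
    ts       DateTime64(3),
    service  LowCardinality(String),  -- dictionary-encoded, cheap to filter on
    env      LowCardinality(String),
    route    String,
    status   UInt16,
    message  String,
    -- Skip index: a per-granule bloom filter over the tokens in message.
    -- It lets ClickHouse skip granules that cannot contain a token;
    -- it is not an inverted index and does not rank results.
    INDEX message_tokens message TYPE tokenbf_v1(32768, 3, 0) GRANULARITY 4
)
ENGINE = MergeTree
PARTITION BY toDate(ts)
ORDER BY (service, env, ts);

-- 'How many 500s by route in the last hour': reads only the ts, status
-- and route columns, which is where the columnar layout pays off.
SELECT
    route,
    count() AS errors
FROM logs
WHERE ts >= now() - INTERVAL 1 HOUR
  AND status = 500
GROUP BY route
ORDER BY errors DESC;

-- Content drill-down: hasToken() can use the tokenbf_v1 index to prune
-- granules before scanning. 'timeout' is a constructed sample token.
SELECT ts, service, message
FROM logs
WHERE ts >= now() - INTERVAL 1 HOUR
  AND service = 'checkout'            -- constructed sample service name
  AND hasToken(message, 'timeout')
ORDER BY ts DESC
LIMIT 100;
```

Running the text search with `EXPLAIN indexes = 1` shows whether the skip index actually pruned granules, which is the check to make before relying on it for investigation-style queries.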
Cost picture at 10TB/day
Elastic: ~$50K-100K/mo cluster cost. Loki: ~$5K-15K. ClickHouse: ~$5K-20K. The order-of-magnitude difference is the whole story for budget-constrained ops.
When NOT to switch
If your team is fluent in Kibana, has runbooks built around Elastic queries, and budget isn't the constraint — Elastic remains fine. Migration cost is real (queries, dashboards, alerts to rewrite).