Log Ingestion Controls Explained

Log ingestion controls are tools that help businesses manage the flow of log data into systems like Datadog. For small and medium-sized businesses (SMBs), these controls help reduce costs, improve performance, and meet compliance requirements. Without them, businesses risk high expenses and system overload due to the massive volume of logs generated daily.

Here’s what you need to know:

• Cost Management: Datadog’s pricing can escalate quickly. For example, ingesting logs starts at $0.10 per GB per month, while indexing costs $1.06 per million log events. Controls like exclusion filters and sampling reduce unnecessary spending.
• System Performance: Tools like rate limiting and throttling prevent log surges from overwhelming your system while ensuring critical data is captured.
• Compliance Needs: Retention policies help store logs for required durations, ensuring regulatory standards are met without overloading storage.

Datadog’s features, such as Logging without Limits™, allow all logs to be ingested upfront and filtered later, offering flexibility to manage costs and access critical data. SMBs can optimize budgets by prioritizing important logs, using exclusion filters, and leveraging cost-effective options like Flex Logs.

Key Takeaway: Effective log ingestion controls ensure SMBs can monitor systems efficiently while keeping costs under control.

Using Log Patterns to Create Log Exclusion Filters | Datadog Tips & Tricks

Log Ingestion Controls in Datadog

Datadog provides tools to help small and medium-sized businesses manage log flow efficiently. These controls work together to prevent system overload, keep costs in check, and ensure that essential data remains accessible while filtering out unnecessary logs. Below, we’ll break down each control and how it contributes to managing log ingestion.

Rate Limiting

Rate limiting sets a cap on the number of logs that can be sent within a specific time frame, such as per second or per minute. This prevents sudden surges in log volume from overwhelming your system or leading to unexpected expenses.

To make the most of rate limiting, it’s important to understand your typical log patterns. Log throughput often fluctuates, so establishing clear thresholds for different scenarios - like normal, moderate, and peak traffic - can help you maintain a steady flow. This approach ensures your system can handle temporary spikes without exceeding predefined limits.

Throttling

Throttling works differently from rate limiting by temporarily slowing down log ingestion during high-volume periods instead of outright rejecting logs. This dynamic control helps maintain system stability while still capturing critical data.

Throttling becomes especially useful during events like incidents or deployments, where log output tends to spike. For businesses dealing with unpredictable traffic or seasonal surges, throttling ensures that essential logs are ingested without compromising system performance.

Exclusion Filters

Exclusion filters allow you to specify which logs should be excluded from ingestion or indexing, helping reduce storage costs. Even though these logs aren’t stored in searchable indexes, they can still be used for metrics or archival purposes via Livetail.

By default, logs matching an index’s filter are ingested, but exclusion filters can be configured to omit non-critical data. For example, in development environments, environment variables like IS_PULL_REQUEST or RENDER_SERVICE_ID can help decide whether certain logs should be sent. This strategy ensures visibility without overloading your system with unnecessary data.

Indexes and Retention Policies

Indexes and retention policies further refine how logs are stored and analyzed after filtering. These tools determine which logs are indexed for analysis and how long they’re retained, balancing cost and performance.

Different types of logs may require different retention periods. For instance, security logs might need to be stored longer to meet compliance standards, while debug logs may only be needed for a short time. Creating separate indexes with customized retention policies ensures that each log type is stored appropriately without incurring extra expenses.

Datadog’s Logging without Limits™ adds another layer of flexibility, allowing teams to adjust policies as business needs change.

How Log Ingestion Controls Work in Datadog

Understanding how logs move through Datadog's system is key to managing volume, cost, and performance effectively. Let’s break down the process and the tools Datadog offers to help you stay in control.

Log Collection to Ingestion Process

Datadog’s design separates ingestion from indexing, which allows for efficient collection, processing, and storage without requiring every log to be indexed. This architecture is built to handle massive data volumes, so you can send terabytes of logs daily without worry.

When logs enter the system, they go through multiple processing stages. Datadog supports pre-configured parsing for over 200 log sources, making it easier to enrich and tag logs right away. These tags help with role-based access control, cost tracking, and usage monitoring. Once processed, you can decide which logs to index for activities like faceted search, dashboards, or correlating with other monitoring data. Logs that aren’t indexed are stored in long-term cloud archives, saving costs compared to traditional logging solutions that require upfront provisioning for daily log volumes.

For real-time monitoring, Datadog offers Live Tail, which streams logs across your infrastructure as they’re generated. This structured pipeline sets up the foundation for advanced features like filtering and the Logging without Limits™ system.

Logging without Limits™ Overview

Datadog’s Logging without Limits™ takes log management to another level. As Datadog describes:

"Logging without Limits™ means that you no longer have to choose which logs to collect, and which logs to leave behind - you can cost-effectively collect them all."

This model allows you to ingest all logs upfront and apply filters later, giving you the flexibility to adapt your strategy as your business evolves. You can decide which logs to index immediately and which to archive for long-term storage. Filters can be adjusted in real time, including sampling rates, to manage which logs are indexed and control costs.

For cost-conscious users, Datadog offers enriched log archiving at no extra charge. If you need to retrieve archived logs, Log Rehydration is available at $1.27 per million rehydrated events, while Log-Based Custom Metrics start at $5 per 100 metrics. This pricing structure ensures you’re only paying for what you need - whether it’s accessing historical data or generating metrics for deeper analysis.

Renaud Boutet, Datadog’s VP of Product Management, highlights the value of this approach:

"We built Datadog Log Management for efficient use of log data for our customers. Logging without Limits was the first step in unlocking the ability to collect all logs with real-time filtering, and with the addition of Log Rehydration and Log-Based Custom Metrics, we are unlocking many new ways to use logs in extremely cost-effective ways."

This flexibility is particularly useful for small and medium-sized businesses (SMBs), where log volumes often grow by 200–300% annually without proactive management. With Logging without Limits™, you can handle this growth without a matching rise in indexing costs, ensuring you keep control over which logs are searchable immediately and which are archived for future use.

Log Ingestion Controls for SMBs

Small and medium-sized businesses (SMBs) often face unique challenges with log management when using Datadog. Limited budgets paired with increasing infrastructure demands make it crucial to find ways to balance effective monitoring with cost efficiency. By implementing smart controls, SMBs can reduce expenses without sacrificing the quality of their monitoring.

Optimizing Monitoring Budgets

One of the most effective ways for SMBs to manage Datadog costs is by filtering out unnecessary logs. Log retention filters can automatically discard logs with minimal value, such as heartbeats or debug messages, before they are indexed. Similarly, exclusion filters can block logs from non-essential environments, like development or testing, from being ingested.

Another cost-saving method is log sampling, which minimizes expenses for high-volume services by retaining only a portion of routine logs while ensuring critical error logs are fully ingested. For older or less critical data, consider moving logs to Datadog's Log Archives using Amazon S3.

Here are a few additional strategies to reduce costs:

• Log Management: Use Flex Logs for high-volume data at $0.05 per million logs.
• Data Transfer: Opt for PrivateLink over NAT Gateways to save on transfer costs.
• Container Monitoring: Pre-pay for containers at $1 per container per month.

To further trim expenses, reduce high-cardinality tags and regularly audit unused metrics using Datadog's Metric Summary page. Committing to annual billing instead of monthly payments can save up to 20%. Regularly reviewing invoices can also help identify and eliminate unnecessary spending.

Beyond cost savings, prioritizing critical logs ensures that essential data is always accessible when needed.

Prioritizing Critical Logs

Critical logs should always take precedence to ensure key data is immediately indexed, while less important logs can be stored in archives. To streamline this process, tag your logs with relevant details like sources, associated teams, and tiering information. This makes it easier to analyze costs and make informed routing decisions.

Implement a tiered logging strategy to route low-priority logs directly to archival storage while sending high-priority logs to Datadog for immediate indexing and analysis. Adjust storage and retention policies based on specific use cases to ensure you’re only paying for the level of access you actually need.

This approach works seamlessly with Datadog's Logging without Limits™ feature, allowing you to collect all logs upfront and selectively index them based on business priorities.

Using the Log Management - Estimated Usage Dashboard

Once filters and sampling rules are in place, use Datadog's Log Management - Estimated Usage Dashboard to monitor their impact. This dashboard provides real-time insights into log volume trends, helping you catch unexpected spikes before they lead to higher bills.

Set alerts to detect sudden increases in log volume, which could indicate new services, configuration changes, or application issues. Use the dashboard to measure the effectiveness of exclusion filters and sampling rules, quantifying the cost savings they deliver.

For SMBs with dynamic environments, consumption-based pricing models can be especially beneficial. The dashboard helps ensure your pricing model aligns with actual usage, offering valuable insights for future budget planning.

Best Practices for Managing Log Ingestion in Datadog

Managing logs efficiently in Datadog isn’t just about visibility - it’s also about keeping costs under control. By following a few key practices, SMBs can strike the right balance between performance and predictable expenses.

Review Log Volumes Regularly

Understanding where your log budget is going is step one. Break down your log usage to see how each type aligns with your business priorities. This clarity helps you decide which logs should be immediately indexed and which can be stored for later use.

Use tags like source, team, and tier (e.g., hot, warm, cold, debug, compliance) to make cost analysis and routing easier. This tagging system works seamlessly with Datadog’s log ingestion tools.

Set up alerts for usage metrics by service or source to catch unexpected spikes early. These alerts act as a safeguard, helping you avoid budget surprises. Daily quotas and warning thresholds for each index can also help you monitor usage spikes. Additionally, rule-based quotas can prevent sudden surges from overwhelming your storage.

Set Up Exclusion Filters

Filtering out unnecessary logs is a game-changer. Exclusion filters let you remove low-value or noisy logs from indexes while still keeping them accessible via Livetail or for metrics generation and archival.

Datadog’s Log Patterns feature simplifies this process by identifying groups of low-value logs and generating queries automatically. You can then use these queries to create exclusion filters, limiting the indexing of logs that don’t add much value.

Another tip: filter out redundant data and standardize elements like dates, times, and IPs before logs are transmitted. This edge-level filtering reduces the amount of data sent and stored, which directly lowers costs.

Optimize Retention Policies

Not all logs are created equal, so only keep the ones that matter. A tiered logging strategy can help: send low-priority logs to archives like Amazon S3, Google Cloud Storage, or Azure blob storage, while routing critical logs to Datadog’s hot or warm storage for immediate access.

For more precise control, tailor retention and indexing policies to each log type and storage solution. This way, you’re only paying for the access level your business actually needs. Datadog’s built-in rollups are another tool for cutting costs - store only essential summaries of historical metrics instead of retaining every detail indefinitely.

Use Flex Logs for Occasional Queries

When you need to keep high volumes of data but don’t need frequent access, Flex Logs can be a cost-effective option. At just $0.05 per million logs per month, they’re ideal for compliance logs, debug data, or historical records that aren’t queried often.

For logs that don’t require detailed metadata or regular searches, consider converting them into metrics. This approach preserves analytical value while significantly reducing storage costs.

Flex Logs also shine for long-term retention of high-volume data where immediate searchability isn’t a priority. The cost savings compared to standard indexing can be substantial, especially for SMBs managing routine operational data.

To further optimize, use a log aggregation tool to reduce the volume of logs sent to Datadog. Techniques like deduplication, sampling, quotas, and log-to-metrics conversion at the edge can give you greater control over what data reaches Datadog’s billable services.

Key Takeaways

Balancing thorough monitoring with manageable costs is essential for small and medium-sized businesses (SMBs) managing log ingestion.

Understand your data to manage expenses effectively. Regularly reviewing log volumes and applying smart filtering can significantly cut costs without losing critical insights. As Prakash Janakiraman, Co-Founder and Chief Architect at Nextdoor, shares:

"Datadog's ability to filter the exact logs we need, and retain what's most valuable for specific time periods, has enabled us to cover everything within budget, allowing us to find and fix performance issues faster".

Datadog's adaptable architecture empowers SMBs to optimize their logging processes. Features like Flex Logs handle high-volume, low-frequency data, while exclusion filters and retention policies help teams focus on the most relevant information.

Automation and intelligent filtering make scaling easier. Jose Dalino Jr., Head of Engineering at Traveloka, emphasizes this:

"Datadog Flex Logs streamlined our log correlation with metrics, helping our engineers troubleshoot production issues faster. Its decoupled storage and compute streamlined log correlation, cutting costs and speeding up issue resolution".

These tools, combined with Datadog's automated filtering capabilities, enable growing businesses to scale their log management efficiently. By adopting tiered logging strategies, setting up alerts for usage spikes, and leveraging features like Log Patterns for automatic filter generation, SMBs can expand their monitoring without overburdening their teams or budgets.

Effective log ingestion controls can transform monitoring into a strategic asset. Aaron Mitti, Chief Software Architect at GE Transportation, highlights this shift:

"Datadog Log Management has changed the way we approach log ingestion and usage, allowing multiple teams to sustainably manage very large volumes of logs".

To make the most of their Datadog investment, SMBs should regularly monitor usage patterns, strategically apply filtering and retention policies, and utilize cost-efficient options like Flex Logs for less critical data. This thoughtful approach to log management allows SMBs to grow sustainably while maintaining control over their resources.

FAQs

How can exclusion filters in Datadog help SMBs reduce log ingestion costs?

Exclusion filters in Datadog help small and medium-sized businesses cut down on log ingestion costs by ensuring only essential logs are indexed. By filtering out logs that aren't crucial for monitoring, businesses can reduce the amount of data stored and processed, leading to noticeable cost savings.

This tool is particularly beneficial for SMBs aiming to manage their budgets efficiently while still keeping a close eye on system performance. By concentrating on the logs that truly matter, you can maintain effective monitoring without overspending.

What’s the difference between rate limiting and throttling in log ingestion controls?

Rate limiting establishes a maximum number of logs or traces that can be processed per second. It serves as a protective measure to ensure your system isn't overloaded by an influx of data.

Throttling works a bit differently. When the rate limit is hit, throttling temporarily slows down or pauses the intake of logs. This approach helps handle sudden surges in traffic without discarding valuable data.

Put simply, rate limiting sets a hard cap on data intake, while throttling dynamically manages the flow during traffic spikes to keep the system running smoothly.

How can SMBs manage log retention in Datadog to meet compliance needs while controlling costs?

Small and medium-sized businesses (SMBs) can streamline log retention in Datadog by prioritizing critical logs like error messages and security events for extended storage. Leveraging tiered storage options, such as Indexed Logs for quick access and Flex Storage for more affordable, long-term storage, allows businesses to strike a balance between performance and cost.

To keep expenses under control, focus on excluding less important logs, such as debug logs or routine health checks. Additionally, setting custom retention rules that align with your specific operational and compliance requirements can make a big difference. By matching retention periods to regulatory standards and concentrating on essential data, SMBs can maintain compliance while keeping storage costs under control.

Related posts

• How to Optimize Datadog for Your Business
• Avoiding Common Datadog Mistakes for SMBs
• How to Set Up Log Management in Datadog