ELK / OpenSearch / Loki · Observability & Performance Deep Dive

Anatomy

The Pipeline

App emits log

→

Agent (Fluent Bit / Filebeat / Vector)

→

Buffer (Kafka / Redis)

→

Indexer (Elastic / OpenSearch / Loki)

→

Query UI (Kibana / OpenSearch Dashboards / Grafana)

Side-By-Side

Stack	Strength	Watch out for
ELK (Elasticsearch + Logstash + Kibana)	Mature, full-text search at scale, rich aggregations, alerts, ML add-ons.	License pivot to ELv2/SSPL in 2021; cluster ops are real work.
OpenSearch	Apache 2.0 OSS fork led by AWS; managed offering on AWS; mostly drop-in for ELK.	Versions diverging slowly from Elastic; some plugins differ.
Grafana Loki	Indexes only labels (cheap); stores chunks in S3-class object storage. Tight Grafana integration.	No full-text index — slow for needle-in-haystack searches without good labels.

Hard-Won Habits

Structured (JSON) logs. Lines like {"ts":..., "level":"error", "trace_id":...} beat free-text every time.
Correlation IDs / trace IDs on every log line — you'll thank yourself when you need to follow a request.
Sampling at high volume. Sample successful requests, keep all errors.
Sensitive-data filters at the agent — never log raw tokens, PII, full payloads.
Retention tiers. 7 days hot, 30 days warm, 90 days cold/object-store. Costs balloon if everything is hot.
Don't log inside hot loops. A stray log.info in a 100k req/s path can dominate your bill.

Tradeoffs

Logs are expensive. Index, store, and (in many platforms) ingest are all metered.
Search-everything sounds great until your bill or cluster crashes.
Self-hosting Elasticsearch at scale is a full-time platform-team responsibility.
"Just log it" is not observability. Pair with metrics + traces; don't make logs do all three.
Audit logs are different. Compliance retention & tamper-evidence belong on a separate path.

Continue