
Self-host Splunk

Log management + SIEM · Category: observability & analytics

Splunk is the enterprise log-and-events platform — ingests gigabytes per day, indexes everything, runs SPL queries, drives alerts and dashboards. The self-hostable replacements all do log ingest + index + query + alert; the depth of Splunk's SIEM analytics and the breadth of its app marketplace are the parts that don't carry over for free.

Splunk pricing anchor: Workload pricing from $1500/mo (5GB/day); Enterprise rises to $20k+/mo at scale.

Graylog · Graylog2/graylog2-server · status: alive

GitHub: ★ 8.03k · last commit 1d ago · 2026 open issues
License: SSPL-1.0. Graylog moved from GPL to SSPL in 2024; self-host is unrestricted, but reselling as a managed service is restricted.
Setup time: 30min docker-compose (Graylog + OpenSearch + MongoDB)
Monthly cost: $30-100/mo VPS. OpenSearch is the heaviest component; budget by daily ingest GB.
Migration sketch. Use the official compose file from docs.graylog.org. Configure inputs (Syslog, GELF, Beats, raw TCP); Splunk's Universal Forwarder maps to Filebeat or NXLog shipping to Graylog's Beats input. Splunk SPL queries don't port; rewrite them in Graylog's Lucene-syntax query language. Dashboards must be rebuilt manually.
Good fit for: Centralized log management for a single team or org with strong SIEM needs (built-in alerting, RBAC, audit trail).
Weak at: OpenSearch ops overhead. Sharding, snapshots, and version upgrades are non-trivial at scale.

Grafana Loki · grafana/loki · status: alive

GitHub: ★ 28.2k · last commit today · 1693 open issues
License: AGPL-3.0
Setup time: 30min docker-compose (Loki + Promtail + Grafana)
Monthly cost: $10-50/mo VPS. Loki is index-light by design; storage backed by S3 stays cheap.
Migration sketch. Use the official `loki-stack` chart or compose. Promtail (or Grafana Alloy) replaces Splunk Universal Forwarder — ship logs from your hosts. LogQL replaces SPL: `{job="app"} |= "error" | json | level="error"` is the rough equivalent of `index=app error level=error`. Visualize and alert in Grafana.
Good fit for: Teams already running Prometheus/Grafana that want logs in the same UI without bringing up an ELK-class index.
Weak at: Free-text search across high-cardinality fields is slower than Elasticsearch/OpenSearch; Loki indexes labels, not content.

OpenObserve · openobserve/openobserve · status: alive

GitHub: ★ 18.8k · last commit today · 544 open issues
License: AGPL-3.0
Setup time: 15min single-binary or docker run
Monthly cost: $15-50/mo VPS; S3-backed storage scales independently of compute.
Migration sketch. `docker run -d -v $HOME/openobserve:/data -p 5080:5080 public.ecr.aws/zinclabs/openobserve:latest`. Ship logs via Fluent Bit, Vector, or OTLP collector. OpenObserve replaces both index and storage with columnar Parquet on S3 — order-of-magnitude cheaper at high ingest volumes than Splunk or OpenSearch. Built-in alerting + dashboards.
Good fit for: Cost-conscious teams ingesting >100GB/day who can't justify Splunk's per-GB price.
Weak at: Newer than Graylog/Loki, so fewer SIEM-specific features and a thinner third-party app ecosystem.

In a terminal? `npx os-alt splunk` prints this table.