Knowledge Library · datadog
Current Quality5/10?
Is Datadog Logs still strategic in 2027?
Direct Answer
YES — Datadog Logs is MORE strategic in 2027 than it was in 2024, not less. Logs has quietly become the data plane that makes the entire Datadog AI plane work: Cloud SIEM detections, Bits AI investigations, LLM Observability traces, and the new Workflow Automation engine all read from the same indexed log estate. Roughly 20-25% of revenue today, Logs is the connective tissue that lets Datadog cross-sell three SKUs off one ingest pipeline. The 4 reasons it stays strategic: (1) AI investigations need raw log context to be useful, (2) Cloud SIEM cross-sell is the cleanest land-and-expand motion in the portfolio, (3) named flagship customers (Samsung, Comcast, Whoop) are consolidating Splunk + ELK onto Datadog Logs, and (4) the per-event pricing layer (Flex Logs) finally fixed the volume-economics complaint. The 1 risk: open-source Loki + Cribl Stream are compressing per-GB pricing power from below — Datadog must either match Cribl-style routing or lose the volume-tier customer.
What Datadog Logs Is Today
- Ingest + Index + Archive — three-tier model with Flex Logs (queryable archive at archive prices) launched 2024 to compete with Cribl/Splunk SmartStore.
- ~20-25% of revenue — second-largest module after Infra, fastest-growing of the established SKUs.
- Feeds 6 downstream products — Cloud SIEM, Bits AI, LLM Obs, Audit Trail, Workflow Automation, Sensitive Data Scanner.
- Per-GB ingest + per-million-events index — pricing model that has drawn the most customer volume complaints historically.
- Live Tail + Logging Without Limits — the original "index what you query, archive the rest" architecture that defined the category.
Why Logs Becomes MORE Strategic In 2026-27
- AI investigations need log context — Bits AI cannot do root-cause without the full log stream; Logs is the substrate, not a side product.
- Cloud SIEM cross-sell — every Logs customer is a one-click Cloud SIEM upsell; Datadog's fastest-converting attach motion in 2025-26.
- LLM Observability — prompt/response logs are *log data*, indexed and searched through the same plane.
- Splunk Cloud renewals 2026-27 — Cisco price hikes are pushing mid-market Splunk customers to Datadog Logs as the consolidation target.
- Named flagship wins — Samsung, Comcast, Whoop, 1Password publicly consolidated Splunk + ELK onto Datadog Logs in 2024-25.
- Flex Logs fixed the volume problem — queryable archive at $0.05/GB blunts the Cribl pitch for cold-tier data.
The Competitive Threats
- Grafana Loki — open-source, label-based indexing, cheap object-store backend; eating the cost-conscious DevOps tier.
- Cribl Stream — sits in front of Datadog Logs and routes 40-60% of volume to S3, compressing Datadog's GB-billed revenue.
- Splunk Cloud (Cisco) — wounded but not dead; large enterprise renewals 2026-27 are battlegrounds.
- Microsoft Sentinel + Azure Monitor Logs — bundled into E5, free-ish for Microsoft-heavy estates.
- Elastic Cloud — open-core resurgence post-AGPL relicense; strong in EU + regulated verticals.
- AWS CloudWatch Logs Insights + OpenSearch — good-enough for AWS-only shops, free with the bill.
What Logs Needs To Win Through 2027
- Cribl-style native routing — let customers tier hot/warm/cold inside Datadog without Cribl in front; capture the routing margin.
- Bits AI natural-language log search — "show me 5xx spikes correlated with the deploy" without writing a query.
- Named-vertical Logs solutions — FedRAMP High Logs, PCI Logs, HIPAA Logs as packaged SKUs with pre-built parsers.
- Per-event pricing for high-cardinality logs — kill the per-GB complaint for K8s and microservice estates.
- Logs-to-Metrics + Logs-to-Traces — automatic correlation so Logs sells the Infra and APM upsell, not just SIEM.
- Open-telemetry log ingest at parity — own the OTel logs path so Loki cannot claim standards leadership.
Where Datadog Should Pivot Resources
- Flex Logs marketing — tell the volume-economics story louder; most prospects still think Datadog Logs is GB-priced only.
- Cribl-displacement playbook — sales motion specifically aimed at Cribl customers paying twice.
- Cloud SIEM bundling — make Logs + Cloud SIEM the default starter SKU for security teams.
- AI-native query layer — Bits AI as the primary log search interface, not a side tab.
- Federated search across archives — query S3/GCS/Azure Blob archives without rehydrating.
The Honest Bear Case
- Cribl + Loki compress per-GB pricing power — Datadog cannot hold $1.50/GB ingest indefinitely.
- OTel commoditizes the ingest path — agent lock-in weakens as customers standardize on OpenTelemetry collectors.
- Microsoft Sentinel bundling — E5 customers get "free" SIEM, hard to displace with a paid SKU.
- Splunk-on-Cisco gets aggressive on price — Cisco may discount Splunk Cloud 30-40% to retain the install base.
- Logs gross margin compression — storage tier price wars reach Datadog by FY27.
Logs Capability Scorecard
| Capability | FY26 Status | Strongest Competitor | FY27 Priority | Investment |
|---|---|---|---|---|
| Hot ingest + index | Leader | Splunk Cloud | Maintain | Medium |
| Cold archive (Flex Logs) | Strong | Cribl + S3 | Expand | High |
| Cloud SIEM attach | Leader | Microsoft Sentinel | Bundle harder | High |
| AI-native search (Bits AI) | Emerging | None yet | Ship to GA | Highest |
| Volume routing | Behind | Cribl Stream | Build native | Highest |
| OTel log ingest | At parity | Grafana Loki | Lead the spec | Medium |
| Per-event pricing | Partial | Honeycomb | Expand to all SKUs | High |
| Compliance Logs (FedRAMP/PCI/HIPAA) | Partial | Splunk Cloud | Vertical SKUs | High |
Logs Evolution Path
graph LR
A[Logs FY24<br/>per-GB ingest, index, archive] --> B[Flex Logs FY25<br/>queryable archive at archive price]
B --> C[Bits AI Logs Search FY26<br/>natural-language query]
C --> D[Native Routing FY26-27<br/>Cribl-style tiering inside DD]
D --> E[Cloud SIEM Bundle FY27<br/>Logs+SIEM as one SKU]
E --> F[Strategic Outcome 2027<br/>Logs is the data plane for AI plus SIEM plus Obs]
G[Threat: Loki + Cribl] -.compress per-GB.-> A
H[Threat: Splunk Cloud renewals] -.battleground.-> E
Bottom Line
Datadog Logs is not a mature module coasting toward commoditization — it is the substrate that makes Bits AI, Cloud SIEM, and LLM Observability work. The strategic question is not whether Logs stays relevant; it is whether Datadog can fight off Cribl + Loki on volume economics fast enough to keep the gross margin that funds the AI investments. Ship native routing, ship Bits AI search, bundle SIEM harder. The data plane wins the AI plane.
See also: [q1683 — Is Datadog overpriced for what you get?](/lab/cheap-100/q1683) · [q1684 — Can Datadog defend against Grafana?](/lab/cheap-100/q1684) · [q1693 — Is Datadog Cloud SIEM credible vs Splunk?](/lab/cheap-100/q1693)
Tags
datadog, logs, cloud-siem, cribl, grafana-loki, splunk-cloud, observability, log-management, bits-ai, flex-logs
Sources
- https://www.datadoghq.com/product/log-management/
- https://www.splunk.com/en_us/products/splunk-cloud-platform.html
- https://grafana.com/oss/loki/
- https://cribl.io/stream/
- https://www.forrester.com/report/the-forrester-wave-security-analytics-platforms-q4-2024/
- https://investors.datadoghq.com/news-releases/news-release-details/datadog-announces-first-quarter-2026-financial-results
- https://www.datadoghq.com/product/cloud-siem/
- https://docs.datadoghq.com/logs/log_configuration/flex_logs/
Download:
Was this helpful?
Sources cited
datadoghq.comhttps://www.datadoghq.com/product/log-management/splunk.comhttps://www.splunk.com/en_us/products/splunk-cloud-platform.htmlgrafana.comhttps://grafana.com/oss/loki/cribl.iohttps://cribl.io/stream/forrester.comhttps://www.forrester.com/report/the-forrester-wave-security-analytics-platforms-q4-2024/investors.datadoghq.comhttps://investors.datadoghq.com/news-releases/news-release-details/datadog-announces-first-quarter-2026-financial-resultsdatadoghq.comhttps://www.datadoghq.com/product/cloud-siem/docs.datadoghq.comhttps://docs.datadoghq.com/logs/log_configuration/flex_logs/Deep dive · related in the library
datadog · ae-quota-2027Will Datadog AEs hit quota in 2027?datadog · net-revenue-retentionWhat is Datadog net revenue retention in 2026?datadog · revenue-modelHow does Datadog make money in 2027?datadog · bits-aiIs Bits AI working for Datadog?datadog · growth-decelerationWhy did Datadog growth slow in 2024-25?datadog · splunk-comparisonWill Datadog beat Splunk in observability by 2027?datadog · 5b-playbookWhat is Datadog playbook for the next $5B in revenue?datadog · churn-mathWhat does Datadog churn math look like under AI pressure?datadog · bull-case-2027What is the bull case for Datadog 2027?datadog · bear-case-2027What is the bear case for Datadog 2027?More from the library
volume-cronWhat replaces Airtable's sequencing if AI agents handle outbound?volume-cronSnowflake vs Clari — which should you buy?salesloft · video-acquisitionShould Salesloft acquire a video tool in 2027?volume-cronShould Clari acquire Drift in 2027?outreach · bear-caseWhat is the bear case for Outreach 2027?volume-cronIs a Workato Sales Engineer role still good for my career in 2027?landscaping · small-businessHow do you start a landscaping business in 2027?creator-economy · content-businessHow do you start a content creation business in 2027?bakery · small-businessHow do you start a bakery business in 2027?volume-cronSnowflake vs Lavender — which should you buy?salesloft · cadence-relevance-2027Is Salesloft Cadence still relevant in 2027?volume-cron · machine-generatedWhat replaces SDR teams if AI agents replace SDRs natively?salesloft · sequencing-to-orchestrationShould Salesloft pivot from sequencing to AI orchestration?stripe · account-executiveIs a Stripe AE role still good for my career in 2027?outreach · org-structureWhat is Outreach right org structure in 2027?