CloudWatch Logs Insights cost optimization (reduce GB scanned)

Logs Insights pricing is usually a function of GB scanned. To reduce cost, you reduce how many bytes your queries scan. The highest leverage fixes are almost always about query shape and log organization, not about deleting logs blindly.

Step 0: measure before optimizing

  • Identify the top 10 queries by GB scanned (dashboards + ad-hoc investigations).
  • Measure scanned GB/day for a representative week, including incident days.
  • Identify which log groups drive scanning (noisy vs high-signal).
Logs Insights cost Logs Insights pricing

High-leverage levers

  • Time-bound every query: avoid “last 30 days” defaults; start with 15–60 minutes and expand only if needed.
  • Filter early: restrict by service, path, status code, or request id before expensive parsing and sorting.
  • Split noisy logs: keep debug/verbose logs separate so you don’t scan them during normal operations.
  • Reduce repeated scans: dashboards should query small windows; incident playbooks should avoid scanning “all time” repeatedly.
  • Make queries reusable: save “golden queries” that are scoped and time-bounded to avoid ad-hoc broad scans.

Query patterns that usually scan less

  • Start narrow: 15 minutes, one log group, one service, then widen if the signal is missing.
  • Filter before parsing: restrict by a simple substring or status code early, then parse JSON fields.
  • Split debug logs: keep verbose logs in separate groups so normal queries don’t scan them.
  • Use “top N” sparingly: sorting large ranges can encourage bigger scans; scope first.

Example query shape (pseudocode):

fields @timestamp, @message
| filter @message like /ERROR/
| filter service = "payments"
| sort @timestamp desc
| limit 50

Operational guardrails

  • Dashboards: default to short windows (15m/1h) and avoid auto-refresh on long ranges.
  • Incident playbooks: prefer “narrow then widen” steps instead of repeated “search everything”.
  • Ownership: track who owns the top scanning dashboards and review them quarterly.

Common cost traps

  • Wide time ranges: scanning 7 days vs 1 hour can be a 168× jump in scanned GB.
  • Dashboards as scanners: auto-refresh dashboards can re-scan the same large dataset all day.
  • Unbounded search patterns: “find error anywhere” across all groups becomes expensive at scale.
  • Noisy log groups: high-volume success logs dominate scan volume for simple questions.

Validation checklist

  • For every “optimized query”, compare scanned GB before vs after.
  • Confirm dashboards are time-bounded and do not scan long ranges on auto-refresh.
  • Confirm noisy logs are separated or sampled so routine queries scan high-signal data.
  • After changes, validate incident workflows still work (debug ability preserved).

Sources

Related guides

CloudWatch Logs Insights pricing: what to model (GB scanned)
A practical Logs Insights pricing checklist: the core unit is GB scanned. Model scanned GB from query habits, avoid dashboard re-scan traps, and validate with a measured baseline.
Estimate Logs Insights scanned GB (from query habits)
How to estimate CloudWatch Logs Insights cost: model GB scanned per query, query frequency, and time range. Includes a quick calculator workflow and common pitfalls.
AWS CloudWatch Metrics Pricing & Cost Guide
CloudWatch metrics cost model: custom metrics, API requests, dashboards, and retention.
CloudWatch dashboards pricing: what to include (dashboard-month + API)
A practical guide to CloudWatch dashboard costs: dashboard-month charges plus the hidden drivers (metrics API requests, alarms, and high-cardinality metrics).
CloudWatch metrics cost optimization: reduce custom metric sprawl
A practical playbook to reduce CloudWatch metrics costs: control custom metric cardinality, right-size resolution, reduce API polling, and validate observability coverage.
Estimate CloudWatch metrics API requests (dashboards and polling)
How to estimate CloudWatch metrics API request volume for cost models: derive requests from dashboards and tooling polling, include refresh rates, and validate with measured usage.

Related calculators

Log Cost Calculator
Estimate total log costs: ingestion, storage, and scan/search.
Log Ingestion Cost Calculator
Estimate monthly log ingestion cost from GB/day or from event rate and $/GB pricing.
Log Retention Storage Cost Calculator
Estimate retained log storage cost from GB/day, retention days, and $/GB-month pricing.
Log Search Scan Cost Calculator
Estimate monthly scan charges from GB scanned per day and $/GB pricing.
Metrics Time Series Cost Calculator
Estimate monthly metrics cost from active series and $ per series-month pricing.
CloudWatch Metrics Cost Calculator
Estimate CloudWatch metrics cost from custom metrics, alarms, dashboards, and API requests.

FAQ

What drives Logs Insights cost?
GB scanned by queries. Frequent broad queries over long time ranges are the fastest way to create a large bill.
How do I reduce GB scanned without losing debug ability?
Make queries time-bounded, filter early, split noisy logs into separate groups, and avoid dashboards that re-scan large ranges continuously.
Last updated: 2026-01-27