observabilitydatabasescost-management

Architecting an Observability Pipeline Without Tool Bloat — Using ClickHouse as the Consolidation Layer

UUnknown

2026-03-02

10 min read

Practical guide to audit, consolidate, and centralize logs, metrics, and traces into ClickHouse to cut costs and simplify observability.

Stop the Sprawl: Consolidate Observability into a Single OLAP Layer with ClickHouse

Hook: If your team is drowning in alerts, paying multiple SaaS bills for overlapping telemetry, and spending more time integrating tools than improving applications, you have observability tool bloat. In 2026, teams are shifting from many point solutions to consolidated OLAP-based telemetry platforms — and ClickHouse is emerging as a practical consolidation layer for logs, metrics, and traces.

This article shows a pragmatic, audit-driven path to:

audit your current observability estate,
design an ingestion and schema strategy for ClickHouse, and
operate a cost-optimized, query-friendly observability pipeline that reduces tool and bill sprawl.

Why consolidate in 2026? Trends and signal

By late 2025 and into 2026, the market validated high-performance OLAP for telemetry: ClickHouse closed a large funding round, signaling strong adoption in analytics and telemetry use cases. Many organizations are rethinking expensive per-ingest SaaS pricing and tool fragmentation in favor of an owner-controlled OLAP layer that supports fast SQL analytics, retention controls, and tiered storage.

What consolidation buys you — immediate benefits for engineering and SRE teams:

Lower recurring costs — reduce per-GB SaaS ingestion fees by using commodity storage + ClickHouse compression.
Faster root-cause investigations — unified SQL across logs/metrics/traces avoids context switching and costly cross-product joins.
Predictable scaling — control retention policies, rollups, and tiering to plan infrastructure spend.
Eliminate integration drag — fewer agents, fewer exporters, simpler onboarding for dev teams.

Stage 1: Audit your observability estate

Before migrating anything, run a focused audit — this is where most consolidation projects succeed or fail. Treat the audit as a product discovery for telemetry.

Audit checklist (operational and financial)

Inventory — list agents, exporters, SaaS products (Splunk, Datadog, Sentry, New Relic, etc.), and how data flows between them.
Ingest volumes — measure GB/day by source (app logs, infra logs, APM traces, Prometheus metrics). Use a short sampling window (7–14 days) and include peak traffic.
Queries & dashboards — capture the top 50 dashboards and the queries behind them. Determine which require raw data vs rollups.
Retention policies — for each data type, note current retention, SLOs for lookback windows, and regulatory needs.
Cost mapping — match each SaaS bill to ingest volumes and query costs where possible.
Owner & workflow — who uses each tool and why? Are multiple teams using different tools for the same data?

Output: a matrix mapping data types to owners, retention, query patterns, volume, and cost. This drives what to move first.

Stage 2: Decide what to consolidate and what to keep

Not every tool must be replaced. Use the audit to prioritize low-friction, high-cost wins.

Prioritization rules

Replace tools that are high-cost per GB and low business-unique value.
Keep specialized tools that add unique functionality (e.g., deep RUM vendors if they provide proprietary SDK features you need).
Start with logs and metrics ingestion where SQL analytics and rollups provide the largest cost savings.

Stage 3: Design the ClickHouse consolidation layer

ClickHouse is not a black-box SaaS observability product — it’s an OLAP engine you can use as a durable, fast analytics store. Design for schema, ingestion, lifecycle, and query patterns.

Core design principles

Schema-on-write for hot queries — define columnar tables for common queries (SLOs, p95, error rates).
Materialized views and rollups — pre-aggregate high-cardinality metrics to reduce query cost.
Tiered storage — separate hot local SSD for recent data and object storage (S3) for cold archives.
Retention + TTLs — enforce lifecycle policies (hot 7–30 days, warm 30–90, cold archive to S3).
Use Kafka or a streaming buffer — decouple producers from ClickHouse for reliability and backpressure handling.

Example table designs

Logs (high cardinality free-text)

CREATE TABLE logs_raw (
    ts DateTime64(3),
    service String,
    host String,
    environment String,
    level String,
    message String,
    json_map String -- or Nested/Map if extracting fields
  ) ENGINE = MergeTree()
  PARTITION BY toYYYYMM(ts)
  ORDER BY (service, toDate(ts), level)
  SETTINGS index_granularity = 8192;

Notes: store raw text for the short hot window. Use a materialized view to extract fields and create a narrower analytics table for queries.

Metrics (timeseries)

CREATE TABLE metrics_agg (
    ts DateTime,
    metric String,
    service String,
    labels Nested(key String, value String),
    value Float64
  ) ENGINE = AggregatingMergeTree()
  PARTITION BY toYYYYMM(ts)
  ORDER BY (metric, service, ts);

Notes: ingest Prometheus-style samples and periodically collapse them into fixed-interval aggregates (1s/10s/1m) using materialized views.

Traces/spans

CREATE TABLE spans (
    ts DateTime64(3),
    trace_id FixedString(16),
    span_id FixedString(8),
    parent_id Nullable(FixedString(8)),
    service String,
    operation String,
    duration_ms Float64,
    tags Nested(key String, value String),
    raw_json String
  ) ENGINE = MergeTree()
  PARTITION BY toYYYYMM(ts)
  ORDER BY (service, toDate(ts), duration_ms DESC);

Notes: store normalized columns for common queries (p95, slow spans) while keeping raw_json for full reconstruct when needed. Consider storing traces that exceed an anomaly threshold and sampling the rest.

Stage 4: Build a resilient ingestion pipeline

Design ingestion to be resilient, low-latency for hot paths, and efficient for batch cold writes.

Recommended pipeline

Producers (app agents, OpenTelemetry SDKs, Prometheus, Fluentd/Fluent Bit)
Edge transformer (Vector recommended) — normalizes formats, extracts fields, applies sampling and enrichment
Streaming buffer (Kafka or Pulsar) — durable, ordered, scalable
ClickHouse consumers — either ClickHouse Kafka engine, or a connector/worker that writes via ClickHouse HTTP/Native protocol

Vector is particularly useful for normalization and rate-limiting before sending high-volume logs to Kafka or ClickHouse.

Example: Fluent Bit → Kafka → ClickHouse (HTTP insert)

# Fluent Bit output to Kafka (brief)
[OUTPUT]
    Name kafka
    Match *
    Brokers kafka1:9092
    Topic logs_raw

# Consumer writes to ClickHouse using a simple worker that batches JSONEachRow
curl -sS -X POST 'http://clickhouse:8123/?query=INSERT%20INTO%20logs_raw%20FORMAT%20JSONEachRow' \
    -H 'Content-Type: application/json' --data-binary @[batch-file].json

Use the ClickHouse Kafka table engine where appropriate to stream data directly from Kafka into MergeTree tables with materialized views.

Stage 5: Query patterns, SLOs, and dashboards

Design your queries to leverage ClickHouse strengths: vectorized execution, approximate aggregations, and fast group-bys at scale.

Common queries and SQL examples

Error rate and SLOs

SELECT
  toStartOfMinute(ts) as minute,
  sum(if(level = 'ERROR', 1, 0)) AS errors,
  count() AS total,
  errors / total AS error_rate
FROM logs_extracted
WHERE service = 'api' AND ts >= now() - INTERVAL 7 DAY
GROUP BY minute
ORDER BY minute DESC
LIMIT 100;

p95 latency from traces

SELECT
  toStartOfMinute(ts) AS minute,
  quantileExact(0.95)(duration_ms) AS p95_ms
FROM spans
WHERE service = 'payments' AND ts >= now() - INTERVAL 1 DAY
GROUP BY minute
ORDER BY minute DESC
LIMIT 200;

Use materialized views to precompute heavy aggregates (p50/p95/p99) per minute to accelerate dashboard queries.

Stage 6: Cost optimization tactics

Consolidation is only valuable if it reduces cost and complexity. These tactics keep the ClickHouse bill under control.

Compression — ClickHouse has efficient codecs (LZ4, ZSTD); pick ZSTD for higher compression on logs.
Tiered storage — place hot partitions on local NVMe and move older partitions to cheap S3 via ClickHouse storage policies.
Rollups — downsample raw metrics and logs after X days (e.g., 1s -> 1m) using materialized views.
Smart sampling — for traces, sample low-latency traces heavily and keep 100% of errors or traces above thresholds.
Delete rarely-used columns — don't store unneeded large blobs in hot tables; archive to object store instead.

Example TTL that moves data to S3 after 30 days:

ALTER TABLE logs_raw MODIFY TTL ts + INTERVAL 30 DAY TO DISK 's3_archive';

Operational concerns and pitfalls

ClickHouse is powerful, but not a drop-in replacement for every observability SaaS. Watch for these issues and mitigate them:

High-cardinality queries — unbounded cardinality (e.g., user_id as GROUP BY) can be costly; use pre-aggregation and tag cardinality limits.
Slow ad-hoc analysis — empower analysts with precomputed tables and query templates to avoid expensive scans.
Operational burden — running a distributed ClickHouse cluster requires expertise for replication, sharding, and backup strategies; consider managed ClickHouse if you lack staff.
Trace joins — joining traces and logs at scale can produce heavy shuffles; design tables to query by trace_id and time windows to limit scanned data.

Migration playbook — phased approach

Roll forward in small, measurable phases:

Pilot — move one non-critical service's logs and metrics to ClickHouse. Keep SaaS in parallel (dual-write) for 2–4 weeks and compare queries/costs.
Expand — add more services, traces for error cases only, and create materialized views for the top dashboards.
Optimize — tune partitions, compression, and retention; apply rollups and TTLs based on access patterns.
Decommission — after confidence, switch alerts/dashboards to ClickHouse queries and retire redundant SaaS subscriptions on a schedule.

Rollback and safety

Keep dual-write for a known window rather than a full cutover to mitigate risk.
Tag migrated dashboards and monitor query latency and cost in ClickHouse before full migration.
Maintain backups of raw partitions in S3 prior to destructive TTLs or deletes.

Example case study (composite, real-world patterns)

Acme Payments (composite) consolidated logs and metrics into ClickHouse in 2025–2026 as follows:

Audit showed 3 TB/day of logs with 70% duplicated metadata and a split across three SaaS vendors costing $90k/month.
Pilot moved 200 GB/day (non-critical services) into ClickHouse using Vector + Kafka; materialized views reduced query time by 10x.
After rollups and TTLs, Acme reduced hot storage by 60% and cut observability spend by 55% while improving mean time to detect by 40% thanks to unified queries.

"Consolidation didn’t mean losing features; it meant owning cost and focusing tool spend where it adds unique value." — Lead SRE, composite case

Security, compliance, and governance

When centralizing telemetry, control access and PII risks:

Use RBAC and network controls to restrict ClickHouse writes and reads.
Apply scrubbing/enrichment at the ingestion edge (Vector/OTel collector) to remove PII before it reaches the OLAP store.
Encrypt data at rest and in transit; use object storage encryption and ClickHouse disk-level encryption where available.
Implement auditing for queries that access sensitive fields.

Monitoring and scaling ClickHouse for telemetry

Monitor ClickHouse like any critical infra component:

Track ingestion lag from Kafka, merge queue sizes, and mutation/TTL job backlogs.
Measure query latency percentiles for dashboard SLAs.
Autoscale compute nodes for heavy reporting windows and then scale down for cost savings where possible.

Future-proofing: trends to watch in 2026+

Expect these trends to shape observability consolidation:

SQL-first telemetry — teams will prefer SQL for ad-hoc analysis and ML features on unified stores.
Open telemetry standardization — OTLP adapters and standard exporters will make ClickHouse ingestion pipelines easier.
Hybrid managed deployments — managed ClickHouse offerings will reduce operational risk for teams consolidating telemetry.
Cost-aware ingestion — tools that apply dynamic sampling, enrichment, and routing at the edge to minimize storage footprint.

Actionable takeaways

Start with a 14-day audit: measure GB/day, top dashboards, and SaaS spend to prioritize what to move.
Use Vector + Kafka + ClickHouse (with materialized views and TTLs) as a resilient, cost-effective pipeline.
Design tables with hot/warm/cold tiers, use rollups for high-cardinality metrics, and sample traces intelligently.
Keep dual-write for the pilot; retire SaaS subscriptions only after validated parity of metrics/dashboards.

Final recommendations

Consolidating observability into ClickHouse is not a magic bullet — but when executed with an audit-first approach, clear migration phases, and cost controls, it converts tool sprawl into a single, answerable telemetry platform. In 2026, ClickHouse’s ecosystem maturity and funding momentum make it a credible consolidation layer for teams that want SQL-based analytics, predictable costs, and control over their telemetry lifecycle.

Next step: run the 14-day observability audit matrix, pick a non-critical service for a pilot, and implement Vector → Kafka → ClickHouse ingestion with a two-week dual-write window.

Call to action

Ready to reduce costs and regain control of your telemetry? Contact sitehost.cloud for a tailored ClickHouse migration plan or explore our managed ClickHouse observability offering to accelerate consolidation with minimal operational risk.

Unknown

Contributor

Senior editor and content strategist. Writing about technology, design, and the future of digital media. Follow along for deep dives into the industry's moving parts.