Graylog vs Splunk
Self-host swap-in for Splunk.
Graylog is one of the open-source self-host replacements for Splunk. It is licensed under SSPL-1.0, takes 30min to stand up with docker-compose (Graylog + OpenSearch + MongoDB), and runs on a $30-100/mo VPS; OpenSearch is the heaviest component, so budget by daily ingest GB. Compare that against Splunk's Workload pricing from $1500/mo (5GB/day), with Enterprise rising to $20k+/mo at scale, in the table below.
| | Graylog (open-source) | Splunk (paid SaaS) |
|---|---|---|
| Category | Log management + SIEM | Log management + SIEM |
| License / pricing | SSPL-1.0 | Workload pricing from $1500/mo (5GB/day); Enterprise rises to $20k+/mo at scale |
| Starting price | $0 self-host | $1500/user/mo |
| GitHub | Graylog2/graylog2-server | closed source |
| Setup time | 30min docker-compose (Graylog + OpenSearch + MongoDB) | SaaS — sign up + bill |
| Monthly cost | $30-100/mo VPS — OpenSearch is the heaviest component; budget by daily ingest GB. | from $1500/user/mo (Workload pricing from $1500/mo (5GB/day); Enterprise rises to $20k+/mo at scale) |
Switching from Splunk to Graylog
Use the official compose at docs.graylog.org. Configure inputs (Syslog, GELF, Beats, raw TCP); Splunk's universal forwarder maps to Filebeat or NXLog shipping to Graylog's Beats input. Splunk SPL queries don't port, so rewrite them in Graylog's query language (Lucene syntax). Dashboards have to be rebuilt manually.
- Good fit for: Centralized log management for a single team or org with strong SIEM needs (built-in alerting, RBAC, audit trail).
- Weak at: OpenSearch ops overhead — sharding, snapshots, version upgrades are non-trivial at scale.
- License note: Graylog moved from GPL to SSPL in 2024; self-host is unrestricted, but reselling as a managed service is restricted.
In a terminal? npx os-alt splunk prints Splunk's self-host options.
FAQ
Is Graylog a free alternative to Splunk?
Yes — Graylog is open source under SSPL-1.0. Self-host cost: $30-100/mo VPS — OpenSearch is the heaviest component; budget by daily ingest GB. Splunk starts at $1500/user/mo (Workload pricing from $1500/mo (5GB/day); Enterprise rises to $20k+/mo at scale).
How long does Graylog take to set up vs Splunk?
Self-hosting Graylog: 30min docker-compose (Graylog + OpenSearch + MongoDB). Splunk is a hosted SaaS — sign up and you're in.
What is Graylog good at, and what is it weak at?
Good fit for: Centralized log management for a single team or org with strong SIEM needs (built-in alerting, RBAC, audit trail). Weak at: OpenSearch ops overhead — sharding, snapshots, version upgrades are non-trivial at scale.