OpenObserve

Open source observability platform for logs, metrics, traces, and real user monitoring — delivering 140x lower storage costs than Elasticsearch with a single binary you can run in under 2 minutes.

19.7Kstars
898forks
GNU AGPLv3
TypeScript

OpenObserve (O2) is a cloud-native, unified observability platform built to replace the fragmented tooling of Elasticsearch, Datadog, Splunk, and the Grafana stack with a single binary. It ingests and correlates logs, metrics, distributed traces, and Real User Monitoring (RUM) data across any infrastructure at petabyte scale.

The platform achieves 140x lower storage costs than Elasticsearch by combining Apache Parquet columnar storage with an S3-native architecture. Instead of replicating data across hot, warm, and cold Elasticsearch shards, OpenObserve writes compressed Parquet files directly to object storage — S3, GCS, Azure Blob, or local disk — and uses an intelligent caching layer to make queries fast without the hardware overhead.

Built in Rust for memory safety and raw performance, OpenObserve ships as a single stateless binary that can be stood up in under two minutes with a single Docker command and scale from a developer laptop to a cluster handling 2+ petabytes per day. The stateless design means horizontal scaling requires no coordination overhead, and disaster recovery is trivial because all state lives in object storage with 11-nines durability.

OpenObserve speaks OpenTelemetry natively for zero-vendor-lock-in ingestion alongside Elasticsearch-compatible APIs, Prometheus remote write, Loki-compatible endpoints, and Jaeger-compatible trace APIs — letting teams migrate existing instrumentation without rewriting pipelines. Queries use SQL for logs and traces, PromQL for metrics, and built-in JavaScript-based stream processing pipelines for real-time enrichment, redaction, and transformation on ingest.

What You Get

  • Unified telemetry ingestion for logs, metrics, traces, and RUM through a single platform with OpenTelemetry-native APIs and compatibility layers for Elasticsearch, Prometheus, Loki, and Jaeger
  • Apache Parquet + S3-native storage that cuts storage costs 140x versus Elasticsearch by using columnar compression and inexpensive object storage instead of hot/warm/cold index sharding
  • Single binary deployment that starts in under 2 minutes with one Docker command and scales the same binary to terabytes without cluster reconfiguration
  • SQL + PromQL query interface giving engineers a familiar query model for logs and traces (SQL) and metrics (PromQL or SQL), eliminating proprietary query language lock-in
  • Built-in stream processing pipelines for enrichment, PII redaction, log-to-metrics conversion, and data routing on ingest without external tools like Logstash or Fluentd
  • Real User Monitoring (RUM) with session replay capturing frontend performance, JavaScript errors, Core Web Vitals, and full user session recordings in the same platform as backend telemetry
  • 19+ dashboard chart types with drag-and-drop panel builders, variable templating, and support for 200+ visualization combinations for infrastructure, application, and business metrics
  • Anomaly detection and alerting with configurable thresholds across all telemetry signals, alert history, and notification integrations for Slack, PagerDuty, webhooks, and email

Common Use Cases

  • Replacing Elasticsearch/ELK stack for centralized log management while dramatically reducing storage and operational costs using Parquet-backed object storage
  • Unified observability for microservices correlating distributed traces, logs, and metrics in one platform to reduce context switching and identify performance bottlenecks
  • Frontend + backend monitoring combining RUM session replays and Core Web Vitals with backend traces to debug full-stack user experience issues end-to-end
  • Cost-driven Datadog migration for teams hitting Datadog’s per-host pricing ceiling who need a self-hosted, OpenTelemetry-native alternative with predictable per-GB costs
  • Kubernetes and cloud-native monitoring ingesting metrics from Prometheus exporters, traces from instrumented workloads, and logs from container stdout via the OpenTelemetry Collector
  • Security and compliance log archiving retaining raw logs in Parquet format on S3-compatible storage with fine-grained organization-level multi-tenancy and access control
  • LLM observability evaluating and tracing AI model requests and responses alongside application telemetry to monitor cost, latency, and quality in AI-powered products

Under The Hood

OpenObserve’s backend is written entirely in Rust using the Tokio async runtime, providing memory safety and near-zero garbage-collection overhead under sustained high-throughput ingestion. The architecture is intentionally stateless: ingester nodes write compressed Apache Parquet files to configurable object storage (S3, GCS, Azure Blob, or local disk) and metadata to a pluggable key-value store (etcd or nats), so any node can be killed and restarted without data loss or manual rebalancing.

The query engine builds on Apache Arrow and DataFusion for columnar vectorized execution over Parquet files. A multi-level caching system — in-memory result cache, on-disk file cache, and partition pruning based on time and stream metadata — reduces the search space by up to 99% for typical time-bounded queries, giving Elasticsearch-competitive query latency at a fraction of the storage cost. Metrics are stored and queried using the same Parquet pipeline, with a PromQL parser layered on top for compatibility with existing Grafana dashboards and alerting rules.

Stream processing pipelines are implemented using a VRL (Vector Remap Language)-inspired JavaScript engine embedded in the ingest path, enabling stateless per-record transformations — field enrichment, PII masking, log-to-metrics conversion, and routing — without an external processing tier. Distributed tracing ingestion handles OpenTelemetry OTLP, Jaeger Thrift, and Zipkin formats, persisting spans as structured Parquet rows and computing service graphs and flamegraph-compatible trace trees at query time.

What makes OpenObserve unique in the observability landscape is its combination of full observability signal breadth (logs + metrics + traces + RUM) in a single binary that operates identically from a laptop Docker container to a petabyte-scale HA cluster — without requiring separate Elasticsearch, Prometheus, Loki, and Tempo deployments. The enterprise tier adds federated Super Cluster search across geographic regions, SSO/SAML, RBAC with attribute-based access control, anomaly detection using machine learning, and compliance features — all gated behind a feature flag in the same binary.

Self-Hosting

OpenObserve offers an enterprise tier built on the same open source binary, activated via license key without a separate commercial distribution. Enterprise features include Super Cluster federated search across multiple regions and clusters, SSO integration with SAML and OIDC providers, attribute-based access control (ABAC) for fine-grained data isolation, machine learning-powered anomaly detection, ingestion tokens for per-agent rate limiting, LLM evaluation and observability tooling, and dedicated support SLAs. A managed cloud service at cloud.openobserve.ai provides a free tier with up to 200 GB/day ingestion and removes all infrastructure management overhead.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search