CloudWatch Logs Insights cost optimization (reduce GB scanned)

Reviewed by CloudCostKit Editorial Team. Last updated: 2026-01-27. Editorial policy and methodology.

Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.


Optimization starts only after you know whether wide time ranges, repeated dashboards, noisy log-group scope, or incident query behavior are the real Logs Insights cost driver; otherwise teams trim the wrong query path. This page is for production intervention: time-range control, query-shape cleanup, log-group scope reduction, dashboard guardrails, and repeat-scan discipline.

Do not optimize yet if the model is still weak

  • If you do not know what belongs inside the Logs Insights bill, go back to the pricing guide.
  • If you do not know whether dashboards, ad-hoc queries, or incidents dominate scan spend, go back to the estimate guide.
  • If you only know that the bill is high but cannot name the dominant scan pattern, avoid broad changes for now.

Step 0: measure before optimizing

  • Identify the top 10 queries by GB scanned (dashboards + ad-hoc investigations).
  • Measure scanned GB/day for a representative week, including incident days.
  • Identify which log groups drive scanning (noisy vs high-signal).

High-leverage levers

  • Time-bound every query: avoid “last 30 days” defaults; start with 15–60 minutes and expand only if needed.
  • Filter early: restrict by service, path, status code, or request id before expensive parsing and sorting.
  • Split noisy logs: keep debug/verbose logs separate so you don’t scan them during normal operations.
  • Reduce repeated scans: dashboards should query small windows; incident playbooks should avoid scanning “all time” repeatedly.
  • Make queries reusable: save “golden queries” that are scoped and time-bounded to avoid ad-hoc broad scans.

Query patterns that usually scan less

  • Start narrow: 15 minutes, one log group, one service, then widen if the signal is missing.
  • Filter before parsing: restrict by a simple substring or status code early, then parse JSON fields.
  • Split debug logs: keep verbose logs in separate groups so normal queries don’t scan them.
  • Use “top N” sparingly: sorting large ranges can encourage bigger scans; scope first.

Example query shape (pseudocode):

fields @timestamp, @message
| filter @message like /ERROR/
| filter service = "payments"
| sort @timestamp desc
| limit 50

Operational guardrails

  • Dashboards: default to short windows (15m/1h) and avoid auto-refresh on long ranges.
  • Incident playbooks: prefer “narrow then widen” steps instead of repeated “search everything”.
  • Ownership: track who owns the top scanning dashboards and review them quarterly.

Common cost traps

  • Wide time ranges: scanning 7 days vs 1 hour can be a 168× jump in scanned GB.
  • Dashboards as scanners: auto-refresh dashboards can re-scan the same large dataset all day.
  • Unbounded search patterns: “find error anywhere” across all groups becomes expensive at scale.
  • Noisy log groups: high-volume success logs dominate scan volume for simple questions.

Validation checklist

  • For every “optimized query”, compare scanned GB before vs after.
  • Confirm dashboards are time-bounded and do not scan long ranges on auto-refresh.
  • Confirm noisy logs are separated or sampled so routine queries scan high-signal data.
  • After changes, validate incident workflows still work (debug ability preserved).

The safest loop is measure, change one query or dashboard lever, re-measure scanned GB, then confirm the cost fell where you expected instead of just shifting searches elsewhere.

Sources


Related guides

CloudWatch Logs Insights pricing: what to model (GB scanned)
A practical Logs Insights pricing checklist: the core unit is GB scanned. Model scanned GB from query habits, avoid dashboard re-scan traps, and validate with a measured baseline.
Estimate Logs Insights scanned GB (from query habits)
How to estimate CloudWatch Logs Insights cost: model GB scanned per query, query frequency, and time range. Includes a quick calculator workflow and common pitfalls.
AWS CloudWatch Metrics Pricing: Custom Metrics, API Requests, Dashboards, and Resolution
Understand AWS CloudWatch metrics pricing through custom metrics, metrics API requests, dashboards, high-resolution usage, and the alarm or external observability costs that belong beside the metrics bill.
CloudWatch dashboards pricing: what to include (dashboard-month + API)
Estimate CloudWatch dashboard pricing by separating dashboard-month charges from metrics API requests, alarms, and high-cardinality metric volume so dashboard sprawl is not mistaken for one simple fixed fee.
CloudWatch metrics cost optimization: reduce custom metric sprawl
A practical playbook to reduce CloudWatch metrics costs: control custom metric cardinality, right-size resolution, reduce API polling, and validate observability coverage.
Estimate CloudWatch metrics API requests (dashboards and polling)
How to estimate CloudWatch metrics API request volume for cost models: derive requests from dashboards and tooling polling, include refresh rates, and validate with measured usage.

Related calculators


FAQ

What drives Logs Insights cost?
GB scanned by queries. Frequent broad queries over long time ranges are the fastest way to create a large bill.
How do I reduce GB scanned without losing debug ability?
Make queries time-bounded, filter early, split noisy logs into separate groups, and avoid dashboards that re-scan large ranges continuously.

Last updated: 2026-01-27. Reviewed against CloudCostKit methodology and current provider documentation. See the Editorial Policy .