Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.

Splunk vs Datadog Cloud SIEM cost: 2026 comparison

Independent head-to-head cost comparison. Per-GB Splunk versus per-host-plus-per-GB Datadog at five host-and-volume profiles, five-year TCO, and where each vendor wins on consolidation versus depth. Updated May 2026.

Splunk model: Per-GB ingested. Plus ES separate licence.
Datadog model: Per-host + per-GB. Plus Cloud SIEM tiny line.
100h / 50GB: $140K vs $180K. Datadog wins, consolidation case.
500h / 50GB: Splunk wins. Per-host base inverts at scale.

Per-GB versus per-host: how the meters collide

Splunk and Datadog price on different axes, which makes the comparison structurally interesting. Splunk meters per gigabyte ingested, with a separate Enterprise Security licence covering SIEM analytics and content. Datadog meters per host (Infrastructure base) plus per-GB-ingested (Logs) plus per-analyzed-GB (Cloud SIEM) plus per-million-events (indexing tier). The meter mismatch means the comparison flips between Splunk-favoured and Datadog-favoured depending on the host-to-log-volume ratio of the specific environment.

For environments where logs originate primarily from hosts already paying for Datadog Infrastructure (engineering organisations, SaaS companies, cloud-native startups), the marginal Datadog Cloud SIEM cost is genuinely small and the consolidation argument compounds across the platform. For environments where logs originate from network appliances, SaaS audit logs, or external sources without corresponding Datadog hosts, the Datadog comparison loses its structural advantage and Splunk's per-GB economics win cleanly. The 50-host / 50-GB profile favours Datadog by roughly 30 percent; the 500-host / 50-GB profile inverts and favours Splunk by a similar margin.

Detection content depth is the second axis, and here Splunk maintains a structural advantage. Splunk Enterprise Security plus the broader content ecosystem (premium content packs, ITSI integration, community apps, mature SOAR add-on) delivers investigation depth that Datadog Cloud SIEM does not yet match. For mature SOCs where this depth is the binding constraint, the licence cost comparison is secondary. For SOCs whose detection content is broadly portable or built de novo, the licence savings can drive the migration.

Same environment, both vendors

| Profile | Splunk Cloud + ES | Datadog all-in | Winner | Note |
|---|---|---|---|---|
| 50 hosts, 25 GB/day | $80K | $58K | Datadog | Datadog wins on combined platform if hosts already paid |
| 100 hosts, 50 GB/day | $175K (with ES) | $120K-$160K | Datadog | Cloud SIEM line tiny; indexed-log line dominates Datadog bill |
| 200 hosts, 50 GB/day | $175K (with ES) | $155K-$200K | Even | Datadog per-host base eats the lead at higher host counts |
| 500 hosts, 100 GB/day | $340K (with ES) | $385K-$520K | Splunk | Datadog per-host base inverts the unit-economics argument |
| 200 hosts, 250 GB/day | $680K (with ES) | $650K-$820K | Even | Both vendors badly priced at this profile; Sentinel preferred |

Annual licence ranges, list pricing for both vendors, before negotiated multi-year discounts. Datadog all-in includes per-host base, indexed log retention, and Cloud SIEM line.

Five-year TCO at 100 hosts and 50 GB per day

| Year | Splunk Cloud + ES | Datadog |
|---|---|---|
| Year 1 (100 hosts, 50 GB/day) | $280K | $140K (consolidation case) |
| Year 2 | $210K (TCO drop) | $135K (steady state) |
| Year 3 | $200K (steady state) | $135K |
| Year 4 | $210K (5% inflation) | $140K (5% inflation) |
| Year 5 | $220K | $145K |
| 5-year total | $1.12M | $695K |

Five-year cumulative includes initial licence, 5% inflation per year, and Year 2 TCO compression on Splunk. Excludes one-time migration costs.

When Splunk genuinely wins

When Datadog genuinely wins

FAQ

Common questions

Is Splunk or Datadog Cloud SIEM cheaper at 100 hosts and 50 GB per day?

Datadog Cloud SIEM is meaningfully cheaper at this profile, particularly for organisations already paying for Datadog Infrastructure or APM. The all-in Datadog math at 100 hosts and 50 GB per day with 30-day indexed retention lands at $120K-$160K per year, including the per-host base ($18K), indexed log retention ($95K-$130K), and Cloud SIEM line ($3.6K). Splunk Cloud at 50 GB per day plus Enterprise Security lands at $175K-$215K per year. The Datadog advantage is roughly 25-35 percent at this profile and widens further when the per-host base is already absorbed by existing Datadog spend.

Why does Datadog Cloud SIEM cost so little at the line-item level?

Datadog deliberately prices Cloud SIEM as an inexpensive add-on layered on top of expensive Datadog Logs. The Cloud SIEM line at $0.20 per analyzed log GB is genuinely small (~$3,650 per year for a 50 GB-per-day environment). The total Datadog bill is dominated by the underlying Logs spend (per-GB ingest plus per-million-event indexing) and the Infrastructure host count, both of which Cloud SIEM customers must pay regardless. Single-line Cloud SIEM rate comparisons against Splunk understate Datadog's true bill substantially; only the all-in math matters for buying decisions.

When does Splunk genuinely beat Datadog?

Splunk wins decisively in environments with high host counts and modest log volumes (e.g., 500 hosts at 50 GB per day), where Datadog's per-host base inverts the unit economics. A 500-host environment pays Datadog Infrastructure $90K base before any logs at all, where Splunk at 50 GB per day costs $135K total. Splunk also wins for mature SOCs with deep ES content libraries built over years, where migration cost outweighs licence saving for 24-36 months. And Splunk wins where investigation depth (ES, premium content, SOAR) is the binding constraint rather than raw log volume cost.

What is the migration cost from Splunk to Datadog?

Migration cost varies materially with detection content depth and analyst retraining. A typical mid-market migration (50 GB per day, 200 detections, 8-person SOC) runs $120K-$250K in professional services plus 4-8 months of calendar time. Migration of Splunk SPL queries to Datadog query syntax is the largest single workstream. For organisations where the licence saving is $50K-$100K per year, the payback is 2-3 years. For organisations where the licence saving is $200K-plus per year, the payback drops under 18 months and migration is straightforwardly the right call. The decision should also weigh detection content portability (SIGMA-aligned content migrates faster than Splunk-native ES content) and SOC retraining capacity.

Does Datadog Cloud SIEM include UEBA and SOAR?

Datadog Cloud SIEM includes basic UEBA (entity timeline, behavioural baselines) but at moderate depth comparable to Splunk Enterprise Security with a basic UEBA app, not matching Exabeam or Securonix specialist depth. SOAR is delivered through Datadog Workflows and external integrations (Tines, Torq, etc.) rather than bundled in Cloud SIEM directly. Splunk's SOAR is a separately-licensed product. For organisations whose UEBA needs are basic-to-moderate and whose SOAR needs are delivered through external automation platforms, Datadog Cloud SIEM is structurally sufficient. For organisations needing deep bundled UEBA or SOAR within the SIEM platform, Splunk plus its add-ons typically wins.

Updated 2 May 2026