Skip to content

FAQ

The Cloud Reporter identifies licensing cost drivers by analyzing app/infra events stored in log analyzers.

Overview

What is Cloud Reporter and what does it analyze

Cloud Reporter is a cost analysis tool that runs in your infrastructure. It connects to your existing SIEM or log platform to identify optimization opportunities.

It analyzes log patterns and volume distribution directly from your indexed data to identify where costs come from. You get:

  • Detailed breakdowns by message pattern, application, and log type
  • Specific recommendations for cost reduction

Cloud Reporter works with data already in your platform -- no agents, no forwarder changes. Deploy as a Kubernetes CronJob or AWS Lambda function.

Results feed into ROI Analytics dashboards with a dedicated Cloud Reporter tab.

How does Cloud Reporter calculate potential savings

Cloud Reporter applies the same optimization engine used in production Log10x components to your sampled data.

For each message pattern, it calculates reduction ratios, identifies redundant patterns, and quantifies potential volume reduction. Results are presented with dollar amounts based on your actual SIEM pricing tier.

The analysis uses your specific log data, not generic benchmarks.

How do I act on Cloud Reporter's recommendations

Cloud Reporter pairs each optimization opportunity with actionable next steps:

  • AI-generated recommendations -- the 10x Console analyzes aggregated cost patterns and generates specific recommendations -- e.g., "Reduce DEBUG logs from payment-service (saves $4,200/mo) by adding this Regulator rule." AI runs in three configurable modes: Managed (hosted by Log10x), Bring Your Own Key (OpenAI, Anthropic, xAI, Azure OpenAI, or any OpenAI-compatible endpoint including self-hosted Ollama), or Disabled (raw metrics only, no data sent to any AI provider). Only aggregated metadata (event type, volume, cost) is sent -- never raw log content. API keys are encrypted at rest.
  • ROI Analytics dashboards -- Grafana dashboards showing cost per application, volume by severity, and top patterns by cost. Available as managed SaaS or self-hosted with open-source dashboard JSON.
  • Prometheus Metrics API -- standard REST endpoints to query all cost and volume metrics programmatically. Build custom integrations, feed FinOps tools, or power your own dashboards.
  • Edge deployment -- implement recommendations through Edge Regulator (budget caps) and Edge Optimizer (lossless compaction)

Each recommendation shows potential savings and specific implementation steps.

Can Cloud Reporter identify repeated stack traces as cost drivers

Yes. Exception stack traces spanning 50-100 lines repeated thousands of times are a common cost driver.

Cloud Reporter detects these patterns from your indexed data and quantifies the savings potential:

  • Original: 80-line trace x 10,000 occurrences = 800,000 lines
  • After Edge Optimizer compaction: 80-line template + 10,000 references = ~80,100 lines
  • Projected reduction: 90%+ for repeated stack traces

Works with all languages: Python tracebacks, Java/Kotlin, Node.js, Go panic dumps, Ruby, C# .NET, PHP. Deploy Edge Regulator to act on the findings.

Integration

Which SIEMs and log platforms does Cloud Reporter support

Cloud Reporter integrates with major log platforms:

  • Splunk
  • Elastic
  • Datadog
  • AWS CloudWatch Logs

Each integration uses read-only API access -- no agents or forwarders required. Setup takes about 15 minutes: deploy, generate a read-only API token, configure the connection, and analysis begins automatically. See the install guide for details.

What is Cloud Reporter's performance footprint

Minimal -- typically less than 0.1% of your SIEM capacity. Cloud Reporter runs as a Kubernetes CronJob (not a persistent process), so the footprint is a periodic blip on a schedule you control.

  • Read-only integration -- no writes, no data modifications, no interference with alerting or search
  • Configurable rate limiting with efficient sampling -- no full data scans
  • Off-peak scheduling -- you control the schedule and concurrency

Per-platform impact:

  • Splunk -- scheduled search jobs during off-peak windows, tunable to minimize search head load
  • Datadog -- respects API rate limits with automatic backoff
  • Elastic/OpenSearch -- lightweight _stats and _mapping calls, not full-text queries

Security

What data does Cloud Reporter access from my SIEM

Cloud Reporter accesses:

  • Index metadata and field statistics
  • Volume metrics and field cardinality
  • Representative log samples for pattern analysis

Log samples are processed in-memory and are not stored persistently or transmitted externally. You control which indexes and time ranges are analyzed. The API token you provide should have read-only permissions limited to the specific data you want analyzed.

Failure Modes & Recovery

What if the Cloud Reporter cronjob fails to start

Cronjob retries on next schedule — no data loss:

  • During cronjob failure: The scheduled report doesn't run at the expected time
  • Data loss: NO — Cloud Reporter is read-only (queries existing indexed data)
  • Impact: You miss a single report. Next scheduled run generates the report
  • Recovery: Automatic on next cronjob schedule (typically hourly or daily)

Monitoring: - pod_restart_count > 0 on reporter pod — track unexpected restarts - CronJob status: kubectl describe cronjob log10x-reporter -n logging - Job logs: kubectl logs -l job-name=log10x-reporter-* -n logging --tail=100

What if Cloud Reporter can't query your log analyzer

Query failure — next cronjob retry or manual run:

  • Network outage to SIEM: Reporter cronjob runs but API calls fail
  • Authentication expired: Reporter can't authenticate to your analyzer
  • SIEM down/unavailable: Queries time out
  • Data loss: NO — Cloud Reporter doesn't modify data, only reads
  • Recovery: Automatic on next scheduled cronjob run. To manually trigger: kubectl create job --from=cronjob/log10x-reporter manual-report -n logging

Resolution: - Verify network connectivity to your analyzer (Splunk, Elasticsearch, etc.) - Check API credentials in reporter config - Verify analyzer is responding: curl -I https://your-analyzer.example.com - Check pod logs for auth/timeout errors

Next: Storage Streamer