3 Advanced Techniques to Reduce Log Volume by 90% (Part Two)


In the first blog post in the series, I went through four basic ways to reduce logging volumes: increasing the severity threshold, converting logs to metrics, uniform sampling, and drop rules. These techniques work well for smaller, simpler environments, but they lead to missing data that might be important when troubleshooting. Some of them require a significant effort to scale to the enterprise. In this blog post, I'll go through three advanced techniques to reduce log volumes: automatic sampling by pattern, logarithmic sampling by pattern, and sampling with automatic backfilling.
If we can automatically identify, in real-time, the patterns in log messages and track how many messages we're seeing for each pattern, we can then automatically make decisions on how much data to send for each pattern. Here’s how it would work:

The previous technique will do two things: 1) guarantee a basic minimum of log messages for every pattern and 2) reduce the rest of the data by a set fraction. However, that's not optimal. This means that your heaviest patterns, which maybe 10000x more noisy than your lightest patterns will be sampled the same amount and you only get a linear decrease in log volumes. Ideally, you want to sample the heavier patterns more heavily than lighter patterns. For example, if you're seeing 100,000 messages per second for pattern A and 100 messages per second for pattern B, you probably want to only pass through 1% of pattern A and 10% of pattern B. This is what logarithmic sampling does.
This technique is an extension of Sampling by pattern, so it has the same pros and cons. The only difference is that it's exponentially (pun intended) more effective. It's also exponentially more effective than the basic uniform sampling technique.
This last technique reduces the downsides of sampling by storing all the original logs into some low-cost, queryable storage and automatically reloading data to the log aggregator when there’s an anomaly. The anomaly detection could be built into the processing pipeline or it could be external (such as a callback from the observability tool itself). This way, when an engineer goes to troubleshoot the anomaly, the data would already be in the log aggregator.
I went through the available public documentation for various tools to check what capabilities are present in each. Where it was clear a technique was possible, I marked the cell with ✔️. Where it was missing, I marked it with ❌.
Grepr is the only solution that implements all advanced techniques. Further, Grepr automatically parses configured dashboards and alerts for patterns to exclude from sampling, and mitigate impacts to existing workflows. In customer deployments, we’ve seen log volume reductions of more than 90%! Sign up here for free, and see the impact Grepr can make in 20 minutes or reach out to us for a demo here.
Automatic sampling by pattern identifies log message patterns in real time and tracks the volume of each pattern. Once a pattern crosses a defined threshold, the system begins sampling messages for that pattern and periodically sends summary messages with counts of what was skipped, requiring minimal manual configuration.
Uniform sampling applies the same reduction ratio to all log messages regardless of volume. Logarithmic sampling adjusts the sampling rate based on each pattern's volume, so the noisiest patterns get sampled more aggressively while lower-volume patterns pass through at higher rates, producing exponentially greater volume reduction.
Automatic backfilling stores all original logs in low-cost queryable storage and automatically reloads relevant data to the log aggregator when an anomaly is detected. This means engineers still have access to full-fidelity data during troubleshooting without paying to index and store everything in an expensive log aggregation tool.
Yes. By combining automatic pattern detection with logarithmic sampling and backfilling, organizations can achieve 90% or greater volume reduction while preserving the data needed for troubleshooting, alerting, and compliance.