OBSESC · Observability Escape

Keep every log.
Query everything.
Pay once.

Active observability on everything you ship, running in your cloud, on your data, in open format. One-time toll: 2¢/GB ingested. Then never again.

  • 924 MB/s sustained ingest
  • 100× compression
  • 8 ms count(*) at 100 TB
  • $0 exit: open parquet + iceberg

The four bad choices

Every team is making one of these. None of them are good.

SAMPLE

Keep 1%. Lose the incident that lived in the 99% you dropped.

DROP

Truncate to 7 days. Watch postmortems become guesswork.

GO COLD

Archive to Glacier. Wait 12 hours and write Athena queries to find one event.

PAY

Sign the renewal. Watch the bill grow 30% YoY while engineers ration their queries.

There's a fifth option. We built it.

The fifth option

Active observability on everything.

No sampling. No dropping. No going cold. No vendor lock-in.

  • Keep every event: compressed in your S3
  • Query in milliseconds: summaries + sketches
  • Anomalies surface: as you ingest, not later
  • Pay once per GB: then never again

How it works

Your logs go in once. They stay queryable forever.

  • Source: Your logs
  • Engine: OBSESC (you pay here, once · 2¢/GB)
  • Destination: Your S3

Summaries + anomalies
100× compressed in your block storage.

Dashboards, percentiles, trends, anomalies. All in milliseconds.

Raw events · Parquet + Iceberg · Your S3
8× compressed. Open format.

Queryable by Athena, Trino, Spark, DuckDB, with or without us.

Active queries hit summaries. Drill-down dereferences URIs to raw. No inverted indexes. No calls home.

Why anomalies are free

We don't run a separate anomaly detector. The compression is the detector.

When we compress your logs into summaries, we use mathematical sketches (t-digests, HyperLogLog, bloom filters) to model the typical shape of your data.

Points that don't fit those models can't be compressed. So we keep them verbatim, with a pointer to the original log line.

If we summarized it, we modeled it. If we couldn't model it, we kept it.

No false negatives.

By construction. If we summarized it, we modeled it. If we didn't, you have it.

No runaway costs.

Anomaly volume is bounded by the math: a fixed fraction of the tail per shard.

Queryable as a tier.

Range-scan anomalies the way you'd range-scan logs. "Has this spiked before?" in milliseconds.
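
The retention rule described in this section, as an added illustration that is not OBSESC's code: each shard is reduced to a small summary while the top slice of its tail is kept verbatim with a pointer to the raw line, and a range scan reads only that anomaly tier. Assumptions: a single numeric field, exact quantiles standing in for a t-digest, a 1-in-100 tail fraction, and the `s3://example-bucket/...#L<n>` pointer format.

```python
from dataclasses import dataclass

TAIL_ONE_IN = 100  # assumed: keep the top 1/100 of each shard verbatim


@dataclass
class ShardSummary:
    uri: str
    count: int
    quantiles: dict   # percentile -> value; exact here, a t-digest would estimate
    anomalies: list   # [(value, pointer)] kept verbatim, bounded per shard


def summarize_shard(uri, events, one_in=TAIL_ONE_IN):
    """events: [(line_no, latency_ms)]. Summarize the body, keep the tail."""
    ordered = sorted(events, key=lambda e: e[1])
    n = len(ordered)
    keep = -(-n // one_in)                       # ceil(n / one_in)
    values = [v for _, v in ordered]
    quantiles = {p: values[min(n - 1, p * n // 100)] for p in (50, 90, 99)} if n else {}
    # Tail events are not folded into the model; they survive with a pointer.
    anomalies = [(v, f"{uri}#L{line}") for line, v in ordered[n - keep:]]
    return ShardSummary(uri, n, quantiles, anomalies)


def spiked_before(summaries, threshold):
    """Range-scan the anomaly tier only: pointers to events >= threshold."""
    return [ptr for s in summaries for v, ptr in s.anomalies if v >= threshold]


def build_sample():
    """Constructed data: three shards of 200 latency events, one real spike."""
    shards = []
    for k in range(3):
        events = [(i, 20 + (i * 7) % 30) for i in range(200)]
        if k == 2:
            events[137] = (137, 4000)            # the incident
        uri = f"s3://example-bucket/shard-{k:04d}.parquet"   # hypothetical path
        shards.append(summarize_shard(uri, events))
    return shards


if __name__ == "__main__":
    shards = build_sample()
    for s in shards:
        print(s.uri, s.count, s.quantiles, len(s.anomalies))
    print(spiked_before(shards, 1000))
```

Retained volume is capped at `ceil(count / 100)` entries per shard whether or not the shard contains a spike, which is the cost bound the section describes.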

How you pay us

One-time toll. 2¢ per GB ingested. Then never again.

We don't charge for
  • Storage
  • Queries
  • Retention
  • Compute
  • Seats

We charge per GB ingested. Once.

You keep, forever
  • Raw events in your S3
  • Summaries + anomalies
  • Unlimited queries
  • Open Parquet format
  • No exit cost

Pay once when data crosses the engine. Query it for the next decade for free.

Every other observability vendor charges you again every month for data they ingested years ago. We don't.

What it costs you

50 TB/day. Five years. The numbers don't even rhyme.

[Chart: cumulative cost in $M over years Y1 to Y5, Splunk cold tier vs. OBSESC + your S3]

Splunk figures based on Enterprise list pricing for cold tier retention at 50 TB/day, before EDP discounts. OBSESC at 2¢/GB ingested + S3 lifecycle (IA → Glacier IR). Bring your contract. We'll redo the math on your terms.

Splunk
$49M

over 5 years. Grows every year. Data you wrote in Y1 still being charged in Y5.

OBSESC
$2.2M

over 5 years. Flat year-over-year. Only grows when you ingest more.

$47M difference. Same retention. Same fidelity. Faster queries.

What to do with your existing tools

Keep Splunk for what it's good at. Stop paying for what it isn't.

Same logic holds for Datadog, Elastic, or whatever you're running today. No rip and replace. Cut retention to the window your incumbent actually earns. Tee everything else to OBSESC.

Splunk · Where it earns its keep
  • Last 7 days of data
  • Live incident response: SPL against fresh data
  • Ad-hoc forensics on novel patterns
  • Existing dashboards, alerts, runbooks
  • Your team's query-language muscle memory

OBSESC · Everything else, active
  • Day 8 onward, forever
  • Trends, percentiles, capacity planning in milliseconds
  • Anomaly history: "has this spiked before?"
  • Compliance, audit, postmortem evidence
  • 100% retention. No sampling.

Cut Splunk retention from 90 days to 7. Tee everything to OBSESC. Same shipper. Same incident workflow. ~85% lower bill.

Your data, your bucket, your tools

If we vanished tomorrow, you'd lose nothing.

No exit cost
Your raw events live in your own S3 bucket as Apache Parquet, with Iceberg table metadata.

If we go away, your data doesn't. If you migrate off us, no export step. If your data team wants to query it directly, they already can.

Works with what you already have
  • AWS Athena: SQL queries on raw, no setup
  • Trino / Presto: distributed analytics on cold data
  • Apache Spark: ML pipelines on years of logs
  • Snowflake external: federate into your warehouse
  • DuckDB: local analyst workflows
  • Your dbt models: treat logs as a source table

Open Parquet. Open Iceberg. Open exit.

How you deploy us

Marketplace AMI. Running in an afternoon.

Metered through your existing AWS commit. No new vendor onboarding.

No new security review

You've already cleared AWS. The AMI inherits that perimeter. No SOC 2 dependency, no DPIA, no MSA negotiation, no questionnaire round-trip.

Existing AWS commit applies

Marketplace charges hit your AWS bill. Often counts toward your EDP. Procurement signs once (for AWS) and never sees us.

Your cloud, your control

AMI runs on your EC2. Data lands in your S3. We don't see your logs. We can't see your logs. There's no us-side infrastructure to compromise.

Doesn't call home

Only outbound traffic is AWS Marketplace metering. Nothing to allowlist. Nothing to audit. Nothing for your network team to argue about.
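
One way to check the outbound-traffic claim in your own account, as an added example that is not part of OBSESC: scan default-format (version 2) VPC Flow Log records for the instance and list anything it sent outside the VPC and an allowlist. The CIDRs, ENI id, addresses and log lines are constructed stand-ins, and the allowlist is assumed to cover S3 and Marketplace metering.

```python
import ipaddress

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed stand-ins (documentation ranges), not real AWS endpoints.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ALLOWED = [ipaddress.ip_network("198.51.100.0/24"),   # stand-in: regional S3
           ipaddress.ip_network("203.0.113.0/24")]    # stand-in: Marketplace metering

# Constructed sample records for an engine instance at 10.0.1.25.
SAMPLE = """\
2 123456789012 eni-0abc1234 10.0.1.25 198.51.100.10 44312 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.25 203.0.113.7 44320 443 6 8 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.2.40 10.0.1.25 51544 8088 6 90 640000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.25 10.0.2.40 8088 51544 6 40 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.25 192.0.2.99 44400 443 6 30 41000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.25 192.0.2.50 44401 25 6 1 60 1700000060 1700000120 REJECT OK
2 123456789012 eni-0abc1234 - - - - - - - 1700000120 1700000180 - NODATA
""".splitlines()


def unexpected_egress(lines, instance_ip, vpc=VPC_CIDR, allowed=ALLOWED):
    """Flows sent by instance_ip to addresses outside the VPC and the allowlist."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue                      # NODATA, SKIPDATA or malformed record
        rec = dict(zip(FIELDS, parts))
        if rec["srcaddr"] != instance_ip:
            continue                      # traffic towards the instance
        dst = ipaddress.ip_address(rec["dstaddr"])
        if dst in vpc or any(dst in net for net in allowed):
            continue                      # in-VPC peer or expected endpoint
        # REJECT rows are kept: a blocked attempt is still worth seeing.
        findings.append((str(dst), int(rec["dstport"]), rec["action"], int(rec["bytes"])))
    return findings


if __name__ == "__main__":
    for finding in unexpected_egress(SAMPLE, "10.0.1.25"):
        print(finding)
```

An empty result over the POC window is consistent with the claim; any row names the destination and port to take up with the vendor.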

What we've proven so far

Benchmarked to 100 TB on a single instance.

  • 924 MB/s: sustained ingest at 100 TB
  • 100×: compression in summary tier
  • 151B rows: queried in sub-10ms
  • 8 ms: COUNT(*) over 100 TB

[Chart: Compression holds from 10 GB to 100 TB. Plotted values 116.5, 118.3, 108.7, 99.4, 96.9 at 10 GB, 100 GB, 1 TB, 10 TB, 100 TB.]

Validation: 100 TB
  • 303,559 / 303,559 shard roundtrips verified
  • 4,756,732 / 4,756,732 anomalies persisted
  • 0.0% T-digest estimation error
  • 44 / 44 query suite passed at every scale

Numbers from synthetic event data on a single i4i.4xlarge.

The landscape

What you get vs. what you have today.

Splunk · Datadog · Hydrolix · Axiom · OBSESC
100% retention without re-paying ~ ~
Storage in your own bucket ~
Queries don't cost extra ~ ~
Open format, no exit cost ~
Anomalies surface automatically ~ ~
Deploys without security review ~ ~

We're not trying to replace Splunk. We're trying to make sure you only pay Splunk for the seven days where it earns its keep, and pay us once for everything else.

What changes for your team

Less ration, more answer.

FOR SREs
Before

"Did we keep last month's traces? Can I afford this query? Is this still in hot storage?"

After

Run the query. Get the answer. Look back six months. Look back two years.

FOR SECURITY
Before

"We sample auth logs at 10% to fit the budget. Compliance is sweating."

After

100% retention of every event. Audit-ready by default. Anomalies pre-surfaced.

FOR FINANCE
Before

Splunk renewal up another 30%. Datadog usage alarm hit again. Quarterly observability spend review on the calendar.

After

One predictable line item, scaled to ingest. No retention surprises. No query overage. No vendor lock-in.

What happens next

A 30-day POC.

Free. Your data. Your cloud.

1. Subscribe to the AMI
AWS Marketplace, your account, free tier for the POC window

2. Tee your log shipper
Cribl, OTel, Vector, Fluent Bit, Splunk HEC. Keep your existing destination.

3. Run for 30 days
We compute summaries, surface anomalies, hold raw in your bucket

4. Compare your bills
If we don't save you 5× on the cold tier, you walk away. Keep your data.

obsesc.com/poc · AWS Marketplace: "OBSESC Observability Escape" · info@obsesc.com