Observability has become one of the fastest-growing line items in enterprise IT budgets — and one of the least well-governed. Datadog, Splunk, Dynatrace, New Relic, and Grafana Enterprise all use pricing models specifically designed to expand consumption well beyond initial estimates. Cloud-native architectures, microservices proliferation, and Kubernetes scaling mean that monitored hosts, data ingest volumes, and active users can double inside 12 months with no corresponding business case review. The result: organisations routinely overspend on observability by 30–50% relative to what peer benchmarks indicate they should pay.
This guide breaks down the core pricing mechanics of each major platform, explains where costs spiral unexpectedly, and provides the negotiation framework that consistently delivers 25–40% savings at renewal. It draws on engagements across financial services, retail, healthcare, and technology companies collectively spending over $200M annually on observability tooling.
Why Observability Licensing Is Structurally Expensive
Traditional enterprise software sold seats or named users — a reasonably predictable unit. Observability platforms sell consumption: hosts monitored, data ingested, spans traced, or custom metrics emitted. In cloud-native environments, all of these units are inherently elastic. A Kubernetes cluster that auto-scales from 20 to 200 nodes under load is a 10× cost spike on a host-based model. A security incident that triggers log verbosity generates ingest volumes that blow through committed tiers.
Vendors know this. Their pricing models are deliberately calibrated to generate overage charges that arrive 60–90 days after the consumption event, when budget cycles make them difficult to contest. Understanding the specific mechanics of each platform is the essential first step toward controlling spend.
Datadog: Host-Based Pricing and the Infrastructure Tax
Datadog remains the market leader in cloud observability, and its pricing model is among the most sophisticated in terms of driving revenue expansion. The core Infrastructure product charges per host per month, but "host" is defined broadly enough that containers, Kubernetes nodes, and cloud function invocations can all trigger incremental charges depending on configuration.
The Datadog host trap: Datadog charges for the peak host count in any single hour of the month — not the monthly average. A single auto-scaling event that briefly spikes your fleet from 100 to 340 hosts can be billed at 340 hosts for the entire month if not contractually capped.
Beyond infrastructure, Datadog operates a fully modular product catalogue. APM, Log Management, Real User Monitoring, Synthetics, Security Monitoring, Database Monitoring, Network Performance Monitoring, and CI Visibility are all separately priced. Customers who sign for infrastructure monitoring frequently find themselves purchasing five or six additional modules within 18 months, tripling their original commitment.
Log Management pricing is particularly aggressive. Datadog charges for log ingestion volume and separately for indexed log retention. Enabling verbose logging across development, staging, and production environments simultaneously — a common DevOps practice — can generate 300–500% of projected ingest volumes. Organisations that haven't implemented log filtering, sampling, or tiering before onboarding Datadog regularly receive renewal quotes three times their first-year invoice.
Negotiation levers with Datadog include committing to multi-year contracts in exchange for significant per-unit discounts (15–25%), capping peak host billing at a defined percentile rather than the absolute maximum, and bundling products upfront at a lower blended rate than purchasing modules individually post-deployment. Datadog's enterprise team has substantial latitude on pricing for accounts above $500K annually.
Splunk: Ingest Volume Economics and the Cisco Transition
Splunk built its franchise on ingest-volume pricing: you pay per gigabyte per day of data indexed. At scale, this model becomes extraordinarily expensive. A 5,000-employee financial services firm generating 10TB/day of security and operational logs faces unit economics that bear no relationship to the business value derived from the last few terabytes of indexed data.
Splunk has been migrating customers from ingest pricing to its Entity-based licensing model under Cisco ownership (Cisco acquired Splunk in 2024). Entity pricing charges per host monitored rather than per GB indexed, which aligns better with infrastructure-centric use cases but penalises organisations with high-volume, low-host scenarios such as financial transaction logging or IoT telemetry.
| Splunk Model | Pricing Basis | Best For | Primary Risk |
|---|---|---|---|
| Ingest (legacy) | GB/day indexed | Low-volume, high-value logs | Data explosion costs |
| Entity (current) | Per monitored host | Infrastructure-heavy estates | Container/K8s proliferation |
| Workload (cloud) | vCPU/hour on Splunk Cloud | Variable workloads | Unpredictable monthly bills |
The Cisco acquisition creates a meaningful negotiation opportunity. Cisco is actively cross-selling Splunk into its existing networking and security customer base, creating strong incentives to close multi-year deals with favourable terms. Organisations renewing Splunk between 2025 and 2027 are negotiating with a vendor under commercial pressure to demonstrate acquisition synergies — leverage that did not exist under independent Splunk ownership.
Dynatrace: The DPS Model and Consumption Forecasting
Dynatrace shifted from host-based to its Davis Platform Subscription (DPS) model: a credit-based system where customers purchase a pool of credits consumed by different platform capabilities at different rates. Infrastructure monitoring burns credits at one rate; full-stack application observability at a higher rate; security analytics higher still.
The DPS model superficially offers flexibility. In practice, the difficulty is accurate consumption forecasting. Organisations that commit to a DPS pool sized for infrastructure monitoring frequently find that enabling full-stack APM and security analytics depletes credits three to four times faster than anticipated, requiring mid-term top-up purchases at significantly higher per-unit rates.
Dynatrace historically offers 20–30% discounts off list for multi-year DPS commitments with consumption floors. The critical negotiation point is ensuring that unused credits roll forward contractually rather than expiring at year-end, and that any within-term top-up purchases are priced at the original committed rate rather than prevailing list prices.
New Relic: Full-Stack Pricing and User-Based Tiers
New Relic restructured its pricing around two dimensions: data ingest (charged per GB above a free tier) and user count by tier — Full Platform Users, Core Users, and Basic Users. Full Platform Users access all New Relic capabilities; Core Users a defined subset; Basic Users are effectively free but operationally limited.
The user-tier model creates a compliance risk that many organisations underestimate. Development teams that configure dashboards, create alerts, or query data for troubleshooting are frequently classified as Full Platform Users by default, even when their usage pattern is Core User-equivalent. An annual usage audit consistently identifies 20–35% of full-platform licences as candidates for downgrade without operational impact.
On the ingest side, New Relic includes 100GB/month in its standard pricing — generous relative to competitors for smaller estates. However, distributed tracing at high sample rates, browser performance data across millions of sessions, or mobile application instrumentation quickly exceeds this free tier. Additional ingest is priced at approximately $0.30/GB, which becomes material at scale.
Grafana Enterprise: The Open-Source Alternative
Grafana Cloud and Grafana Enterprise represent an increasingly credible alternative to the commercial observability stack. The open-source Grafana visualisation layer, combined with Prometheus metrics, Loki logging, and Tempo tracing, provides a capable platform at a fraction of commercial alternatives' cost — provided the engineering team can support it.
For organisations with strong engineering capability, a Grafana-based stack can reduce observability spend by 60–70% versus a Datadog or Dynatrace equivalent. The honest assessment is that this requires material engineering investment and ongoing maintenance capacity. It is the right answer for technology-first organisations with in-house SRE capability; it is typically not the right answer for enterprises whose IT function is primarily a consumer of commercial tooling.
Consolidation: Why Most Enterprises Over-Tool
The single largest source of observability overspend is tooling proliferation. A typical Fortune 500 enterprise runs three to six distinct observability tools simultaneously: a legacy APM platform from a pre-cloud acquisition, a cloud-native solution adopted by a DevOps team, a SIEM for security analytics, a separate network monitoring tool, and vendor-specific monitoring agents bundled with cloud services. Each has its own contract, renewal date, and account team applying expansion pressure.
Advisory insight: Consolidating from four observability tools to two typically saves 35–45% of aggregate spend while reducing operational complexity proportionally. The consolidation conversation also creates platform-wide negotiating leverage that single-tool renewals cannot achieve.
A structured observability rationalisation begins with mapping which teams use which tools and for what purpose, then identifying capability overlaps. In most enterprises, APM, infrastructure monitoring, and log analytics represent the three core use cases. There is rarely a business justification for running two separate APM platforms — a situation that nonetheless exists in a significant proportion of large organisations as a result of team autonomy and ungoverned SaaS procurement.
Platform-Specific Negotiation Tactics
Datadog Renewal Strategy
Datadog renewals should begin 180 days before contract expiry, not 90. The vendor's enterprise quota cycles create negotiation windows in Q3 and early Q4 when account executives have maximum pricing flexibility. Key contractual demands: cap peak host billing at the 90th percentile of monthly consumption, bundle all anticipated product modules at a single blended rate, and secure a price escalation cap of no more than 3% annually on committed units.
Splunk and Cisco Leverage
Use the Cisco integration narrative as leverage. Cisco wants to position Splunk as central to its Security Cloud and Full-Stack Observability offerings. Organisations willing to participate in reference programmes or joint go-to-market activities can extract 15–20% additional discounting unavailable through standard renewal channels.
Dynatrace DPS Negotiation
Request a consumption analysis from your Dynatrace customer success team before committing to your next DPS pool size. Dynatrace provides this analysis at no charge; it shows actual credit burn rates by capability and enables right-sizing. Always negotiate that top-up credits within the term are priced at your committed rate, and push for 24-month credit rollover on unused pool balance.
New Relic User Reclassification
Before any New Relic renewal, run a 90-day usage analysis across all Full Platform Users. Identify users who have not accessed advanced features — custom queries, pipeline management, change tracking, CodeStream — in the preceding quarter. These are Core User candidates. New Relic's sales team will often facilitate reclassification proactively to retain the account against competitive threats.
Contract Terms That Matter
Beyond unit pricing, several contractual provisions are particularly important in observability agreements. Overage pricing — the rate applied when consumption exceeds committed tiers — should be negotiated to your committed per-unit rate, not prevailing list price. Many standard agreements price overages at 120–150% of the committed rate, which compounds significantly during high-consumption periods.
Data residency and retention terms matter increasingly in regulated industries. Ensure that log, trace, and metric data residency regions align with your data governance requirements, and that contractual retention periods match your compliance obligations without requiring expensive add-ons.
Push for annual termination-for-convenience rights with 60-day notice, even in multi-year agreements. Observability platforms accumulate years of historical data, custom dashboards, alert configurations, and integration endpoints — substantial operational switching costs that vendors leverage to erode renewal negotiating position.
Recommended Advisory Approach
Observability licensing negotiations benefit significantly from specialist advisory support. Firms such as Redress Compliance maintain current benchmark data on Datadog, Splunk, Dynatrace, and New Relic pricing across industry sectors and company sizes, enabling direct comparisons that reveal whether your current pricing is competitive. Knowing that comparable organisations pay 22% less per host on Datadog is a qualitatively different negotiation opener than simply asking for a discount.
A structured advisory engagement for an observability consolidation and renewal typically takes 8–12 weeks and generates savings that represent 8–15× the advisory fee. For organisations spending more than $1M annually on observability tooling, this is among the highest-return advisory investments available within the IT budget.
For the broader emerging technology contract framework, see our Emerging Tech Contracts Guide. For related topics, see our guides on cybersecurity platform licensing and cloud security licensing. Our software licensing advisory service covers observability platform negotiations across all major vendors. The Cloud Contract Framework white paper covers monitoring and observability cost governance in detail.