ClickHouse at petabyte scale.

If you run a Security Operations Center, you've probably heard someone say "we need to collect everything." Network logs, endpoint telemetry, cloud audit trails, application events. The list grows every quarter. What they don't mention is what happens when "everything" becomes 5 petabytes per day.

That's not a hypothetical. It's what Netflix ingests, averaging 10.6 million events per second (peaking at 12.5 million), across 40,000+ microservices supporting 300 million subscribers.

Huntress (3 million endpoints) migrated from Elastic to ClickHouse and achieved a 93% cost reduction. That's not a marginal improvement — it's a fundamental architectural mismatch.

Document-oriented storage overhead

Elasticsearch stores data as JSON documents with inverted indices for full-text search. Every field is indexed by default, creating massive storage overhead. A 500-byte security event becomes 2–5 KB stored — 4–10× overhead.

Shard management overhead

As data grows you need thousands of shards. Each shard is a Lucene index with overhead for segment files, merge operations, refresh cycles, and 2–3 GB heap memory minimum. 1,000+ shards per cluster is common at TB/day scale, meaning 2–3 TB RAM minimum. Shard rebalancing during failures causes cluster instability. Huntress experienced query degradation from 3s to 30s as shard count grew, plus 10–30 second JVM garbage collection pauses.

Heap pressure at scale

Elasticsearch is Java-based, using JVM heap memory for field-data cache (aggregations on high-cardinality fields), request caches, shard metadata. Aggregations on IP addresses, user IDs, file paths create massive field-data structures. Practical max heap is 31–32 GB per node (beyond this, compressed pointers are disabled). GC pauses increase with heap size.

When to migrate

Keep Elasticsearch if: under 1 TB/day ingestion, full-text search is critical, team has deep Elastic expertise, ECS plus Elastic Security rules are core workflow.

Migrate to ClickHouse if: over 1 TB/day, structured / semi-structured logs (JSON, Syslog, CEF) dominate, aggregation queries beat full-text search, query performance is degrading, shard management is consuming ops time, cost exceeds $15–30K/month for Elastic infrastructure. ClickHouse is likely 5–10× cheaper.

Security data has a decay curve. 0–7 days: active investigations, sub-second response. 7–30 days: recent incident follow-up, moderate frequency. 30–90 days: trend analysis, compliance reporting, lower frequency. 90+ days: forensics, legal holds, rare queries.

Most security teams store everything in one tier (expensive SIEM, or slow data lake). Netflix's approach optimizes for access patterns, not storage uniformity. Storing 5 PB in ClickHouse for one year would be prohibitively expensive. Tiering to Iceberg after 30 days cuts storage costs 10–50× while maintaining query capability.

The architecture pattern:

Raw Data → Apache Iceberg Tables (S3)
  ↓
  ├─→ ClickHouse (scheduled analytics, fingerprinting, tag queries)
  └─→ Trino/Presto (ad hoc investigations, complex joins)

ClickHouse isn't Netflix's monolithic database. It's a specialized query engine layered on top of Iceberg's lakehouse foundation. Iceberg provides storage durability, ACID guarantees, and schema evolution. ClickHouse provides sub-second query performance for specific workload patterns (scheduled reports, high-throughput aggregations).

Real numbers. Annual cost at 5 TB/day ingestion (1.825 PB/year stored):

Platform                  Annual cost
─────────────────────────────────────────
Splunk Enterprise         $2.74M – $5.48M
Elastic Cloud             $438K – $876K
ClickHouse (self-hosted)  $142K – $200K
ClickHouse Cloud          $200K – $300K

Assumptions: Splunk pricing from community reports ($3–6/GB/day enterprise). Elastic from public calculator (hot tier 30 days + warm 335 days). ClickHouse self-hosted: 10–15× c5.4xlarge instances + S3 + 2–3 FTE ops. ClickHouse Cloud: vendor public estimates.

ClickHouse is 5–27× cheaper than Splunk and 2–4× cheaper than Elastic at 5 TB/day. Savings scale linearly — at 50 TB/day, ClickHouse saves $2–5M annually.

ClickHouse materialized views provide 10–100× query acceleration for repeated patterns but require careful economic analysis at petabyte scale.

-- Base table (raw security events)
CREATE TABLE security_events (
    timestamp DateTime,
    source_ip String,
    user_id String,
    event_type String,
    payload String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (timestamp, source_ip);

-- Materialized view (pre-aggregated authentication failures)
CREATE MATERIALIZED VIEW auth_failures_hourly
ENGINE = SummingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (timestamp_hour, source_ip, user_id)
AS SELECT
    toStartOfHour(timestamp) as timestamp_hour,
    source_ip,
    user_id,
    countIf(event_type = 'auth_failure') as failure_count,
    countIf(event_type = 'auth_success') as success_count
FROM security_events
GROUP BY timestamp_hour, source_ip, user_id;

Query raw table: scan 50 GB auth logs, aggregate 50M events = 3–10 seconds. Query materialized view: scan 500 MB pre-aggregated data = 50–200 ms (20–100× faster). Storage overhead: +1%.

Materialize when

• Repeated dashboard queries (SOC dashboards refreshing every 5 minutes = 288 times/day).
• High-frequency aggregations (queries scanning billions of events repeatedly).
• Known query patterns (MITRE ATT&CK dashboards: 30+ queries on same raw data).

Don't materialize when

• Exploratory threat hunting (unknown patterns, ad-hoc queries).
• Rare queries (compliance reports run monthly).
• Low-volume data (MV overhead exceeds benefit).

Worked economics for one auth-failure dashboard at 288 refreshes/day: without MV, $86.40/day ($2,592/month). With MV, $2.94/day ($88/month). That's 97% reduction on a single dashboard. At 20–30 production dashboards, $600K/year savings via materialized views for known query patterns.

Netflix's likely approach: materialized views for high-frequency dashboards (auth failures, service health, error rates) plus raw queries for exploratory analysis (fingerprinting new log types, ad-hoc threat hunting).

When migrating security logs from a SIEM to a columnar database, you face a fundamental trade-off: flatten the schema and lose hierarchical semantics (see the flattening anti-pattern essay for the full treatment), or preserve structure and accept query complexity. Hydrolix is purpose-built for log data with high cardinality and nested structures. It's worth comparing where each architecture wins.

Architectural differences

Decoupled components. Hydrolix runs Kubernetes-native, stateless architecture where ingest, query, and merge scale independently. ClickHouse MergeTree operations can starve query resources (reads/writes share resources). Security impact: Hydrolix maintains consistent query performance during heavy ingestion (incident response while logs are flooding in).

High cardinality optimization. Hydrolix designed for "hundreds of thousands of columns" with full indexing. ClickHouse high-cardinality fields require careful codec selection. Security impact: security logs are extreme-cardinality (IPs, usernames, file paths, hashes) — Hydrolix optimized for this by default.

Nested data handling. Hydrolix uses catch-all fields storing arrays of maps, JSON Pointer syntax for nested queries, flattening optional. ClickHouse supports Nested types but query complexity rises. Security impact: CloudTrail / Azure AD logs with deeply nested structures query naturally in Hydrolix without explicit flattening.

JOIN support. Hydrolix has native JOIN between tables (timestamp-based, requires aliases and exact type matching). ClickHouse has full SQL JOIN support including dictionary joins and distributed joins. Security impact: ClickHouse more flexible for complex multi-table correlations.

When to choose which

Choose ClickHouse if: multi-use case platform (observability + security + business analytics), complex SQL joins required, schema optimization acceptable, Iceberg / lakehouse integration critical, mature ecosystem needed.

Choose Hydrolix if: 100% log data workload, extreme high cardinality (millions of unique IPs / usernames / hashes daily), deeply nested JSON to preserve without flattening, consistent query performance during ingestion spikes is critical, long-term cost-effective retention is the primary goal.

Evidence gap: ClickHouse has Netflix (5 PB/day) and Huntress (3M endpoints) production validation at Tier A. Hydrolix architecture claims are reasonable but lack equivalent public case studies at petabyte scale (Tier C). For now, default to ClickHouse for production decisions unless your workload is specifically log-only with nested-structure-heavy queries.

Netflix didn't share their logging optimizations for altruism. They validated an architectural pattern that observability and security communities are converging on: modern data stacks (columnar databases plus lakehouse storage) are replacing traditional SIEMs for petabyte-scale security data.

1. Columnar databases beat traditional SIEMs at scale. ClickHouse outperforms Splunk and Elasticsearch by 5–100× on analytical queries; cost is 23–42× cheaper than Elastic and Datadog at equivalent scale.
2. Optimize where it matters. Ingestion: generated parsers (216 µs → 23 µs). Write path: native protocols beat generic APIs. Query path: data layout beats clever algorithms (tag sharding 3 s → 700 ms).
3. Hot + cold tiering isn't optional at scale. Don't store everything in one tier. Match storage cost to query frequency. Unified query API hides complexity from analysts.
4. Petabyte scale changes everything. What works at 1 TB/day fails at 100 TB/day. Architectural decisions that seem premature become mandatory. "Do the least amount of work" becomes the guiding principle.

If you're designing a security data platform today, Netflix's ClickHouse journey isn't just inspiration — it's a blueprint.