How to decide what telemetry stays hot, what moves to cheaper tiers, and what can be safely reduced or archived.
Retention and tiering strategies decide how long telemetry remains available and at what fidelity. Hot data should support live incident work and near-term debugging. Warmer or archived data may support trend analysis, audits, or longer-term investigations at lower cost. The central challenge is preserving enough evidence for important use cases without paying hot-storage prices for everything forever.
This is why retention should follow use cases rather than one global default. Incident responders may need detailed logs for seven days, but only sampled or aggregated data for older periods. Security or compliance needs may justify longer retention for some event types. Product analytics may need long-lived metrics but not full raw trace detail.
flowchart LR
A["Telemetry ingested"] --> B["Hot tier"]
B --> C["Warm tier"]
C --> D["Archive tier"]
B --> E["Fast incident search"]
C --> F["Longer trend analysis"]
D --> G["Audit or rare investigations"]
Questions to guide retention design:
1retention_policy:
2 logs:
3 hot_days: 7
4 warm_days: 30
5 archive_days: 90
6 metrics:
7 high_resolution_days: 14
8 downsampled_days: 365
9 traces:
10 searchable_days: 3
11 sampled_archive_days: 14
What to notice:
A retention policy is not only financial. It determines what questions can still be answered later. If old traces are fully gone, certain causal investigations become impossible. If logs are archived without useful indexing, investigations may still be possible but much slower. Teams should make those trade-offs explicitly.
If a team keeps every signal in the same expensive hot tier forever because “someone might need it someday,” what design weakness does that reflect?
The stronger answer is lack of tiered retention thinking. The policy is driven by fear of loss rather than by actual query patterns and urgency needs.