Elasticsearch vs ClickHouse: Which Delivers Faster Log Search?

Architecture and Design Comparison

Elasticsearch is a real‑time distributed search and analytics engine built on Lucene, extending Lucene's search capabilities with sharding and replication to achieve high availability and scalability.

ClickHouse, developed by Yandex, is a column‑oriented relational DBMS designed for OLAP workloads; it uses an MPP architecture where each node processes a portion of the data, employs merge trees, sparse indexes, and SIMD optimizations, and coordinates nodes via Zookeeper.

Elasticsearch nodes are categorized as client nodes (handle API requests, no data storage), data nodes (store and index data), and master nodes (coordinate the cluster, no data storage). ClickHouse nodes share equal responsibilities and store data in columnar format, enabling fast scans and compression.

Query Comparison Practical

To compare basic query capabilities, the author built Docker‑Compose stacks: an Elasticsearch stack (single‑node Elastic container + Kibana) and a ClickHouse stack (single‑node ClickHouse container + TabixUI client). Synthetic syslog data were generated with Vector (using a generator source) and ingested into both stacks.

# ES: match all records
{ "query": { "match_all": {} } }
# ClickHouse: match all records
SELECT * FROM syslog

# ES: match a single field
{ "query": { "match": { "hostname": "for.org" } } }
# ClickHouse: match a single field
SELECT * FROM syslog WHERE hostname='for.org'

# ES: multi‑field match
{ "query": { "multi_match": { "query": "up.com ahmadajmi", "fields": ["hostname","application"] } } }
# ClickHouse: equivalent
SELECT * FROM syslog WHERE hostname='for.org' OR application='ahmadajmi'

# ES: term query (word search)
{ "query": { "term": { "message": "pretty" } } }
# ClickHouse: equivalent
SELECT * FROM syslog WHERE lowerUTF8(raw) LIKE '%pretty%'

# ES: range query (version >= 2)
{ "query": { "range": { "version": { "gte": 2 } } } }
# ClickHouse: equivalent
SELECT * FROM syslog WHERE version >= 2

# ES: exists query (field present)
{ "query": { "exists": { "field": "application" } } }
# ClickHouse: equivalent
SELECT * FROM syslog WHERE application IS NOT NULL

# ES: regex query on hostname
{ "query": { "regexp": { "hostname": { "value": "up.*", "flags": "ALL" } } } }
# ClickHouse: equivalent
SELECT * FROM syslog WHERE match(hostname, 'up.*')

# ES: aggregation – count of version field
{ "aggs": { "version_count": { "value_count": { "field": "version" } } } }
# ClickHouse: equivalent
SELECT count(version) FROM syslog

# ES: cardinality aggregation (distinct priority)
{ "aggs": { "my-agg-name": { "cardinality": { "field": "priority" } } } }
# ClickHouse: equivalent
SELECT count(distinct(priority)) FROM syslog

Both stacks were queried ten times per query using Python SDKs, and response time distributions were plotted.

Results show ClickHouse consistently outperforms Elasticsearch in most query types, especially aggregations, while remaining competitive in regex and term queries. The tests were run without any specific optimizations (e.g., Bloom filters were not enabled for ClickHouse).

Summary

The comparative testing demonstrates that ClickHouse delivers superior performance for typical log‑search scenarios, explaining why many companies are migrating from Elasticsearch to ClickHouse for analytics workloads.