Why ClickHouse Outperforms Elasticsearch in Log Search: A Practical Benchmark

Architecture and Design Comparison

Elasticsearch is a real‑time distributed search and analytics engine built on Lucene, providing distributed search via shards and replicas. ClickHouse is a column‑oriented MPP OLAP database developed by Yandex, using a shared‑nothing architecture where each node stores and processes a portion of the data.

Elasticsearch nodes can play three roles: client node (API access, no data), data node (stores and indexes data), and master node (cluster coordination). ClickHouse nodes are equal peers in an MPP cluster and use Zookeeper for coordination.

Query Comparison Experiments

A Docker‑Compose stack was built for each system: an Elasticsearch‑Logstash‑Kibana (ELK) stack and a ClickHouse‑TabixUI stack. Data were generated with Vector’s generator source, parsed, coerced, and sent simultaneously to both stacks via Vector sinks.

Sample queries executed on both systems include:

Match‑all query

Single‑field match

Multi‑field match

Term query

Range query

Exists query

Regex query

Aggregations (count, cardinality)

Each query was run ten times using the Python SDK, and response‑time distributions were recorded.

Results

ClickHouse consistently showed lower latency than Elasticsearch across most query types, especially in aggregation scenarios where its columnar engine excels. In regex and term queries the performance gap was smaller but ClickHouse still remained competitive.

The tests were performed without any specific optimisations or enabling of ClickHouse’s Bloom filters, demonstrating ClickHouse’s strong out‑of‑the‑box performance for log‑search workloads.

Conclusion

The benchmark indicates that ClickHouse can be a superior alternative to Elasticsearch for many log‑analysis and search use cases, offering faster query execution and more efficient aggregations while still supporting typical search features.