How it works

Compress at the edge. Query without re-ingesting.

Sasquatch sits inside your cluster. Logs, traces, and metrics are compressed against a model trained on your own schema, severity-routed in real time, and dropped into your bucket. Pull any time range back through Tap Out — no second ingestion fee, no rehydration tier.

18× logs · 27× traces · 30× metrics · live in 5 minutes
01 Ingest: OTLP · CRI · syslog
02 Compress: lossless · schema-aware
03 Store: your S3 / GCS / Azure bucket
04 Query: LogQL · SPL · TraceQL · PromQL
Edge → bucket cycle: ~30s
The five-minute rebellion

Three commands. No migration. No pipeline.

Nothing to rearchitect. No Terraform sprint. No “log pipeline modernization project.” Copy three lines, watch the bill drop on the dashboard, go to your next meeting.

01 Install · 0:00
One curl. CLI on PATH.
$ curl -fsSL https://sasquatchlabs.io/install | sh
→ detecting platform… macos · arm64
→ fetching sasquatch 0.3.27 2.1 MB
✓ installed at /usr/local/bin/sasquatch
If your change policy forbids piping an installer into a shell, download the script first, read it, then run it.
02 Connect · 1:30
Sign in. Six questions. Ready.
$ sasquatch init
? tenant id t_9205881d74fb4d99
? api key (sqk_…) ****
? cloud destination AWS S3
? bucket acme-logs
? region us-east-1
? hot-path destination Datadog
✓ helm command ready to run
03 Deploy · 3:00
Helm rolls. Agents wake up.
$ helm install sasquatch oci://registry.sasquatchlabs.io/sasquatch-agent-chart \
    --version 0.4.15 --values sasquatch-values.yaml
NAME: sasquatch
STATUS: deployed · LAST DEPLOYED: now
→ 340 agent pods scheduled across 340 nodes
→ control plane reached · auth ok
✓ first chunk uploaded in 41s
04 Save · 5:00
Bill is already dropping.
$ sasquatch status
compression ratio 18.2×
events processed 4.2M (all cold · 210K also mirrored hot)
egress saved (last 5 min) 2.1 GB
bytes lost 0 (SHA-256 verified)
→ bill tracking live on dashboard
Then: add the other two pillars whenever you want.

+ Traces (values.yaml)
traces:
  enabled: true
  otlp:
    grpc: 4317
    http: 4318
Same agent, same chunks, same bucket. OTLP spans land in the cold path at 27× compression.

+ Queries (grafana/datasources.yml)
datasources:
  - name: Sasquatch
    type: loki
    url: https://query.sasquatchlabs.io
Grafana / Splunk / Datadog dashboards query straight into your bucket — no re-ingestion, no SIEM search line item. The datasource URL is on sasquatchlabs.io, so before production dashboards point at it, confirm which credentials and network path the query engine uses to read your bucket.
3 commands

Install, init, helm. That's the whole runbook — no Confluence page required.

~5 minutes

From curl to first compressed chunk in the bucket. Coffee still warm.

0 outages

Deploys as a DaemonSet alongside your existing log path. Roll back anytime.

Your data, your keys

They rent your logs back to you. We don’t.

Your logs and traces live in your bucket, under your KMS keys, inside your VPC, subject to your lifecycle policy. We compress them in place and never hold a copy. When you need them back, two lanes: Tap Out pulls any range as raw NDJSON in seconds, and live queries answer from Grafana, Splunk, Datadog, or the native Snowman console — sub-second, no re-ingestion.

The incumbent model
Your logs live in their cloud.
  • Pay to send them
  • Pay to index them
  • Pay to keep them
  • Pay to read them back
  • Pay to leave
vs
The Sasquatch model
Your logs live in your cloud. Always.
  • Your bucket
  • Your KMS keys
  • Your VPC endpoint
  • Your lifecycle policy
  • Your Tap Out, anytime
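"Your bucket, your KMS keys, your VPC endpoint, your lifecycle policy" is only true if the bucket enforces it. The following is an added example, not Sasquatch code or output: it builds an S3 bucket policy that rejects objects not encrypted under your KMS key, rejects requests that do not arrive through your VPC endpoint (except one break-glass role), rejects plaintext transport, expresses retention as a lifecycle rule, and audits an existing policy for which of those controls is missing. The bucket name, key ARN, endpoint id and role ARN are placeholders, and the agent is assumed to upload through the VPC endpoint, as the in-cluster deployment implies.

```python
"""Harden the bucket the agent writes to: objects only under your KMS key,
access only through your VPC endpoint (plus one break-glass role), TLS only.
Added example, not Sasquatch code. All identifiers below are placeholders.
"""
import json

CONTROLS = ("sse-kms", "kms-key", "vpce", "tls")


def build_bucket_policy(bucket, kms_key_arn, vpce_id, breakglass_role_arn):
    arn = f"arn:aws:s3:::{bucket}"
    objs = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Reject PutObject that names no server-side encryption at all ...
                "Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objs,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # ... or names something other than SSE-KMS ...
                "Sid": "DenyNonKmsPuts", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objs,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # ... or a KMS key that is not yours.
                "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objs,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
            {   # Conditions in one statement AND together: this denies only requests
                # that are both off-endpoint and not the break-glass role, so an
                # operator can still reach the bucket during an outage.
                "Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, objs],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": breakglass_role_arn},
                },
            },
            {
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, objs],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def lifecycle_config(archive_after_days, expire_after_days):
    """Your retention as an S3 lifecycle rule; the day counts are your inputs."""
    return {"Rules": [{
        "ID": "logs-retention", "Status": "Enabled", "Filter": {"Prefix": ""},
        "Transitions": [{"Days": archive_after_days, "StorageClass": "GLACIER_IR"}],
        "Expiration": {"Days": expire_after_days},
    }]}


def missing_controls(policy, kms_key_arn, vpce_id):
    """Audit an existing bucket policy: which of the four controls has no Deny?"""
    needles = {
        "sse-kms": '"s3:x-amz-server-side-encryption": "aws:kms"',
        "kms-key": f'"s3:x-amz-server-side-encryption-aws-kms-key-id": "{kms_key_arn}"',
        "vpce": f'"aws:SourceVpce": "{vpce_id}"',
        "tls": '"aws:SecureTransport": "false"',
    }
    found = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":  # an Allow with the right key enforces nothing
            continue
        cond = json.dumps(st.get("Condition", {}))  # flat text match is enough here
        found.update(n for n, needle in needles.items() if needle in cond)
    return [c for c in CONTROLS if c not in found]


# Constructed placeholders, not real identifiers.
BUCKET = "acme-logs"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
VPCE = "vpce-0123456789abcdef0"
BREAKGLASS = "arn:aws:iam::111111111111:role/s3-breakglass"

if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KEY_ARN, VPCE, BREAKGLASS)
    print(json.dumps(policy, indent=2))
    print("missing controls:", missing_controls(policy, KEY_ARN, VPCE))
```

Apply the policy with `put-bucket-policy` and the lifecycle rule with `put-bucket-lifecycle-configuration`, and set the bucket's default encryption to the same KMS key. The two SSE statements evaluate the request headers, so if the agent's uploads turn out not to send them, drop those two statements and rely on default encryption rather than loosening the key check.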
Two lanes back to your data
Lane 1 · Tap Out

Bulk retrieval

Pull any time range as flat NDJSON. Stream it anywhere — another SIEM, a laptop, a compliance archive.

Interface
sasquatch tap-out · REST
Output
NDJSON, one event per line
Latency
seconds for GB-scale ranges
Used by
audit exports · SIEM migration · forensic dumps
Lane 2 · Live queries

Interactive search

Point Grafana, Splunk, Datadog, or Snowman at the query engine. It reads the same chunks — no re-ingestion, no search-compute line.

Interface
Loki · Tempo · Splunk · PromQL · native
Output
dashboard panels · Explore rows
Latency
sub-second for typical windows
Used by
day-to-day debugging · live incidents · compliance checks
What both lanes are actually for
01

Live incident, 3-month-old clue

Pull 72 hours of logs from January in under 30 seconds. Every field intact, events in order. Forward straight to the SIEM the on-call is already staring at.

02

Audit or eDiscovery request

Give auditors original records, not summaries. SHA-256 verified on every event. Courts accept it. Auditors accept it. Nobody asks "where did the rest go?"

03

Migrating off a SIEM

Replay your full log history into the new system. Your compressed archive becomes the migration source — no gap, no re-ingest fee, no left-behind months.

tap-out · pull any range
$ sasquatch tap-out download \
    --from 2026-01-14T00:00:00Z \
    --to 2026-01-15T00:00:00Z \
    --storage-mode s3 --storage-bucket acme-logs \
    --output jan-14.ndjson
→ listing chunks in range… 2,184 matched
→ fetching from s3://acme-logs/… 432 MB
→ decompressing + verifying… 18.2× ratio, SHA-256 ok
✓ wrote 7.9 GB NDJSON to jan-14.ndjson
credentials read from env · never persisted
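The export above is what an auditor, a court, or a replacement SIEM receives. The page says every event is SHA-256 verified but does not document how the digests travel with the export, so this added example (not Sasquatch code) assumes a hypothetical side manifest: one hex SHA-256 per NDJSON line, in order, plus an HMAC over that manifest under a key only the bucket owner holds. It checks what "every field intact, events in order" needs: each line hashes to its manifest entry, parses as JSON, and carries a non-decreasing timestamp (the `ts` field name is an assumption). The HMAC is the part a bare hash list lacks: anyone who can write to the bucket can rewrite both the events and their hashes, so a digest alone shows the export is not corrupted, not that nobody altered it.

```python
"""Verify a Tap Out NDJSON export before handing it on.

Added example, not Sasquatch code. The side manifest, its HMAC and the
`ts` field name are assumptions; the events and key below are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime


def event_digest(line: str) -> str:
    # Hash the raw line bytes, so a reordered field or stray whitespace shows
    # up instead of being normalized away by a JSON round-trip.
    return hashlib.sha256(line.rstrip("\n").encode("utf-8")).hexdigest()


def make_manifest(ndjson: str) -> str:
    """Producer side (hypothetical): one digest per line, in export order."""
    return "\n".join(event_digest(l) for l in ndjson.splitlines()) + "\n"


def sign_manifest(manifest: str, key: bytes) -> str:
    return hmac.new(key, manifest.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_export(ndjson, manifest, mac, key, ts_field="ts"):
    report = {"events": 0, "problems": []}
    # Authenticate the manifest first; without this, a re-hashed tampered
    # export passes every per-event check below.
    if not hmac.compare_digest(sign_manifest(manifest, key), mac):
        report["problems"].append("manifest HMAC mismatch: treat the whole export as untrusted")
        return report
    digests = manifest.split()
    lines = ndjson.splitlines()
    if len(digests) != len(lines):
        report["problems"].append(f"manifest lists {len(digests)} events, export has {len(lines)}")
    last_ts = None
    for i, (line, want) in enumerate(zip(lines, digests), 1):
        if event_digest(line) != want:
            report["problems"].append(f"line {i}: SHA-256 mismatch")
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev[ts_field].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError) as e:
            report["problems"].append(f"line {i}: unparseable ({e})")
            continue
        if last_ts and ts < last_ts:
            report["problems"].append(f"line {i}: out of order ({ts.isoformat()})")
        last_ts = ts
        report["events"] += 1
    return report


# Constructed sample export and key (not real data).
EXPORT = "\n".join([
    '{"ts":"2026-01-14T00:00:01Z","host":"api-7","level":"info","msg":"GET /login 200"}',
    '{"ts":"2026-01-14T00:00:02Z","host":"api-7","level":"warn","msg":"5 failed logins for alice"}',
    '{"ts":"2026-01-14T00:00:03Z","host":"api-7","level":"info","msg":"alice locked out"}',
]) + "\n"
KEY = b"constructed-key-keep-the-real-one-in-your-kms"
MANIFEST = make_manifest(EXPORT)
MAC = sign_manifest(MANIFEST, KEY)


def demo():
    clean = verify_export(EXPORT, MANIFEST, MAC, KEY)
    # Someone with bucket write access edits one event and regenerates the
    # hash list: every digest matches, but the HMAC does not.
    tampered = EXPORT.replace("5 failed logins", "1 failed login")
    rehashed = verify_export(tampered, make_manifest(tampered), MAC, KEY)
    # Bit rot: one event changed while the authentic manifest is intact.
    corrupt = verify_export(tampered, MANIFEST, MAC, KEY)
    return clean, rehashed, corrupt


if __name__ == "__main__":
    for name, r in zip(("clean", "rehashed", "corrupt"), demo()):
        print(name, r)
```

Keep the manifest key outside the bucket (a KMS-backed secret or an HSM), otherwise the party who can rewrite the events can also re-sign them, and the check collapses back to corruption detection.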
100% decompressible
SHA-256 on every event
0 bytes leave your cloud
Yours: bucket, keys, VPC, policy