1. I am not sure what you mean - do you want to see live logs coming in while on IA? If so, hover over an event in LI, select the gear icon and select view events in context. You have infinite/real-time scroll in this view.
2. On the filesystem in a proprietary format (not in a database). Compression is typically 8-10x depending on your events.
3. LI charges per end-point while Splunk charges per GB. Given that the amount of logs increases exponentially when you have an issue, LI gives you consistent pricing.
I hope this helps.
Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===