ConfigurationReference

Configuration reference

Grafana Enterprise Logs can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEL component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

Reference

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a regular string
  • <url>: a URL
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

You can use environment variable references in the config file to set values that need to be configurable during deployment by using the -config.expand-env flag. To do this, use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:default_value}

Where default_value is the value to use if the environment variable is undefined.

Supported contents and default values of the config file

# Comma-separated list of GEL modules to load. The alias 'all' can be used in
# the list to load a number of core modules and will enable single-binary mode.
# CLI flag: -target
[target: <string> | default = "all"]

# Set to false to disable auth.
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = true]

[http_prefix: <string> | default = ""]

# The server_config configures the HTTP and gRPC server of the launched
# service(s).
[server: <server_config>]

# The distributor_config configures the GEL distributor.
[distributor: <distributor_config>]

# The querier_config configures the GEL querier.
[querier: <querier_config>]

# The ingester_client_config configures how the GEL distributors connect to the
# ingesters.
[ingester_client: <ingester_client_config>]

# The ingester_config configures the GEL ingester.
[ingester: <ingester_config>]

# Configures where GEL will store data.
[storage_config: <storage_config>]

# Configures how GEL will store data in the specific store.
[chunk_store_config: <chunk_store_config>]

# Configures the chunk index schema and where it is stored.
[schema_config: <schema_config>]

# Configures limits per-tenant or globally.
[limits_config: <limits_config>]

# Configures the table manager for retention.
[table_manager: <table_manager_config>]

# The worker_config configures the worker - running within the GEL querier -
# picking up and executing queries enqueued by the query-frontend.
[frontend_worker: <worker_config>]

# The query_frontend_config configures the GEL query-frontend.
[frontend: <frontend_config>]

# The ruler_config configures the GEL ruler.
[ruler: <ruler_config>]

# The query_range_config configures the query splitting and caching in the GEL
# query-frontend.
[query_range: <query_range_config>]

# The runtime_config configures the reloading of the runtime configuration file.
[runtime_config: <runtime_config>]

# The memberlist_config block configures the gossip ring to discover and connect
# between distributors, ingesters and queriers.
[memberlist: <memberlist_config>]

# Configures application tracing.
[tracing: <tracing_config>]

# Configures the component which compacts index shards for performance.
[compactor: <compactor_config>]

query_scheduler:
  # Maximum number of outstanding requests per tenant per query-scheduler.
  # In-flight requests above this limit will fail with HTTP response status code
  # 429.
  # CLI flag: -query-scheduler.max-outstanding-requests-per-tenant
  [max_outstanding_requests_per_tenant: <int> | default = 100]

  # If a querier disconnects without sending notification about graceful
  # shutdown, the query-scheduler will keep the querier in the tenant's shard
  # until the forget delay has passed. This feature is useful to reduce the
  # blast radius when shuffle-sharding is enabled.
  # CLI flag: -query-scheduler.querier-forget-delay
  [querier_forget_delay: <duration> | default = 0s]

  # This configures the gRPC client used to report errors back to the
  # query-frontend.
  grpc_client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -query-scheduler.grpc-client-config.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -query-scheduler.grpc-client-config.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -query-scheduler.grpc-client-config.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -query-scheduler.grpc-client-config.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -query-scheduler.grpc-client-config.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -query-scheduler.grpc-client-config.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -query-scheduler.grpc-client-config.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -query-scheduler.grpc-client-config.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -query-scheduler.grpc-client-config.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -query-scheduler.grpc-client-config.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -query-scheduler.grpc-client-config.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -query-scheduler.grpc-client-config.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

# The admin_api_config configures the admin API.
[admin_api: <admin_api_config>]

# The admin_client_config configures the instance management admin client.
[admin_client: <admin_client_config>]

# The auth_config configures the authentication type to use.
[auth: <auth_config>]

# Unique ID of this cortex cluster.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The gateway_config configures the gateway proxy.
[gateway: <gateway_config>]

# The license_config configures the license validation module.
[license: <license_config>]

# The tokengen_config configures the tokengen target.
[tokengen: <tokengen_config>]

admin_api_config

The admin_api_config configures the admin API.

# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = false]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate file, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key file for the client certificate. Also requires the
        # client certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates file to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0 en0]]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

limits:
  # Should API based per-instance limits be used.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-instance limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

admin_client_config

The admin_client_config configures the instance management admin client.

storage:
  # Set a backend to use, (gcs, s3)
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a servers response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to S3 via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

    # Path to header map file containing name/value combos.
    # CLI flag: -admin.client.s3.header-map.file-path
    [header_map_file_path: <string> | default = ""]

    # Interval at which to repoll the headers file, if set <= 0 polling is
    # disabled.
    # CLI flag: -admin.client.s3.header-map.poll-interval
    [header_map_poll_interval: <duration> | default = 1m]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON representing either a Google Developers Console
    # client_credentials.json file or a Google Developers service account key
    # file. If empty, fallback to Google default logic.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  # Enable caching on the versioned client
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]

auth_config

The auth_config configures the authentication type to use.

# method for authenticating incoming HTTP requests, (default, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "default"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as a admin scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]

gateway_config

The gateway_config configures the gateway proxy.

proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  ruler:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

license_config

The license_config configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

tokengen_config

The tokengen_config configures the tokengen target.

# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]

server_config

The server_config configures the HTTP and gRPC server of the launched service(s).

# HTTP server listen network, default tcp
# CLI flag: -server.http-listen-network
[http_listen_network: <string> | default = "tcp"]

# HTTP server listen address.
# CLI flag: -server.http-listen-address
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]

# Maximum number of simultaneous http connections, <=0 to disable
# CLI flag: -server.http-conn-limit
[http_listen_conn_limit: <int> | default = 0]

# gRPC server listen network
# CLI flag: -server.grpc-listen-network
[grpc_listen_network: <string> | default = "tcp"]

# gRPC server listen address.
# CLI flag: -server.grpc-listen-address
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# Maximum number of simultaneous grpc connections, <=0 to disable
# CLI flag: -server.grpc-conn-limit
[grpc_listen_conn_limit: <int> | default = 0]

http_tls_config:
  # HTTP server cert path.
  # CLI flag: -server.http-tls-cert-path
  [cert_file: <string> | default = ""]

  # HTTP server key path.
  # CLI flag: -server.http-tls-key-path
  [key_file: <string> | default = ""]

  # HTTP TLS Client Auth type.
  # CLI flag: -server.http-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # HTTP TLS Client CA path.
  # CLI flag: -server.http-tls-ca-path
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # GRPC TLS server cert path.
  # CLI flag: -server.grpc-tls-cert-path
  [cert_file: <string> | default = ""]

  # GRPC TLS server key path.
  # CLI flag: -server.grpc-tls-key-path
  [key_file: <string> | default = ""]

  # GRPC TLS Client Auth type.
  # CLI flag: -server.grpc-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # GRPC TLS Client CA path.
  # CLI flag: -server.grpc-tls-ca-path
  [client_ca_file: <string> | default = ""]

# Register the intrumentation handlers (/metrics etc).
# CLI flag: -server.register-instrumentation
[register_instrumentation: <boolean> | default = true]

# Timeout for graceful shutdowns
# CLI flag: -server.graceful-shutdown-timeout
[graceful_shutdown_timeout: <duration> | default = 30s]

# Read timeout for HTTP server
# CLI flag: -server.http-read-timeout
[http_server_read_timeout: <duration> | default = 30s]

# Write timeout for HTTP server
# CLI flag: -server.http-write-timeout
[http_server_write_timeout: <duration> | default = 30s]

# Idle timeout for HTTP server
# CLI flag: -server.http-idle-timeout
[http_server_idle_timeout: <duration> | default = 2m]

# Limit on the size of a gRPC message this server can receive (bytes).
# CLI flag: -server.grpc-max-recv-msg-size-bytes
[grpc_server_max_recv_msg_size: <int> | default = 4194304]

# Limit on the size of a gRPC message this server can send (bytes).
# CLI flag: -server.grpc-max-send-msg-size-bytes
[grpc_server_max_send_msg_size: <int> | default = 4194304]

# Limit on the number of concurrent streams for gRPC calls (0 = unlimited)
# CLI flag: -server.grpc-max-concurrent-streams
[grpc_server_max_concurrent_streams: <int> | default = 100]

# The duration after which an idle connection should be closed. Default:
# infinity
# CLI flag: -server.grpc.keepalive.max-connection-idle
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# The duration for the maximum amount of time a connection may exist before it
# will be closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# An additive period after max-connection-age after which the connection will be
# forcibly closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age-grace
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# Duration after which a keepalive probe is sent in case of no activity over the
# connection., Default: 2h
# CLI flag: -server.grpc.keepalive.time
[grpc_server_keepalive_time: <duration> | default = 2h]

# After having pinged for keepalive check, the duration after which an idle
# connection should be closed, Default: 20s
# CLI flag: -server.grpc.keepalive.timeout
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# Minimum amount of time a client should wait before sending a keepalive ping.
# If client sends keepalive ping more often, server will send GOAWAY and close
# the connection.
# CLI flag: -server.grpc.keepalive.min-time-between-pings
[grpc_server_min_time_between_pings: <duration> | default = 5m]

# If true, server allows keepalive pings even when there are no active
# streams(RPCs). If false, and client sends ping when there are no active
# streams, server will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.ping-without-stream-allowed
[grpc_server_ping_without_stream_allowed: <boolean> | default = false]

# Output log messages in the given format. Valid formats: [logfmt, json]
# CLI flag: -log.format
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# Optionally log the source IPs.
# CLI flag: -server.log-source-ips-enabled
[log_source_ips_enabled: <boolean> | default = false]

# Header field storing the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-header
[log_source_ips_header: <string> | default = ""]

# Regex for matching the source IPs. Only used if server.log-source-ips-enabled
# is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For
# headers are used
# CLI flag: -server.log-source-ips-regex
[log_source_ips_regex: <string> | default = ""]

# Base path to serve all API routes from (e.g. /v1/)
# CLI flag: -server.path-prefix
[http_path_prefix: <string> | default = ""]

distributor_config

The distributor_config configures the GEL distributor.

ring:
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -distributor.ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -distributor.ring.prefix
    [prefix: <string> | default = "collectors/"]

    consul:
      # Hostname and port of Consul.
      # CLI flag: -distributor.ring.consul.hostname
      [host: <string> | default = "localhost:8500"]

      # ACL Token used to interact with Consul.
      # CLI flag: -distributor.ring.consul.acl-token
      [acl_token: <string> | default = ""]

      # HTTP timeout when talking to Consul
      # CLI flag: -distributor.ring.consul.client-timeout
      [http_client_timeout: <duration> | default = 20s]

      # Enable consistent reads to Consul.
      # CLI flag: -distributor.ring.consul.consistent-reads
      [consistent_reads: <boolean> | default = false]

      # Rate limit when watching key or prefix in Consul, in requests per
      # second. 0 disables the rate limit.
      # CLI flag: -distributor.ring.consul.watch-rate-limit
      [watch_rate_limit: <float> | default = 1]

      # Burst size used in rate limit. Values less than 1 are treated as 1.
      # CLI flag: -distributor.ring.consul.watch-burst-size
      [watch_burst_size: <int> | default = 1]

    etcd:
      # The etcd endpoints to connect to.
      # CLI flag: -distributor.ring.etcd.endpoints
      [endpoints: <list of string> | default = []]

      # The dial timeout for the etcd connection.
      # CLI flag: -distributor.ring.etcd.dial-timeout
      [dial_timeout: <duration> | default = 10s]

      # The maximum number of retries to do for failed ops.
      # CLI flag: -distributor.ring.etcd.max-retries
      [max_retries: <int> | default = 10]

      # Enable TLS.
      # CLI flag: -distributor.ring.etcd.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate file, which will be used for
      # authenticating with the server. Also requires the key path to be
      # configured.
      # CLI flag: -distributor.ring.etcd.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key file for the client certificate. Also requires the
      # client certificate to be configured.
      # CLI flag: -distributor.ring.etcd.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates file to validate server certificate against.
      # If not set, the host's root CA certificates are used.
      # CLI flag: -distributor.ring.etcd.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -distributor.ring.etcd.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -distributor.ring.etcd.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Etcd username.
      # CLI flag: -distributor.ring.etcd.username
      [username: <string> | default = ""]

      # Etcd password.
      # CLI flag: -distributor.ring.etcd.password
      [password: <string> | default = ""]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -distributor.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # The heartbeat timeout after which distributors are considered unhealthy
  # within the ring. 0 = never (timeout disabled).
  # CLI flag: -distributor.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Name of network interface to read address from.
  # CLI flag: -distributor.ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

querier_config

The querier_config configures the GEL querier.

# Timeout when querying backends (ingesters or storage) during the execution of
# a query request
# CLI flag: -querier.query-timeout
[query_timeout: <duration> | default = 1m]

# Limit the duration for which live tailing request would be served
# CLI flag: -querier.tail-max-duration
[tail_max_duration: <duration> | default = 1h]

# Time to wait before sending more than the minimum successful query requests.
# CLI flag: -querier.extra-query-delay
[extra_query_delay: <duration> | default = 0s]

# Maximum lookback beyond which queries are not sent to ingester. 0 means all
# queries are sent to ingester.
# CLI flag: -querier.query-ingesters-within
[query_ingesters_within: <duration> | default = 0s]

engine:
  # Timeout for query execution.
  # CLI flag: -querier.engine.timeout
  [timeout: <duration> | default = 5m]

  # The maximum amount of time to look back for log lines. Used only for instant
  # log queries.
  # CLI flag: -querier.engine.max-lookback-period
  [max_look_back_period: <duration> | default = 30s]

# The maximum number of concurrent queries.
# CLI flag: -querier.max-concurrent
[max_concurrent: <int> | default = 20]

# Queriers should only query the store and not try to query any ingesters
# CLI flag: -querier.query-store-only
[query_store_only: <boolean> | default = false]

ingester_client_config

The ingester_client_config configures how the GEL distributors connect to the ingesters.

pool_config:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -distributor.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -distributor.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

# Timeout for ingester client RPCs.
# CLI flag: -ingester.client.timeout
[remote_timeout: <duration> | default = 5s]

grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -ingester.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -ingester.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -ingester.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ingester.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -ingester.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -ingester.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -ingester.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -ingester.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -ingester.client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -ingester.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ingester.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ingester.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ingester.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ingester.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ingester.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

ingester_config

The ingester_config configures the GEL ingester.

lifecycler:
  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -ring.prefix
      [prefix: <string> | default = "collectors/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate file, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key file for the client certificate. Also requires the
        # client certificate to be configured.
        # CLI flag: -etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates file to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Etcd username.
        # CLI flag: -etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # The heartbeat timeout after which ingesters are skipped for reads/writes.
    # 0 = never (timeout disabled).
    # CLI flag: -ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # The number of ingesters to write to and read from.
    # CLI flag: -distributor.replication-factor
    [replication_factor: <int> | default = 3]

    # True to enable the zone-awareness and replicate ingested samples across
    # different availability zones.
    # CLI flag: -distributor.zone-awareness-enabled
    [zone_awareness_enabled: <boolean> | default = false]

  # Number of tokens for each ingester.
  # CLI flag: -ingester.num-tokens
  [num_tokens: <int> | default = 128]

  # Period at which to heartbeat to consul. 0 = disabled.
  # CLI flag: -ingester.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # Observe tokens after generating to resolve collisions. Useful when using
  # gossiping ring.
  # CLI flag: -ingester.observe-period
  [observe_period: <duration> | default = 0s]

  # Period to wait for a claim from another member; will join automatically
  # after this.
  # CLI flag: -ingester.join-after
  [join_after: <duration> | default = 0s]

  # Minimum duration to wait before becoming ready. This is to work around race
  # conditions with ingesters exiting and updating the ring.
  # CLI flag: -ingester.min-ready-duration
  [min_ready_duration: <duration> | default = 1m]

  # Name of network interface to read address from.
  # CLI flag: -ingester.lifecycler.interface
  [interface_names: <list of string> | default = [eth0 en0]]

  # Duration to sleep for before exiting, to ensure metrics are scraped.
  # CLI flag: -ingester.final-sleep
  [final_sleep: <duration> | default = 30s]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -ingester.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # The availability zone where this instance is running.
  # CLI flag: -ingester.availability-zone
  [availability_zone: <string> | default = ""]

  # Unregister from the ring upon clean shutdown. It can be useful to disable
  # for rolling restarts with consistent naming in conjunction with
  # -distributor.extend-writes=false.
  # CLI flag: -ingester.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

# Number of times to try and transfer chunks before falling back to flushing. If
# set to 0 or negative value, transfers are disabled.
# CLI flag: -ingester.max-transfer-retries
[max_transfer_retries: <int> | default = 10]

# CLI flag: -ingester.concurrent-flushes
[concurrent_flushes: <int> | default = 16]

# CLI flag: -ingester.flush-check-period
[flush_check_period: <duration> | default = 30s]

# CLI flag: -ingester.flush-op-timeout
[flush_op_timeout: <duration> | default = 10s]

# CLI flag: -ingester.chunks-retain-period
[chunk_retain_period: <duration> | default = 15m]

# CLI flag: -ingester.chunks-idle-period
[chunk_idle_period: <duration> | default = 30m]

# CLI flag: -ingester.chunks-block-size
[chunk_block_size: <int> | default = 262144]

# CLI flag: -ingester.chunk-target-size
[chunk_target_size: <int> | default = 0]

# The algorithm to use for compressing chunk. (none, gzip, lz4-64k, snappy,
# lz4-256k, lz4-1M, lz4, flate, zstd)
# CLI flag: -ingester.chunk-encoding
[chunk_encoding: <string> | default = "gzip"]

# Maximum chunk age before flushing.
# CLI flag: -ingester.max-chunk-age
[max_chunk_age: <duration> | default = 1h]

# Enable to remove unhealthy ingesters from the ring after
# `ring.kvstore.heartbeat_timeout`
# CLI flag: -ingester.autoforget-unhealthy
[autoforget_unhealthy: <boolean> | default = false]

# How often to cut chunks to synchronize ingesters.
# CLI flag: -ingester.sync-period
[sync_period: <duration> | default = 0s]

# Minimum utilization of chunk when doing synchronization.
# CLI flag: -ingester.sync-min-utilization
[sync_min_utilization: <float> | default = 0]

# Maximum number of ignored stream errors to return. 0 to return all errors.
# CLI flag: -ingester.max-ignored-stream-errors
[max_returned_stream_errors: <int> | default = 10]

# How far back should an ingester be allowed to query the store for data, for
# use only with boltdb-shipper index and filesystem object store. -1 for
# infinite.
# CLI flag: -ingester.query-store-max-look-back-period
[query_store_max_look_back_period: <duration> | default = 0s]

wal:
  # Enable writing of ingested data into WAL.
  # CLI flag: -ingester.wal-enabled
  [enabled: <boolean> | default = false]

  # Directory to store the WAL and/or recover from WAL.
  # CLI flag: -ingester.wal-dir
  [dir: <string> | default = "wal"]

  # Interval at which checkpoints should be created.
  # CLI flag: -ingester.checkpoint-duration
  [checkpoint_duration: <duration> | default = 5m]

  # When WAL is enabled, should chunks be flushed to long-term storage on
  # shutdown.
  # CLI flag: -ingester.flush-on-shutdown
  [flush_on_shutdown: <boolean> | default = false]

  # How much memory the WAL may use during replay before it needs to flush
  # chunks to storage, i.e. 10GB. We suggest setting this to a high percentage
  # (~75%) of available memory.
  # CLI flag: -ingester.wal-replay-memory-ceiling
  [replay_memory_ceiling: <int> | default = 4GB]

# Shard factor used in the ingesters for the in process reverse index. This MUST
# be evenly divisible by ALL schema shard factors or GEL will not start.
# CLI flag: -ingester.index-shards
[index_shards: <int> | default = 32]

storage_config

Configures where GEL will store data.

# The storage engine to use: chunks or blocks.
# CLI flag: -store.engine
[engine: <string> | default = "chunks"]

aws:
  dynamodb:
    # DynamoDB endpoint URL with escaped Key and Secret encoded. If only region
    # is specified as a host, proper endpoint will be deduced. Use
    # inmemory:///<table-name> to use a mock in-memory implementation.
    # CLI flag: -dynamodb.url
    [dynamodb_url: <url> | default = ]

    # DynamoDB table management requests per second limit.
    # CLI flag: -dynamodb.api-limit
    [api_limit: <float> | default = 2]

    # DynamoDB rate cap to back off when throttled.
    # CLI flag: -dynamodb.throttle-limit
    [throttle_limit: <float> | default = 10]

    metrics:
      # Use metrics-based autoscaling, via this query URL
      # CLI flag: -metrics.url
      [url: <string> | default = ""]

      # Queue length above which we will scale up capacity
      # CLI flag: -metrics.target-queue-length
      [target_queue_length: <int> | default = 100000]

      # Scale up capacity by this multiple
      # CLI flag: -metrics.scale-up-factor
      [scale_up_factor: <float> | default = 1.3]

      # Ignore throttling below this level (rate per second)
      # CLI flag: -metrics.ignore-throttle-below
      [ignore_throttle_below: <float> | default = 1]

      # query to fetch ingester queue length
      # CLI flag: -metrics.queue-length-query
      [queue_length_query: <string> | default = "sum(avg_over_time(cortex_ingester_flush_queue_length{job=\"cortex/ingester\"}[2m]))"]

      # query to fetch throttle rates per table
      # CLI flag: -metrics.write-throttle-query
      [write_throttle_query: <string> | default = "sum(rate(cortex_dynamo_throttled_total{operation=\"DynamoDB.BatchWriteItem\"}[1m])) by (table) > 0"]

      # query to fetch write capacity usage per table
      # CLI flag: -metrics.usage-query
      [write_usage_query: <string> | default = "sum(rate(cortex_dynamo_consumed_capacity_total{operation=\"DynamoDB.BatchWriteItem\"}[15m])) by (table) > 0"]

      # query to fetch read capacity usage per table
      # CLI flag: -metrics.read-usage-query
      [read_usage_query: <string> | default = "sum(rate(cortex_dynamo_consumed_capacity_total{operation=\"DynamoDB.QueryPages\"}[1h])) by (table) > 0"]

      # query to fetch read errors per table
      # CLI flag: -metrics.read-error-query
      [read_error_query: <string> | default = "sum(increase(cortex_dynamo_failures_total{operation=\"DynamoDB.QueryPages\",error=\"ProvisionedThroughputExceededException\"}[1m])) by (table) > 0"]

    # Number of chunks to group together to parallelise fetches (zero to
    # disable)
    # CLI flag: -dynamodb.chunk-gang-size
    [chunk_gang_size: <int> | default = 10]

    # Max number of chunk-get operations to start in parallel
    # CLI flag: -dynamodb.chunk.get-max-parallelism
    [chunk_get_max_parallelism: <int> | default = 32]

    backoff_config:
      # Minimum backoff time
      # CLI flag: -dynamodb.min-backoff
      [min_period: <duration> | default = 100ms]

      # Maximum backoff time
      # CLI flag: -dynamodb.max-backoff
      [max_period: <duration> | default = 50s]

      # Maximum number of times to retry an operation
      # CLI flag: -dynamodb.max-retries
      [max_retries: <int> | default = 20]

  # S3 endpoint URL with escaped Key and Secret encoded. If only region is
  # specified as a host, proper endpoint will be deduced. Use
  # inmemory:///<bucket-name> to use a mock in-memory implementation.
  # CLI flag: -s3.url
  [s3: <url> | default = ]

  # Set this to `true` to force the request to use path-style addressing.
  # CLI flag: -s3.force-path-style
  [s3forcepathstyle: <boolean> | default = false]

  # Comma separated list of bucket names to evenly distribute chunks over.
  # Overrides any buckets specified in s3.url flag
  # CLI flag: -s3.buckets
  [bucketnames: <string> | default = ""]

  # S3 Endpoint to connect to.
  # CLI flag: -s3.endpoint
  [endpoint: <string> | default = ""]

  # AWS region to use.
  # CLI flag: -s3.region
  [region: <string> | default = ""]

  # AWS Access Key ID
  # CLI flag: -s3.access-key-id
  [access_key_id: <string> | default = ""]

  # AWS Secret Access Key
  # CLI flag: -s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # Disable https on s3 connection.
  # CLI flag: -s3.insecure
  [insecure: <boolean> | default = false]

  # Enable AWS Server Side Encryption [Deprecated: Use .sse instead. if
  # s3.sse-encryption is enabled, it assumes .sse.type SSE-S3]
  # CLI flag: -s3.sse-encryption
  [sse_encryption: <boolean> | default = false]

  http_config:
    # The maximum amount of time an idle connection will be held open.
    # CLI flag: -s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # If non-zero, specifies the amount of time to wait for a server's response
    # headers after fully writing the request.
    # CLI flag: -s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 0s]

    # Set to true to skip verifying the certificate chain and hostname.
    # CLI flag: -s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # Path to the trusted CA file that signed the SSL certificate of the S3
    # endpoint.
    # CLI flag: -s3.http.ca-file
    [ca_file: <string> | default = ""]

  # The signature version to use for authenticating against S3. Supported values
  # are: v4, v2.
  # CLI flag: -s3.signature-version
  [signature_version: <string> | default = "v4"]

  sse:
    # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
    # CLI flag: -s3.sse.type
    [type: <string> | default = ""]

    # KMS Key ID used to encrypt objects in S3
    # CLI flag: -s3.sse.kms-key-id
    [kms_key_id: <string> | default = ""]

    # KMS Encryption Context used for object encryption. It expects JSON
    # formatted string.
    # CLI flag: -s3.sse.kms-encryption-context
    [kms_encryption_context: <string> | default = ""]

azure:
  # Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud,
  # AzureGermanCloud, AzureUSGovernment.
  # CLI flag: -azure.environment
  [environment: <string> | default = "AzureGlobal"]

  # Name of the blob container used to store chunks. This container must be
  # created before running cortex.
  # CLI flag: -azure.container-name
  [container_name: <string> | default = "cortex"]

  # The Microsoft Azure account name to be used
  # CLI flag: -azure.account-name
  [account_name: <string> | default = ""]

  # The Microsoft Azure account key to use.
  # CLI flag: -azure.account-key
  [account_key: <string> | default = ""]

  # Preallocated buffer size for downloads.
  # CLI flag: -azure.download-buffer-size
  [download_buffer_size: <int> | default = 512000]

  # Preallocated buffer size for uploads.
  # CLI flag: -azure.upload-buffer-size
  [upload_buffer_size: <int> | default = 256000]

  # Number of buffers used to used to upload a chunk.
  # CLI flag: -azure.download-buffer-count
  [upload_buffer_count: <int> | default = 1]

  # Timeout for requests made against azure blob storage.
  # CLI flag: -azure.request-timeout
  [request_timeout: <duration> | default = 30s]

  # Number of retries for a request which times out.
  # CLI flag: -azure.max-retries
  [max_retries: <int> | default = 5]

  # Minimum time to wait before retrying a request.
  # CLI flag: -azure.min-retry-delay
  [min_retry_delay: <duration> | default = 10ms]

  # Maximum time to wait before retrying a request.
  # CLI flag: -azure.max-retry-delay
  [max_retry_delay: <duration> | default = 500ms]

bigtable:
  # Bigtable project ID.
  # CLI flag: -bigtable.project
  [project: <string> | default = ""]

  # Bigtable instance ID. Please refer to
  # https://cloud.google.com/docs/authentication/production for more information
  # about how to configure authentication.
  # CLI flag: -bigtable.instance
  [instance: <string> | default = ""]

  grpc_client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -bigtable.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -bigtable.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -bigtable.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -bigtable.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -bigtable.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -bigtable.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -bigtable.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -bigtable.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -bigtable.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -bigtable.tls-enabled
    [tls_enabled: <boolean> | default = true]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -bigtable.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -bigtable.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -bigtable.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -bigtable.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -bigtable.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

  # If enabled, once a tables info is fetched, it is cached.
  # CLI flag: -bigtable.table-cache.enabled
  [table_cache_enabled: <boolean> | default = true]

  # Duration to cache tables before checking again.
  # CLI flag: -bigtable.table-cache.expiration
  [table_cache_expiration: <duration> | default = 30m]

gcs:
  # Name of GCS bucket. Please refer to
  # https://cloud.google.com/docs/authentication/production for more information
  # about how to configure authentication.
  # CLI flag: -gcs.bucketname
  [bucket_name: <string> | default = ""]

  # The size of the buffer that GCS client for each PUT request. 0 to disable
  # buffering.
  # CLI flag: -gcs.chunk-buffer-size
  [chunk_buffer_size: <int> | default = 0]

  # The duration after which the requests to GCS should be timed out.
  # CLI flag: -gcs.request-timeout
  [request_timeout: <duration> | default = 0s]

  # Enabled OpenCensus (OC) instrumentation for all requests.
  # CLI flag: -gcs.enable-opencensus
  [enable_opencensus: <boolean> | default = true]

cassandra:
  # Comma-separated hostnames or IPs of Cassandra instances.
  # CLI flag: -cassandra.addresses
  [addresses: <string> | default = ""]

  # Port that Cassandra is running on
  # CLI flag: -cassandra.port
  [port: <int> | default = 9042]

  # Keyspace to use in Cassandra.
  # CLI flag: -cassandra.keyspace
  [keyspace: <string> | default = ""]

  # Consistency level for Cassandra.
  # CLI flag: -cassandra.consistency
  [consistency: <string> | default = "QUORUM"]

  # Replication factor to use in Cassandra.
  # CLI flag: -cassandra.replication-factor
  [replication_factor: <int> | default = 3]

  # Instruct the cassandra driver to not attempt to get host info from the
  # system.peers table.
  # CLI flag: -cassandra.disable-initial-host-lookup
  [disable_initial_host_lookup: <boolean> | default = false]

  # Use SSL when connecting to cassandra instances.
  # CLI flag: -cassandra.ssl
  [SSL: <boolean> | default = false]

  # Require SSL certificate validation.
  # CLI flag: -cassandra.host-verification
  [host_verification: <boolean> | default = true]

  # Policy for selecting Cassandra host. Supported values are: round-robin,
  # token-aware.
  # CLI flag: -cassandra.host-selection-policy
  [host_selection_policy: <string> | default = "round-robin"]

  # Path to certificate file to verify the peer.
  # CLI flag: -cassandra.ca-path
  [CA_path: <string> | default = ""]

  # Path to certificate file used by TLS.
  # CLI flag: -cassandra.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to private key file used by TLS.
  # CLI flag: -cassandra.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Enable password authentication when connecting to cassandra.
  # CLI flag: -cassandra.auth
  [auth: <boolean> | default = false]

  # Username to use when connecting to cassandra.
  # CLI flag: -cassandra.username
  [username: <string> | default = ""]

  # Password to use when connecting to cassandra.
  # CLI flag: -cassandra.password
  [password: <string> | default = ""]

  # File containing password to use when connecting to cassandra.
  # CLI flag: -cassandra.password-file
  [password_file: <string> | default = ""]

  # If set, when authenticating with cassandra a custom authenticator will be
  # expected during the handshake. This flag can be set multiple times.
  # CLI flag: -cassandra.custom-authenticator
  [custom_authenticators: <list of string> | default = []]

  # Timeout when connecting to cassandra.
  # CLI flag: -cassandra.timeout
  [timeout: <duration> | default = 2s]

  # Initial connection timeout, used during initial dial to server.
  # CLI flag: -cassandra.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # Interval to retry connecting to cassandra nodes marked as DOWN.
  # CLI flag: -cassandra.reconnent-interval
  [reconnect_interval: <duration> | default = 1s]

  # Number of retries to perform on a request. Set to 0 to disable retries.
  # CLI flag: -cassandra.max-retries
  [max_retries: <int> | default = 0]

  # Maximum time to wait before retrying a failed request.
  # CLI flag: -cassandra.retry-max-backoff
  [retry_max_backoff: <duration> | default = 10s]

  # Minimum time to wait before retrying a failed request.
  # CLI flag: -cassandra.retry-min-backoff
  [retry_min_backoff: <duration> | default = 100ms]

  # Limit number of concurrent queries to Cassandra. Set to 0 to disable the
  # limit.
  # CLI flag: -cassandra.query-concurrency
  [query_concurrency: <int> | default = 0]

  # Number of TCP connections per host.
  # CLI flag: -cassandra.num-connections
  [num_connections: <int> | default = 2]

  # Convict hosts of being down on failure.
  # CLI flag: -cassandra.convict-hosts-on-failure
  [convict_hosts_on_failure: <boolean> | default = true]

  # Table options used to create index or chunk tables. This value is used as
  # plain text in the table `WITH` like this, "CREATE TABLE
  # <generated_by_cortex> (...) WITH <cassandra.table-options>". For details,
  # see https://cortexmetrics.io/docs/production/cassandra. By default it will
  # use the default table options of your Cassandra cluster.
  # CLI flag: -cassandra.table-options
  [table_options: <string> | default = ""]

boltdb:
  # Location of BoltDB index files.
  # CLI flag: -boltdb.dir
  [directory: <string> | default = ""]

filesystem:
  # Directory to store chunks in.
  # CLI flag: -local.chunk-directory
  [directory: <string> | default = ""]

swift:
  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs the from user domain.
  # CLI flag: -swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -swift.container-name
  [container_name: <string> | default = ""]

  # Max retries on requests error.
  # CLI flag: -swift.max-retries
  [max_retries: <int> | default = 3]

  # Time after which a connection attempt is aborted.
  # CLI flag: -swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # Time after which an idle request is aborted. The timeout watchdog is reset
  # each time some data is received, so the timeout triggers after X time no
  # data is received on a request.
  # CLI flag: -swift.request-timeout
  [request_timeout: <duration> | default = 5s]

# Cache validity for active index entries. Should be no higher than
# -ingester.max-chunk-idle.
# CLI flag: -store.index-cache-validity
[index_cache_validity: <duration> | default = 5m]

index_queries_cache_config:
  # Cache config for index entry reading. Enable in-memory cache.
  # CLI flag: -store.index-cache-read.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for index entry reading. The default validity of entries for
  # caches unless overridden.
  # CLI flag: -store.index-cache-read.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for index entry reading. At what concurrency to write back to
    # cache.
    # CLI flag: -store.index-cache-read.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for index entry reading. How many key batches to buffer for
    # background write-back.
    # CLI flag: -store.index-cache-read.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for index entry reading. How long keys stay in the memcache.
    # CLI flag: -store.index-cache-read.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry reading. How many keys to fetch in each
    # batch.
    # CLI flag: -store.index-cache-read.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for index entry reading. Maximum active requests to memcache.
    # CLI flag: -store.index-cache-read.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for index entry reading. Hostname for memcached service to
    # use. If empty and if addresses is unset, no memcached will be used.
    # CLI flag: -store.index-cache-read.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for index entry reading. SRV service used to discover
    # memcache servers.
    # CLI flag: -store.index-cache-read.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for index entry reading. EXPERIMENTAL: Comma separated
    # addresses list in DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.index-cache-read.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for index entry reading. Maximum time to wait before giving
    # up on memcached requests.
    # CLI flag: -store.index-cache-read.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for index entry reading. Maximum number of idle connections
    # in pool.
    # CLI flag: -store.index-cache-read.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for index entry reading. The maximum size of an item stored
    # in memcached. Bigger items are not stored. If set to 0, no maximum size is
    # enforced.
    # CLI flag: -store.index-cache-read.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for index entry reading. Period with which to poll DNS for
    # memcache servers.
    # CLI flag: -store.index-cache-read.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for index entry reading. Use consistent hashing to distribute
    # to memcache servers.
    # CLI flag: -store.index-cache-read.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for index entry reading. Trip circuit-breaker after this
    # number of consecutive dial failures (if zero then circuit-breaker is
    # disabled).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for index entry reading. Duration circuit-breaker remains
    # open after tripping (if zero then 60 seconds is used).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for index entry reading. Reset circuit-breaker counts after
    # this long (if zero then never reset).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for index entry reading. Redis Server endpoint to use for
    # caching. A comma-separated list of endpoints for Redis Cluster or Redis
    # Sentinel. If empty, no redis will be used.
    # CLI flag: -store.index-cache-read.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for index entry reading. Redis Sentinel master name. An empty
    # string for Redis Server or Redis Cluster.
    # CLI flag: -store.index-cache-read.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for index entry reading. Maximum time to wait before giving
    # up on redis requests.
    # CLI flag: -store.index-cache-read.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for index entry reading. How long keys stay in the redis.
    # CLI flag: -store.index-cache-read.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry reading. Database index.
    # CLI flag: -store.index-cache-read.redis.db
    [db: <int> | default = 0]

    # Cache config for index entry reading. Maximum number of connections in the
    # pool.
    # CLI flag: -store.index-cache-read.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for index entry reading. Password to use when connecting to
    # redis.
    # CLI flag: -store.index-cache-read.redis.password
    [password: <string> | default = ""]

    # Cache config for index entry reading. Enable connecting to redis with TLS.
    # CLI flag: -store.index-cache-read.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for index entry reading. Skip validating server certificate.
    # CLI flag: -store.index-cache-read.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for index entry reading. Close connections after remaining
    # idle for this duration. If the value is zero, then idle connections are
    # not closed.
    # CLI flag: -store.index-cache-read.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for index entry reading. Close connections older than this
    # duration. If the value is zero, then the pool does not close connections
    # based on age.
    # CLI flag: -store.index-cache-read.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for index entry reading. Maximum memory size of the cache in
    # bytes. A unit suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.index-cache-read.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for index entry reading. Maximum number of entries in the
    # cache.
    # CLI flag: -store.index-cache-read.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for index entry reading. The expiry duration for the cache.
    # CLI flag: -store.index-cache-read.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for index entry reading. The number of entries to cache.
    # CLI flag: -store.index-cache-read.fifocache.size
    [size: <int> | default = 0]

# Disable broad index queries which results in reduced cache usage and faster
# query performance at the expense of somewhat higher QPS on the index store.
# CLI flag: -store.disable-broad-index-queries
[disable_broad_index_queries: <boolean> | default = false]

delete_store:
  # Store for keeping delete request
  # CLI flag: -deletes.store
  [store: <string> | default = ""]

  # Name of the table which stores delete requests
  # CLI flag: -deletes.requests-table-name
  [requests_table_name: <string> | default = "delete_requests"]

  table_provisioning:
    # Enables on demand throughput provisioning for the storage provider (if
    # supported). Applies only to tables which are not autoscaled. Supported by
    # DynamoDB
    # CLI flag: -deletes.table.enable-ondemand-throughput-mode
    [enable_ondemand_throughput_mode: <boolean> | default = false]

    # Table default write throughput. Supported by DynamoDB
    # CLI flag: -deletes.table.write-throughput
    [provisioned_write_throughput: <int> | default = 1]

    # Table default read throughput. Supported by DynamoDB
    # CLI flag: -deletes.table.read-throughput
    [provisioned_read_throughput: <int> | default = 300]

    write_scale:
      # Should we enable autoscale for the table.
      # CLI flag: -deletes.table.write-throughput.scale.enabled
      [enabled: <boolean> | default = false]

      # AWS AutoScaling role ARN
      # CLI flag: -deletes.table.write-throughput.scale.role-arn
      [role_arn: <string> | default = ""]

      # DynamoDB minimum provision capacity.
      # CLI flag: -deletes.table.write-throughput.scale.min-capacity
      [min_capacity: <int> | default = 3000]

      # DynamoDB maximum provision capacity.
      # CLI flag: -deletes.table.write-throughput.scale.max-capacity
      [max_capacity: <int> | default = 6000]

      # DynamoDB minimum seconds between each autoscale up.
      # CLI flag: -deletes.table.write-throughput.scale.out-cooldown
      [out_cooldown: <int> | default = 1800]

      # DynamoDB minimum seconds between each autoscale down.
      # CLI flag: -deletes.table.write-throughput.scale.in-cooldown
      [in_cooldown: <int> | default = 1800]

      # DynamoDB target ratio of consumed capacity to provisioned capacity.
      # CLI flag: -deletes.table.write-throughput.scale.target-value
      [target: <float> | default = 80]

    read_scale:
      # Should we enable autoscale for the table.
      # CLI flag: -deletes.table.read-throughput.scale.enabled
      [enabled: <boolean> | default = false]

      # AWS AutoScaling role ARN
      # CLI flag: -deletes.table.read-throughput.scale.role-arn
      [role_arn: <string> | default = ""]

      # DynamoDB minimum provision capacity.
      # CLI flag: -deletes.table.read-throughput.scale.min-capacity
      [min_capacity: <int> | default = 3000]

      # DynamoDB maximum provision capacity.
      # CLI flag: -deletes.table.read-throughput.scale.max-capacity
      [max_capacity: <int> | default = 6000]

      # DynamoDB minimum seconds between each autoscale up.
      # CLI flag: -deletes.table.read-throughput.scale.out-cooldown
      [out_cooldown: <int> | default = 1800]

      # DynamoDB minimum seconds between each autoscale down.
      # CLI flag: -deletes.table.read-throughput.scale.in-cooldown
      [in_cooldown: <int> | default = 1800]

      # DynamoDB target ratio of consumed capacity to provisioned capacity.
      # CLI flag: -deletes.table.read-throughput.scale.target-value
      [target: <float> | default = 80]

    # Tag (of the form key=value) to be added to the tables. Supported by
    # DynamoDB
    # CLI flag: -deletes.table.tags
    [tags: <map of string to string> | default = ]

grpc_store:
  # Hostname or IP of the gRPC store instance.
  # CLI flag: -grpc-store.server-address
  [server_address: <string> | default = ""]

# The maximum number of chunks to fetch per batch.
# CLI flag: -store.max-chunk-batch-size
[max_chunk_batch_size: <int> | default = 50]

boltdb_shipper:
  # Directory where ingesters would write boltdb files which would then be
  # uploaded by shipper to configured storage
  # CLI flag: -boltdb.shipper.active-index-directory
  [active_index_directory: <string> | default = ""]

  # Shared store for keeping boltdb files. Supported types: gcs, s3, azure,
  # filesystem
  # CLI flag: -boltdb.shipper.shared-store
  [shared_store: <string> | default = ""]

  # Prefix to add to Object Keys in Shared store. Path separator(if any) should
  # always be a '/'. Prefix should never start with a separator but should
  # always end with it
  # CLI flag: -boltdb.shipper.shared-store.key-prefix
  [shared_store_key_prefix: <string> | default = "index/"]

  # Cache location for restoring boltDB files for queries
  # CLI flag: -boltdb.shipper.cache-location
  [cache_location: <string> | default = ""]

  # TTL for boltDB files restored in cache for queries
  # CLI flag: -boltdb.shipper.cache-ttl
  [cache_ttl: <duration> | default = 24h]

  # Resync downloaded files with the storage
  # CLI flag: -boltdb.shipper.resync-interval
  [resync_interval: <duration> | default = 5m]

  # Number of days of index to be kept downloaded for queries. Works only with
  # tables created with 24h period.
  # CLI flag: -boltdb.shipper.query-ready-num-days
  [query_ready_num_days: <int> | default = 0]

  index_gateway_client:
    # Hostname or IP of the Index Gateway gRPC server.
    # CLI flag: -boltdb.shipper.index-gateway-client.server-address
    [server_address: <string> | default = ""]

    grpc_client_config:
      # gRPC client max receive message size (bytes).
      # CLI flag: -boltdb.shipper.index-gateway-client.grpc-max-recv-msg-size
      [max_recv_msg_size: <int> | default = 104857600]

      # gRPC client max send message size (bytes).
      # CLI flag: -boltdb.shipper.index-gateway-client.grpc-max-send-msg-size
      [max_send_msg_size: <int> | default = 16777216]

      # Use compression when sending messages. Supported values are: 'gzip',
      # 'snappy' and '' (disable compression)
      # CLI flag: -boltdb.shipper.index-gateway-client.grpc-compression
      [grpc_compression: <string> | default = ""]

      # Rate limit for gRPC client; 0 means disabled.
      # CLI flag: -boltdb.shipper.index-gateway-client.grpc-client-rate-limit
      [rate_limit: <float> | default = 0]

      # Rate limit burst for gRPC client.
      # CLI flag: -boltdb.shipper.index-gateway-client.grpc-client-rate-limit-burst
      [rate_limit_burst: <int> | default = 0]

      # Enable backoff and retry when we hit ratelimits.
      # CLI flag: -boltdb.shipper.index-gateway-client.backoff-on-ratelimits
      [backoff_on_ratelimits: <boolean> | default = false]

      backoff_config:
        # Minimum delay when backing off.
        # CLI flag: -boltdb.shipper.index-gateway-client.backoff-min-period
        [min_period: <duration> | default = 100ms]

        # Maximum delay when backing off.
        # CLI flag: -boltdb.shipper.index-gateway-client.backoff-max-period
        [max_period: <duration> | default = 10s]

        # Number of times to backoff and retry before failing.
        # CLI flag: -boltdb.shipper.index-gateway-client.backoff-retries
        [max_retries: <int> | default = 10]

      # Enable TLS in the GRPC client. This flag needs to be enabled when any
      # other TLS flag is set. If set to false, insecure connection to gRPC
      # server will be used.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate file, which will be used for
      # authenticating with the server. Also requires the key path to be
      # configured.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key file for the client certificate. Also requires the
      # client certificate to be configured.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates file to validate server certificate against.
      # If not set, the host's root CA certificates are used.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -boltdb.shipper.index-gateway-client.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

chunk_store_config

Configures how GEL will store data in the specific store.

chunk_cache_config:
  # Cache config for chunks. Enable in-memory cache.
  # CLI flag: -store.chunks-cache.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for chunks. The default validity of entries for caches unless
  # overridden.
  # CLI flag: -store.chunks-cache.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for chunks. At what concurrency to write back to cache.
    # CLI flag: -store.chunks-cache.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for chunks. How many key batches to buffer for background
    # write-back.
    # CLI flag: -store.chunks-cache.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for chunks. How long keys stay in the memcache.
    # CLI flag: -store.chunks-cache.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for chunks. How many keys to fetch in each batch.
    # CLI flag: -store.chunks-cache.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for chunks. Maximum active requests to memcache.
    # CLI flag: -store.chunks-cache.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for chunks. Hostname for memcached service to use. If empty
    # and if addresses is unset, no memcached will be used.
    # CLI flag: -store.chunks-cache.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for chunks. SRV service used to discover memcache servers.
    # CLI flag: -store.chunks-cache.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for chunks. EXPERIMENTAL: Comma separated addresses list in
    # DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.chunks-cache.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for chunks. Maximum time to wait before giving up on
    # memcached requests.
    # CLI flag: -store.chunks-cache.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for chunks. Maximum number of idle connections in pool.
    # CLI flag: -store.chunks-cache.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for chunks. The maximum size of an item stored in memcached.
    # Bigger items are not stored. If set to 0, no maximum size is enforced.
    # CLI flag: -store.chunks-cache.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for chunks. Period with which to poll DNS for memcache
    # servers.
    # CLI flag: -store.chunks-cache.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for chunks. Use consistent hashing to distribute to memcache
    # servers.
    # CLI flag: -store.chunks-cache.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for chunks. Trip circuit-breaker after this number of
    # consecutive dial failures (if zero then circuit-breaker is disabled).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for chunks. Duration circuit-breaker remains open after
    # tripping (if zero then 60 seconds is used).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for chunks. Reset circuit-breaker counts after this long (if
    # zero then never reset).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for chunks. Redis Server endpoint to use for caching. A
    # comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If
    # empty, no redis will be used.
    # CLI flag: -store.chunks-cache.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for chunks. Redis Sentinel master name. An empty string for
    # Redis Server or Redis Cluster.
    # CLI flag: -store.chunks-cache.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for chunks. Maximum time to wait before giving up on redis
    # requests.
    # CLI flag: -store.chunks-cache.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for chunks. How long keys stay in the redis.
    # CLI flag: -store.chunks-cache.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for chunks. Database index.
    # CLI flag: -store.chunks-cache.redis.db
    [db: <int> | default = 0]

    # Cache config for chunks. Maximum number of connections in the pool.
    # CLI flag: -store.chunks-cache.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for chunks. Password to use when connecting to redis.
    # CLI flag: -store.chunks-cache.redis.password
    [password: <string> | default = ""]

    # Cache config for chunks. Enable connecting to redis with TLS.
    # CLI flag: -store.chunks-cache.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for chunks. Skip validating server certificate.
    # CLI flag: -store.chunks-cache.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for chunks. Close connections after remaining idle for this
    # duration. If the value is zero, then idle connections are not closed.
    # CLI flag: -store.chunks-cache.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for chunks. Close connections older than this duration. If
    # the value is zero, then the pool does not close connections based on age.
    # CLI flag: -store.chunks-cache.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for chunks. Maximum memory size of the cache in bytes. A unit
    # suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.chunks-cache.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for chunks. Maximum number of entries in the cache.
    # CLI flag: -store.chunks-cache.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for chunks. The expiry duration for the cache.
    # CLI flag: -store.chunks-cache.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for chunks. The number of entries to cache.
    # CLI flag: -store.chunks-cache.fifocache.size
    [size: <int> | default = 0]

write_dedupe_cache_config:
  # Cache config for index entry writing. Enable in-memory cache.
  # CLI flag: -store.index-cache-write.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for index entry writing. The default validity of entries for
  # caches unless overridden.
  # CLI flag: -store.index-cache-write.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for index entry writing. At what concurrency to write back to
    # cache.
    # CLI flag: -store.index-cache-write.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for index entry writing. How many key batches to buffer for
    # background write-back.
    # CLI flag: -store.index-cache-write.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for index entry writing. How long keys stay in the memcache.
    # CLI flag: -store.index-cache-write.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry writing. How many keys to fetch in each
    # batch.
    # CLI flag: -store.index-cache-write.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for index entry writing. Maximum active requests to memcache.
    # CLI flag: -store.index-cache-write.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for index entry writing. Hostname for memcached service to
    # use. If empty and if addresses is unset, no memcached will be used.
    # CLI flag: -store.index-cache-write.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for index entry writing. SRV service used to discover
    # memcache servers.
    # CLI flag: -store.index-cache-write.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for index entry writing. EXPERIMENTAL: Comma separated
    # addresses list in DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.index-cache-write.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for index entry writing. Maximum time to wait before giving
    # up on memcached requests.
    # CLI flag: -store.index-cache-write.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for index entry writing. Maximum number of idle connections
    # in pool.
    # CLI flag: -store.index-cache-write.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for index entry writing. The maximum size of an item stored
    # in memcached. Bigger items are not stored. If set to 0, no maximum size is
    # enforced.
    # CLI flag: -store.index-cache-write.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for index entry writing. Period with which to poll DNS for
    # memcache servers.
    # CLI flag: -store.index-cache-write.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for index entry writing. Use consistent hashing to distribute
    # to memcache servers.
    # CLI flag: -store.index-cache-write.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for index entry writing. Trip circuit-breaker after this
    # number of consecutive dial failures (if zero then circuit-breaker is
    # disabled).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for index entry writing. Duration circuit-breaker remains
    # open after tripping (if zero then 60 seconds is used).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for index entry writing. Reset circuit-breaker counts after
    # this long (if zero then never reset).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for index entry writing. Redis Server endpoint to use for
    # caching. A comma-separated list of endpoints for Redis Cluster or Redis
    # Sentinel. If empty, no redis will be used.
    # CLI flag: -store.index-cache-write.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for index entry writing. Redis Sentinel master name. An empty
    # string for Redis Server or Redis Cluster.
    # CLI flag: -store.index-cache-write.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for index entry writing. Maximum time to wait before giving
    # up on redis requests.
    # CLI flag: -store.index-cache-write.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for index entry writing. How long keys stay in the redis.
    # CLI flag: -store.index-cache-write.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry writing. Database index.
    # CLI flag: -store.index-cache-write.redis.db
    [db: <int> | default = 0]

    # Cache config for index entry writing. Maximum number of connections in the
    # pool.
    # CLI flag: -store.index-cache-write.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for index entry writing. Password to use when connecting to
    # redis.
    # CLI flag: -store.index-cache-write.redis.password
    [password: <string> | default = ""]

    # Cache config for index entry writing. Enable connecting to redis with TLS.
    # CLI flag: -store.index-cache-write.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for index entry writing. Skip validating server certificate.
    # CLI flag: -store.index-cache-write.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for index entry writing. Close connections after remaining
    # idle for this duration. If the value is zero, then idle connections are
    # not closed.
    # CLI flag: -store.index-cache-write.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for index entry writing. Close connections older than this
    # duration. If the value is zero, then the pool does not close connections
    # based on age.
    # CLI flag: -store.index-cache-write.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for index entry writing. Maximum memory size of the cache in
    # bytes. A unit suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.index-cache-write.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for index entry writing. Maximum number of entries in the
    # cache.
    # CLI flag: -store.index-cache-write.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for index entry writing. The expiry duration for the cache.
    # CLI flag: -store.index-cache-write.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for index entry writing. The number of entries to cache.
    # CLI flag: -store.index-cache-write.fifocache.size
    [size: <int> | default = 0]

# Cache index entries older than this period. 0 to disable.
# CLI flag: -store.cache-lookups-older-than
[cache_lookups_older_than: <duration> | default = 0s]

# This flag is deprecated. Use -querier.max-query-lookback instead.
# CLI flag: -store.max-look-back-period
[max_look_back_period: <duration> | default = 0s]

schema_config

Configures the chunk index schema and where it is stored.

# The 'period_config' block configures what index schemas should be used for
# from specific time periods.
# See https://grafana.com/docs/loki/latest/configuration/#period_config
[configs: <array> | default = none]

limits_config

Configures limits per-tenant or globally.

# Whether the ingestion rate limit should be applied individually to each
# distributor instance (local), or evenly shared across the cluster (global).
# CLI flag: -distributor.ingestion-rate-limit-strategy
[ingestion_rate_strategy: <string> | default = "local"]

# Per-user ingestion rate limit in sample size per second. Units in MB.
# CLI flag: -distributor.ingestion-rate-limit-mb
[ingestion_rate_mb: <float> | default = 4]

# Per-user allowed ingestion burst size (in sample size). Units in MB.
# CLI flag: -distributor.ingestion-burst-size-mb
[ingestion_burst_size_mb: <float> | default = 6]

# Maximum length accepted for label names
# CLI flag: -validation.max-length-label-name
[max_label_name_length: <int> | default = 1024]

# Maximum length accepted for label value. This setting also applies to the
# metric name
# CLI flag: -validation.max-length-label-value
[max_label_value_length: <int> | default = 2048]

# Maximum number of label names per series.
# CLI flag: -validation.max-label-names-per-series
[max_label_names_per_series: <int> | default = 30]

# Reject old samples.
# CLI flag: -validation.reject-old-samples
[reject_old_samples: <boolean> | default = false]

# Maximum accepted sample age before rejecting.
# CLI flag: -validation.reject-old-samples.max-age
[reject_old_samples_max_age: <duration> | default = 2w]

# Duration which table will be created/deleted before/after it's needed; we
# won't accept sample from before this time.
# CLI flag: -validation.create-grace-period
[creation_grace_period: <duration> | default = 10m]

# Enforce every sample has a metric name.
# CLI flag: -validation.enforce-metric-name
[enforce_metric_name: <boolean> | default = true]

# maximum line length allowed, i.e. 100mb. Default (0) means unlimited.
# CLI flag: -distributor.max-line-size
[max_line_size: <int> | default = 0B]

# Whether to truncate lines that exceed max_line_size
# CLI flag: -distributor.max-line-size-truncate
[max_line_size_truncate: <boolean> | default = false]

# Maximum number of active streams per user, per ingester. 0 to disable.
# CLI flag: -ingester.max-streams-per-user
[max_streams_per_user: <int> | default = 10000]

# Maximum number of active streams per user, across the cluster. 0 to disable.
# CLI flag: -ingester.max-global-streams-per-user
[max_global_streams_per_user: <int> | default = 0]

# (Experimental) Allow out of order writes.
# CLI flag: -ingester.unordered-writes
[unordered_writes: <boolean> | default = false]

# Maximum bytes per second rate per active stream (deprecated in favor of
# ingester.per-stream-rate-limit).
# CLI flag: -ingester.max-stream-rate-bytes
[max_stream_rate_bytes: <int> | default = 3MB]

# Maximum burst bytes per second rate per active stream (deprecated in favor of
# ingester.per-stream-rate-limit-burst).
# CLI flag: -ingester.max-stream-burst-bytes
[max_stream_burst_rate_bytes: <int> | default = 15MB]

# Maximum byte rate per second per stream, also expressible in human readable
# forms (1MB, 256KB, etc).
# CLI flag: -ingester.per-stream-rate-limit
[per_stream_rate_limit: <int> | default = 3MB]

# Maximum burst bytes per stream, also expressible in human readable forms (1MB,
# 256KB, etc).
# CLI flag: -ingester.per-stream-rate-limit-burst
[per_stream_rate_limit_burst: <int> | default = 15MB]

# Maximum number of chunks that can be fetched in a single query.
# CLI flag: -store.query-chunk-limit
[max_chunks_per_query: <int> | default = 2000000]

# Limit the maximum of unique series returned by a metric query. When the limit
# is reached an error is returned.
# CLI flag: -querier.max-query-series
[max_query_series: <int> | default = 500]

# Limit how long back data (series and metadata) can be queried, up until
# <lookback> duration ago. This limit is enforced in the query-frontend, querier
# and ruler. If the requested time range is outside the allowed range, the
# request will not fail but will be manipulated to only query data within the
# allowed time range. 0 to disable.
# CLI flag: -querier.max-query-lookback
[max_query_lookback: <duration> | default = 0s]

# Limit to length of chunk store queries, 0 to disable.
# CLI flag: -store.max-query-length
[max_query_length: <duration> | default = 0s]

# Maximum number of queries will be scheduled in parallel by the frontend.
# CLI flag: -querier.max-query-parallelism
[max_query_parallelism: <int> | default = 14]

# Cardinality limit for index queries.
# CLI flag: -store.cardinality-limit
[cardinality_limit: <int> | default = 100000]

# Limit the number of streams matchers per query
# CLI flag: -querier.max-streams-matcher-per-query
[max_streams_matchers_per_query: <int> | default = 1000]

# Limit the number of concurrent tail requests
# CLI flag: -querier.max-concurrent-tail-requests
[max_concurrent_tail_requests: <int> | default = 10]

# Per-user entries limit per query
# CLI flag: -validation.max-entries-limit
[max_entries_limit_per_query: <int> | default = 5000]

# Most recent allowed cacheable result per-tenant, to prevent caching very
# recent results that might still be in flux.
# CLI flag: -frontend.max-cache-freshness
[max_cache_freshness_per_query: <duration> | default = 1m]

# Maximum number of queriers that can handle requests for a single tenant. If
# set to 0 or value higher than number of available queriers, *all* queriers
# will handle requests for the tenant. Each frontend (or query-scheduler, if
# used) will select the same set of queriers for the same tenant (given that all
# queriers are connected to all frontends / query-schedulers). This option only
# works with queriers connecting to the query-frontend / query-scheduler, not
# when using downstream URL.
# CLI flag: -frontend.max-queriers-per-tenant
[max_queriers_per_tenant: <int> | default = 0]

[split_queries_by_interval: <duration> | default = ]

# Limit the sharding time range.Queries with time range that fall between now
# and now minus the sharding lookback are not sharded. 0 to disable.
# CLI flag: -frontend.min-sharding-lookback
[min_sharding_lookback: <duration> | default = 0s]

# Duration to delay the evaluation of rules to ensure the underlying metrics
# have been pushed to GEL.
# CLI flag: -ruler.evaluation-delay-duration
[ruler_evaluation_delay_duration: <duration> | default = 0s]

# Maximum number of rules per rule group per-tenant. 0 to disable.
# CLI flag: -ruler.max-rules-per-rule-group
[ruler_max_rules_per_rule_group: <int> | default = 0]

# Maximum number of rule groups per-tenant. 0 to disable.
# CLI flag: -ruler.max-rule-groups-per-tenant
[ruler_max_rule_groups_per_tenant: <int> | default = 0]

# Capacity of remote-write queues; if a queue exceeds its capacity it will evict
# oldest samples.
# CLI flag: -ruler.remote-write.queue-capacity
[ruler_remote_write_queue_capacity: <int> | default = 10000]

# How long before chunks will be deleted from the store. (requires compactor
# retention enabled).
# CLI flag: -store.retention
[retention_period: <duration> | default = 31d]

# Per-stream retention to apply, if the retention is enable on the compactor
# side.
# Example:
# retention_stream:
# - selector: '{namespace="dev"}'
#   priority: 1
#   period: 24h
# - selector: '{container="nginx"}'
#   priority: 1
#   period: 744h
# Selector is a Prometheus labels matchers that will apply the 'period'
# retention only if the stream is matching. In case multiple stream are
# matching, the highest priority will be picked. If no rule is matched the
# 'retention_period' is used.
[retention_stream: <array> | default = none]

# File name of per-user overrides.
# CLI flag: -limits.per-user-override-config
[per_tenant_override_config: <string> | default = ""]

# Period with this to reload the overrides.
# CLI flag: -limits.per-user-override-period
[per_tenant_override_period: <duration> | default = 10s]

table_manager_config

Configures the table manager for retention.

# If true, disable all changes to DB capacity
# CLI flag: -table-manager.throughput-updates-disabled
[throughput_updates_disabled: <boolean> | default = false]

# If true, enables retention deletes of DB tables
# CLI flag: -table-manager.retention-deletes-enabled
[retention_deletes_enabled: <boolean> | default = false]

# Tables older than this retention period are deleted. Must be either 0
# (disabled) or a multiple of 24h. When enabled, be aware this setting is
# destructive to data!
# CLI flag: -table-manager.retention-period
[retention_period: <duration> | default = 0s]

# How frequently to poll backend to learn our capacity.
# CLI flag: -table-manager.poll-interval
[poll_interval: <duration> | default = 2m]

# Periodic tables grace period (duration which table will be created/deleted
# before/after it's needed).
# CLI flag: -table-manager.periodic-table.grace-period
[creation_grace_period: <duration> | default = 10m]

index_tables_provisioning:
  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.index-table.enable-ondemand-throughput-mode
  [enable_ondemand_throughput_mode: <boolean> | default = false]

  # Table default write throughput. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.write-throughput
  [provisioned_write_throughput: <int> | default = 1000]

  # Table default read throughput. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.read-throughput
  [provisioned_read_throughput: <int> | default = 300]

  write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.target-value
    [target: <float> | default = 80]

  read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.index-table.inactive-enable-ondemand-throughput-mode
  [enable_inactive_throughput_on_demand_mode: <boolean> | default = false]

  # Table write throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.inactive-write-throughput
  [inactive_write_throughput: <int> | default = 1]

  # Table read throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.inactive-read-throughput
  [inactive_read_throughput: <int> | default = 300]

  inactive_write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.target-value
    [target: <float> | default = 80]

  inactive_read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Number of last inactive tables to enable write autoscale.
  # CLI flag: -table-manager.index-table.inactive-write-throughput.scale-last-n
  [inactive_write_scale_lastn: <int> | default = 4]

  # Number of last inactive tables to enable read autoscale.
  # CLI flag: -table-manager.index-table.inactive-read-throughput.scale-last-n
  [inactive_read_scale_lastn: <int> | default = 4]

chunk_tables_provisioning:
  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.chunk-table.enable-ondemand-throughput-mode
  [enable_ondemand_throughput_mode: <boolean> | default = false]

  # Table default write throughput. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.write-throughput
  [provisioned_write_throughput: <int> | default = 1000]

  # Table default read throughput. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.read-throughput
  [provisioned_read_throughput: <int> | default = 300]

  write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.target-value
    [target: <float> | default = 80]

  read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-enable-ondemand-throughput-mode
  [enable_inactive_throughput_on_demand_mode: <boolean> | default = false]

  # Table write throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-write-throughput
  [inactive_write_throughput: <int> | default = 1]

  # Table read throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-read-throughput
  [inactive_read_throughput: <int> | default = 300]

  inactive_write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.target-value
    [target: <float> | default = 80]

  inactive_read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Number of last inactive tables to enable write autoscale.
  # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale-last-n
  [inactive_write_scale_lastn: <int> | default = 4]

  # Number of last inactive tables to enable read autoscale.
  # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale-last-n
  [inactive_read_scale_lastn: <int> | default = 4]

worker_config

The worker_config configures the worker - running within the GEL querier - picking up and executing queries enqueued by the query-frontend.

# Address of query frontend service, in host:port format. If
# -querier.scheduler-address is set as well, querier will use scheduler instead.
# Only one of -querier.frontend-address or -querier.scheduler-address can be
# set. If neither is set, queries are only received via HTTP endpoint.
# CLI flag: -querier.frontend-address
[frontend_address: <string> | default = ""]

# Hostname (and port) of scheduler that querier will periodically resolve,
# connect to and receive queries from. Only one of -querier.frontend-address or
# -querier.scheduler-address can be set. If neither is set, queries are only
# received via HTTP endpoint.
# CLI flag: -querier.scheduler-address
[scheduler_address: <string> | default = ""]

# How often to query DNS for query-frontend or query-scheduler address.
# CLI flag: -querier.dns-lookup-period
[dns_lookup_duration: <duration> | default = 10s]

# Number of simultaneous queries to process per query-frontend or
# query-scheduler.
# CLI flag: -querier.worker-parallelism
[parallelism: <int> | default = 10]

# Force worker concurrency to match the -querier.max-concurrent option.
# Overrides querier.worker-parallelism.
# CLI flag: -querier.worker-match-max-concurrent
[match_max_concurrent: <boolean> | default = false]

# Querier ID, sent to frontend service to identify requests from the same
# querier. Defaults to hostname.
# CLI flag: -querier.id
[id: <string> | default = ""]

grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -querier.frontend-client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -querier.frontend-client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -querier.frontend-client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -querier.frontend-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -querier.frontend-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -querier.frontend-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -querier.frontend-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -querier.frontend-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -querier.frontend-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

frontend_config

The query_frontend_config configures the GEL query-frontend.

# Log queries that are slower than the specified duration. Set to 0 to disable.
# Set to < 0 to enable on all queries.
# CLI flag: -frontend.log-queries-longer-than
[log_queries_longer_than: <duration> | default = 0s]

# Max body size for downstream prometheus.
# CLI flag: -frontend.max-body-size
[max_body_size: <int> | default = 10485760]

# True to enable query statistics tracking. When enabled, a message with some
# statistics is logged for every query.
# CLI flag: -frontend.query-stats-enabled
[query_stats_enabled: <boolean> | default = false]

# Maximum number of outstanding requests per tenant per frontend; requests
# beyond this error with HTTP 429.
# CLI flag: -querier.max-outstanding-requests-per-tenant
[max_outstanding_per_tenant: <int> | default = 100]

# If a querier disconnects without sending notification about graceful shutdown,
# the query-frontend will keep the querier in the tenant's shard until the
# forget delay has passed. This feature is useful to reduce the blast radius
# when shuffle-sharding is enabled.
# CLI flag: -query-frontend.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# DNS hostname used for finding query-schedulers.
# CLI flag: -frontend.scheduler-address
[scheduler_address: <string> | default = ""]

# How often to resolve the scheduler-address, in order to look for new
# query-scheduler instances.
# CLI flag: -frontend.scheduler-dns-lookup-period
[scheduler_dns_lookup_period: <duration> | default = 10s]

# Number of concurrent workers forwarding queries to single query-scheduler.
# CLI flag: -frontend.scheduler-worker-concurrency
[scheduler_worker_concurrency: <int> | default = 5]

grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -frontend.grpc-client-config.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -frontend.grpc-client-config.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -frontend.grpc-client-config.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -frontend.grpc-client-config.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -frontend.grpc-client-config.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -frontend.grpc-client-config.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -frontend.grpc-client-config.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -frontend.grpc-client-config.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -frontend.grpc-client-config.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -frontend.grpc-client-config.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -frontend.grpc-client-config.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -frontend.grpc-client-config.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -frontend.grpc-client-config.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -frontend.grpc-client-config.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -frontend.grpc-client-config.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# Name of network interface to read address from. This address is sent to
# query-scheduler and querier, which uses it to send the query response back to
# query-frontend.
# CLI flag: -frontend.instance-interface-names
[instance_interface_names: <list of string> | default = [eth0 en0]]

# Compress HTTP responses.
# CLI flag: -querier.compress-http-responses
[compress_responses: <boolean> | default = false]

# URL of downstream Prometheus.
# CLI flag: -frontend.downstream-url
[downstream_url: <string> | default = ""]

# URL of querier for tail proxy.
# CLI flag: -frontend.tail-proxy-url
[tail_proxy_url: <string> | default = ""]

ruler_config

The ruler_config configures the GEL ruler.

# URL of alerts return path.
# CLI flag: -ruler.external.url
[external_url: <url> | default = ]

ruler_client:
  # gRPC client max receive message size (bytes).
  # CLI flag: -ruler.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -ruler.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -ruler.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ruler.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -ruler.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -ruler.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -ruler.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -ruler.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -ruler.client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -ruler.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ruler.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ruler.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ruler.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ruler.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# How frequently to evaluate rules
# CLI flag: -ruler.evaluation-interval
[evaluation_interval: <duration> | default = 1m]

# How frequently to poll for rule changes
# CLI flag: -ruler.poll-interval
[poll_interval: <duration> | default = 1m]

# Deprecated. Use -ruler-storage.* CLI flags and their respective YAML config
# options instead.
storage:
  # Method to use for backend rule storage (configdb, azure, gcs, s3, swift,
  # local)
  # CLI flag: -ruler.storage.type
  [type: <string> | default = "configdb"]

  configdb:
    # URL of configs API server.
    # CLI flag: -ruler.configs.url
    [configs_api_url: <url> | default = ]

    # Timeout for requests to Weave Cloud configs service.
    # CLI flag: -ruler.configs.client-timeout
    [client_timeout: <duration> | default = 5s]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -ruler.configs.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -ruler.configs.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -ruler.configs.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -ruler.configs.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -ruler.configs.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

  azure:
    # Azure Cloud environment. Supported values are: AzureGlobal,
    # AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
    # CLI flag: -ruler.storage.azure.environment
    [environment: <string> | default = "AzureGlobal"]

    # Name of the blob container used to store chunks. This container must be
    # created before running cortex.
    # CLI flag: -ruler.storage.azure.container-name
    [container_name: <string> | default = "cortex"]

    # The Microsoft Azure account name to be used
    # CLI flag: -ruler.storage.azure.account-name
    [account_name: <string> | default = ""]

    # The Microsoft Azure account key to use.
    # CLI flag: -ruler.storage.azure.account-key
    [account_key: <string> | default = ""]

    # Preallocated buffer size for downloads.
    # CLI flag: -ruler.storage.azure.download-buffer-size
    [download_buffer_size: <int> | default = 512000]

    # Preallocated buffer size for uploads.
    # CLI flag: -ruler.storage.azure.upload-buffer-size
    [upload_buffer_size: <int> | default = 256000]

    # Number of buffers used to used to upload a chunk.
    # CLI flag: -ruler.storage.azure.download-buffer-count
    [upload_buffer_count: <int> | default = 1]

    # Timeout for requests made against azure blob storage.
    # CLI flag: -ruler.storage.azure.request-timeout
    [request_timeout: <duration> | default = 30s]

    # Number of retries for a request which times out.
    # CLI flag: -ruler.storage.azure.max-retries
    [max_retries: <int> | default = 5]

    # Minimum time to wait before retrying a request.
    # CLI flag: -ruler.storage.azure.min-retry-delay
    [min_retry_delay: <duration> | default = 10ms]

    # Maximum time to wait before retrying a request.
    # CLI flag: -ruler.storage.azure.max-retry-delay
    [max_retry_delay: <duration> | default = 500ms]

  gcs:
    # Name of GCS bucket. Please refer to
    # https://cloud.google.com/docs/authentication/production for more
    # information about how to configure authentication.
    # CLI flag: -ruler.storage.gcs.bucketname
    [bucket_name: <string> | default = ""]

    # The size of the buffer that GCS client for each PUT request. 0 to disable
    # buffering.
    # CLI flag: -ruler.storage.gcs.chunk-buffer-size
    [chunk_buffer_size: <int> | default = 0]

    # The duration after which the requests to GCS should be timed out.
    # CLI flag: -ruler.storage.gcs.request-timeout
    [request_timeout: <duration> | default = 0s]

    # Enabled OpenCensus (OC) instrumentation for all requests.
    # CLI flag: -ruler.storage.gcs.enable-opencensus
    [enable_opencensus: <boolean> | default = true]

  s3:
    # S3 endpoint URL with escaped Key and Secret encoded. If only region is
    # specified as a host, proper endpoint will be deduced. Use
    # inmemory:///<bucket-name> to use a mock in-memory implementation.
    # CLI flag: -ruler.storage.s3.url
    [s3: <url> | default = ]

    # Set this to `true` to force the request to use path-style addressing.
    # CLI flag: -ruler.storage.s3.force-path-style
    [s3forcepathstyle: <boolean> | default = false]

    # Comma separated list of bucket names to evenly distribute chunks over.
    # Overrides any buckets specified in s3.url flag
    # CLI flag: -ruler.storage.s3.buckets
    [bucketnames: <string> | default = ""]

    # S3 Endpoint to connect to.
    # CLI flag: -ruler.storage.s3.endpoint
    [endpoint: <string> | default = ""]

    # AWS region to use.
    # CLI flag: -ruler.storage.s3.region
    [region: <string> | default = ""]

    # AWS Access Key ID
    # CLI flag: -ruler.storage.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # AWS Secret Access Key
    # CLI flag: -ruler.storage.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # Disable https on s3 connection.
    # CLI flag: -ruler.storage.s3.insecure
    [insecure: <boolean> | default = false]

    # Enable AWS Server Side Encryption [Deprecated: Use .sse instead. if
    # s3.sse-encryption is enabled, it assumes .sse.type SSE-S3]
    # CLI flag: -ruler.storage.s3.sse-encryption
    [sse_encryption: <boolean> | default = false]

    http_config:
      # The maximum amount of time an idle connection will be held open.
      # CLI flag: -ruler.storage.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # If non-zero, specifies the amount of time to wait for a server's
      # response headers after fully writing the request.
      # CLI flag: -ruler.storage.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 0s]

      # Set to false to skip verifying the certificate chain and hostname.
      # CLI flag: -ruler.storage.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -ruler.storage.s3.signature-version
    [signature_version: <string> | default = "v4"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -ruler.storage.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -ruler.storage.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -ruler.storage.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

  swift:
    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -ruler.storage.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -ruler.storage.swift.auth-url
    [auth_url: <string> | default = ""]

    # OpenStack Swift username.
    # CLI flag: -ruler.storage.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -ruler.storage.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -ruler.storage.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -ruler.storage.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -ruler.storage.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -ruler.storage.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -ruler.storage.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs the from user domain.
    # CLI flag: -ruler.storage.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -ruler.storage.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -ruler.storage.swift.container-name
    [container_name: <string> | default = ""]

    # Max retries on requests error.
    # CLI flag: -ruler.storage.swift.max-retries
    [max_retries: <int> | default = 3]

    # Time after which a connection attempt is aborted.
    # CLI flag: -ruler.storage.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # Time after which an idle request is aborted. The timeout watchdog is reset
    # each time some data is received, so the timeout triggers after X time no
    # data is received on a request.
    # CLI flag: -ruler.storage.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

  local:
    # Directory to scan for rules
    # CLI flag: -ruler.storage.local.directory
    [directory: <string> | default = ""]

# file path to store temporary rule files for the prometheus rule managers
# CLI flag: -ruler.rule-path
[rule_path: <string> | default = "/rules"]

# Comma-separated list of URL(s) of the Alertmanager(s) to send notifications
# to. Each Alertmanager URL is treated as a separate group in the configuration.
# Multiple Alertmanagers in HA per group can be supported by using DNS
# resolution via -ruler.alertmanager-discovery.
# CLI flag: -ruler.alertmanager-url
[alertmanager_url: <string> | default = ""]

# Use DNS SRV records to discover Alertmanager hosts.
# CLI flag: -ruler.alertmanager-discovery
[enable_alertmanager_discovery: <boolean> | default = false]

# How long to wait between refreshing DNS resolutions of Alertmanager hosts.
# CLI flag: -ruler.alertmanager-refresh-interval
[alertmanager_refresh_interval: <duration> | default = 1m]

# If enabled requests to Alertmanager will utilize the V2 API.
# CLI flag: -ruler.alertmanager-use-v2
[enable_alertmanager_v2: <boolean> | default = false]

# Capacity of the queue for notifications to be sent to the Alertmanager.
# CLI flag: -ruler.notification-queue-capacity
[notification_queue_capacity: <int> | default = 10000]

# HTTP timeout duration when sending notifications to the Alertmanager.
# CLI flag: -ruler.notification-timeout
[notification_timeout: <duration> | default = 10s]

alertmanager_client:
  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ruler.alertmanager-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # HTTP Basic authentication username. It overrides the username set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-username
  [basic_auth_username: <string> | default = ""]

  # HTTP Basic authentication password. It overrides the password set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-password
  [basic_auth_password: <string> | default = ""]

# Max time to tolerate outage for restoring "for" state of alert.
# CLI flag: -ruler.for-outage-tolerance
[for_outage_tolerance: <duration> | default = 1h]

# Minimum duration between alert and restored "for" state. This is maintained
# only for alerts with configured "for" time greater than grace period.
# CLI flag: -ruler.for-grace-period
[for_grace_period: <duration> | default = 10m]

# Minimum amount of time to wait before resending an alert to Alertmanager.
# CLI flag: -ruler.resend-delay
[resend_delay: <duration> | default = 1m]

# Distribute rule evaluation using ring backend
# CLI flag: -ruler.enable-sharding
[enable_sharding: <boolean> | default = false]

# The sharding strategy to use. Supported values are: default, shuffle-sharding.
# CLI flag: -ruler.sharding-strategy
[sharding_strategy: <string> | default = "default"]

# Time to spend searching for a pending ruler when shutting down.
# CLI flag: -ruler.search-pending-for
[search_pending_for: <duration> | default = 5m]

ring:
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -ruler.ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -ruler.ring.prefix
    [prefix: <string> | default = "rulers/"]

    consul:
      # Hostname and port of Consul.
      # CLI flag: -ruler.ring.consul.hostname
      [host: <string> | default = "localhost:8500"]

      # ACL Token used to interact with Consul.
      # CLI flag: -ruler.ring.consul.acl-token
      [acl_token: <string> | default = ""]

      # HTTP timeout when talking to Consul
      # CLI flag: -ruler.ring.consul.client-timeout
      [http_client_timeout: <duration> | default = 20s]

      # Enable consistent reads to Consul.
      # CLI flag: -ruler.ring.consul.consistent-reads
      [consistent_reads: <boolean> | default = false]

      # Rate limit when watching key or prefix in Consul, in requests per
      # second. 0 disables the rate limit.
      # CLI flag: -ruler.ring.consul.watch-rate-limit
      [watch_rate_limit: <float> | default = 1]

      # Burst size used in rate limit. Values less than 1 are treated as 1.
      # CLI flag: -ruler.ring.consul.watch-burst-size
      [watch_burst_size: <int> | default = 1]

    etcd:
      # The etcd endpoints to connect to.
      # CLI flag: -ruler.ring.etcd.endpoints
      [endpoints: <list of string> | default = []]

      # The dial timeout for the etcd connection.
      # CLI flag: -ruler.ring.etcd.dial-timeout
      [dial_timeout: <duration> | default = 10s]

      # The maximum number of retries to do for failed ops.
      # CLI flag: -ruler.ring.etcd.max-retries
      [max_retries: <int> | default = 10]

      # Enable TLS.
      # CLI flag: -ruler.ring.etcd.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate file, which will be used for
      # authenticating with the server. Also requires the key path to be
      # configured.
      # CLI flag: -ruler.ring.etcd.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key file for the client certificate. Also requires the
      # client certificate to be configured.
      # CLI flag: -ruler.ring.etcd.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates file to validate server certificate against.
      # If not set, the host's root CA certificates are used.
      # CLI flag: -ruler.ring.etcd.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -ruler.ring.etcd.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -ruler.ring.etcd.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Etcd username.
      # CLI flag: -ruler.ring.etcd.username
      [username: <string> | default = ""]

      # Etcd password.
      # CLI flag: -ruler.ring.etcd.password
      [password: <string> | default = ""]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -ruler.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # The heartbeat timeout after which rulers are considered unhealthy within the
  # ring. 0 = never (timeout disabled).
  # CLI flag: -ruler.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Name of network interface to read address from.
  # CLI flag: -ruler.ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # Number of tokens for each ruler.
  # CLI flag: -ruler.ring.num-tokens
  [num_tokens: <int> | default = 128]

# Period with which to attempt to flush rule groups.
# CLI flag: -ruler.flush-period
[flush_period: <duration> | default = 1m]

# Enable the ruler api
# CLI flag: -ruler.enable-api
[enable_api: <boolean> | default = false]

# Comma separated list of tenants whose rules this ruler can evaluate. If
# specified, only these tenants will be handled by ruler, otherwise this ruler
# can process rules from all tenants. Subject to sharding.
# CLI flag: -ruler.enabled-tenants
[enabled_tenants: <string> | default = ""]

# Comma separated list of tenants whose rules this ruler cannot evaluate. If
# specified, a ruler that would normally pick the specified tenant(s) for
# processing will ignore them instead. Subject to sharding.
# CLI flag: -ruler.disabled-tenants
[disabled_tenants: <string> | default = ""]

# Report the wall time for ruler queries to complete as a per user metric and as
# an info level log message.
# CLI flag: -ruler.query-stats-enabled
[query_stats_enabled: <boolean> | default = false]

remote_write:
  # Remote-write client configuration to send rule samples to a Prometheus
  # remote-write endpoint.
  # See
  # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write
  [client: <object> | default = none]

  # Remote-write recording rule samples to Prometheus-compatible remote-write
  # receiver.
  # CLI flag: -ruler.remote-write.enabled
  [enabled: <boolean> | default = false]

query_range_config

The query_range_config configures the query splitting and caching in the GEL query-frontend.

# Split queries by an interval and execute in parallel, 0 disables it. You
# should use an a multiple of 24 hours (same as the storage bucketing scheme),
# to avoid queriers downloading and processing the same chunks. This also
# determines how cache keys are chosen when result caching is enabled
# CLI flag: -querier.split-queries-by-interval
[split_queries_by_interval: <duration> | default = 0s]

# Mutate incoming queries to align their start and end with their step.
# CLI flag: -querier.align-querier-with-step
[align_queries_with_step: <boolean> | default = false]

results_cache:
  cache:
    # Enable in-memory cache.
    # CLI flag: -frontend.cache.enable-fifocache
    [enable_fifocache: <boolean> | default = false]

    # The default validity of entries for caches unless overridden.
    # CLI flag: -frontend.default-validity
    [default_validity: <duration> | default = 0s]

    background:
      # At what concurrency to write back to cache.
      # CLI flag: -frontend.background.write-back-concurrency
      [writeback_goroutines: <int> | default = 10]

      # How many key batches to buffer for background write-back.
      # CLI flag: -frontend.background.write-back-buffer
      [writeback_buffer: <int> | default = 10000]

    memcached:
      # How long keys stay in the memcache.
      # CLI flag: -frontend.memcached.expiration
      [expiration: <duration> | default = 0s]

      # How many keys to fetch in each batch.
      # CLI flag: -frontend.memcached.batchsize
      [batch_size: <int> | default = 1024]

      # Maximum active requests to memcache.
      # CLI flag: -frontend.memcached.parallelism
      [parallelism: <int> | default = 100]

    memcached_client:
      # Hostname for memcached service to use. If empty and if addresses is
      # unset, no memcached will be used.
      # CLI flag: -frontend.memcached.hostname
      [host: <string> | default = ""]

      # SRV service used to discover memcache servers.
      # CLI flag: -frontend.memcached.service
      [service: <string> | default = "memcached"]

      # EXPERIMENTAL: Comma separated addresses list in DNS Service Discovery
      # format:
      # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
      # CLI flag: -frontend.memcached.addresses
      [addresses: <string> | default = ""]

      # Maximum time to wait before giving up on memcached requests.
      # CLI flag: -frontend.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # Maximum number of idle connections in pool.
      # CLI flag: -frontend.memcached.max-idle-conns
      [max_idle_conns: <int> | default = 16]

      # The maximum size of an item stored in memcached. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -frontend.memcached.max-item-size
      [max_item_size: <int> | default = 0]

      # Period with which to poll DNS for memcache servers.
      # CLI flag: -frontend.memcached.update-interval
      [update_interval: <duration> | default = 1m]

      # Use consistent hashing to distribute to memcache servers.
      # CLI flag: -frontend.memcached.consistent-hash
      [consistent_hash: <boolean> | default = true]

      # Trip circuit-breaker after this number of consecutive dial failures (if
      # zero then circuit-breaker is disabled).
      # CLI flag: -frontend.memcached.circuit-breaker-consecutive-failures
      [circuit_breaker_consecutive_failures: <int> | default = 10]

      # Duration circuit-breaker remains open after tripping (if zero then 60
      # seconds is used).
      # CLI flag: -frontend.memcached.circuit-breaker-timeout
      [circuit_breaker_timeout: <duration> | default = 10s]

      # Reset circuit-breaker counts after this long (if zero then never reset).
      # CLI flag: -frontend.memcached.circuit-breaker-interval
      [circuit_breaker_interval: <duration> | default = 10s]

    redis:
      # Redis Server endpoint to use for caching. A comma-separated list of
      # endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will
      # be used.
      # CLI flag: -frontend.redis.endpoint
      [endpoint: <string> | default = ""]

      # Redis Sentinel master name. An empty string for Redis Server or Redis
      # Cluster.
      # CLI flag: -frontend.redis.master-name
      [master_name: <string> | default = ""]

      # Maximum time to wait before giving up on redis requests.
      # CLI flag: -frontend.redis.timeout
      [timeout: <duration> | default = 500ms]

      # How long keys stay in the redis.
      # CLI flag: -frontend.redis.expiration
      [expiration: <duration> | default = 0s]

      # Database index.
      # CLI flag: -frontend.redis.db
      [db: <int> | default = 0]

      # Maximum number of connections in the pool.
      # CLI flag: -frontend.redis.pool-size
      [pool_size: <int> | default = 0]

      # Password to use when connecting to redis.
      # CLI flag: -frontend.redis.password
      [password: <string> | default = ""]

      # Enable connecting to redis with TLS.
      # CLI flag: -frontend.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Skip validating server certificate.
      # CLI flag: -frontend.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Close connections after remaining idle for this duration. If the value
      # is zero, then idle connections are not closed.
      # CLI flag: -frontend.redis.idle-timeout
      [idle_timeout: <duration> | default = 0s]

      # Close connections older than this duration. If the value is zero, then
      # the pool does not close connections based on age.
      # CLI flag: -frontend.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

    fifocache:
      # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB)
      # may be applied.
      # CLI flag: -frontend.fifocache.max-size-bytes
      [max_size_bytes: <string> | default = ""]

      # Maximum number of entries in the cache.
      # CLI flag: -frontend.fifocache.max-size-items
      [max_size_items: <int> | default = 0]

      # The expiry duration for the cache.
      # CLI flag: -frontend.fifocache.duration
      [validity: <duration> | default = 0s]

      # Deprecated (use max-size-items or max-size-bytes instead): The number of
      # entries to cache.
      # CLI flag: -frontend.fifocache.size
      [size: <int> | default = 0]

  # Use compression in results cache. Supported values are: 'snappy' and ''
  # (disable compression).
  # CLI flag: -frontend.compression
  [compression: <string> | default = ""]

# Cache query results.
# CLI flag: -querier.cache-results
[cache_results: <boolean> | default = false]

# Maximum number of retries for a single request; beyond this, the downstream
# error is returned.
# CLI flag: -querier.max-retries-per-request
[max_retries: <int> | default = 5]

# Perform query parallelisations based on storage sharding configuration and
# query ASTs. This feature is supported only by the chunks storage engine.
# CLI flag: -querier.parallelise-shardable-queries
[parallelise_shardable_queries: <boolean> | default = false]

runtime_config

The runtime_config configures the reloading of the runtime configuration file.

# How often to check runtime config file.
# CLI flag: -runtime-config.reload-period
[period: <duration> | default = 10s]

# File with the configuration that can be updated in runtime.
# CLI flag: -runtime-config.file
[file: <string> | default = ""]

memberlist_config

The memberlist_config block configures the gossip ring to discover and connect between distributors, ingesters and queriers.

# Name of the node in memberlist cluster. Defaults to hostname.
# CLI flag: -memberlist.nodename
[node_name: <string> | default = ""]

# Add random suffix to the node name.
# CLI flag: -memberlist.randomize-node-name
[randomize_node_name: <boolean> | default = true]

# The timeout for establishing a connection with a remote node, and for
# read/write operations.
# CLI flag: -memberlist.stream-timeout
[stream_timeout: <duration> | default = 10s]

# Multiplication factor used when sending out messages (factor * log(N+1)).
# CLI flag: -memberlist.retransmit-factor
[retransmit_factor: <int> | default = 4]

# How often to use pull/push sync.
# CLI flag: -memberlist.pullpush-interval
[pull_push_interval: <duration> | default = 30s]

# How often to gossip.
# CLI flag: -memberlist.gossip-interval
[gossip_interval: <duration> | default = 200ms]

# How many nodes to gossip to.
# CLI flag: -memberlist.gossip-nodes
[gossip_nodes: <int> | default = 3]

# How long to keep gossiping to dead nodes, to give them chance to refute their
# death.
# CLI flag: -memberlist.gossip-to-dead-nodes-time
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# How soon can dead node's name be reclaimed with new address. 0 to disable.
# CLI flag: -memberlist.dead-node-reclaim-time
[dead_node_reclaim_time: <duration> | default = 0s]

# Enable message compression. This can be used to reduce bandwidth usage at the
# cost of slightly more CPU utilization.
# CLI flag: -memberlist.compression-enabled
[compression_enabled: <boolean> | default = true]

# Other cluster members to join. Can be specified multiple times. It can be an
# IP, hostname or an entry specified in the DNS Service Discovery format.
# CLI flag: -memberlist.join
[join_members: <list of string> | default = []]

# Min backoff duration to join other cluster members.
# CLI flag: -memberlist.min-join-backoff
[min_join_backoff: <duration> | default = 1s]

# Max backoff duration to join other cluster members.
# CLI flag: -memberlist.max-join-backoff
[max_join_backoff: <duration> | default = 1m]

# Max number of retries to join other cluster members.
# CLI flag: -memberlist.max-join-retries
[max_join_retries: <int> | default = 10]

# If this node fails to join memberlist cluster, abort.
# CLI flag: -memberlist.abort-if-join-fails
[abort_if_cluster_join_fails: <boolean> | default = true]

# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix
# the cluster split issue, and is harmless otherwise. For example when using
# only few components as a seed nodes (via -memberlist.join), then it's
# recommended to use rejoin. If -memberlist.join points to dynamic service that
# resolves to all gossiping nodes (eg. Kubernetes headless service), then rejoin
# is not needed.
# CLI flag: -memberlist.rejoin-interval
[rejoin_interval: <duration> | default = 0s]

# How long to keep LEFT ingesters in the ring.
# CLI flag: -memberlist.left-ingesters-timeout
[left_ingesters_timeout: <duration> | default = 5m]

# Timeout for leaving memberlist cluster.
# CLI flag: -memberlist.leave-timeout
[leave_timeout: <duration> | default = 5s]

# How much space to use for keeping received and sent messages in memory for
# troubleshooting (two buffers). 0 to disable.
# CLI flag: -memberlist.message-history-buffer-bytes
[message_history_buffer_bytes: <int> | default = 0]

# IP address to listen on for gossip messages. Multiple addresses may be
# specified. Defaults to 0.0.0.0
# CLI flag: -memberlist.bind-addr
[bind_addr: <list of string> | default = []]

# Port to listen on for gossip messages.
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# Timeout used when connecting to other nodes to send packet.
# CLI flag: -memberlist.packet-dial-timeout
[packet_dial_timeout: <duration> | default = 5s]

# Timeout for writing 'packet' data.
# CLI flag: -memberlist.packet-write-timeout
[packet_write_timeout: <duration> | default = 5s]

# Enable TLS on the memberlist transport layer.
# CLI flag: -memberlist.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -memberlist.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -memberlist.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates file to validate server certificate against. If
# not set, the host's root CA certificates are used.
# CLI flag: -memberlist.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -memberlist.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -memberlist.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

tracing_config

Configures application tracing.

# Set to false to disable tracing.
# CLI flag: -tracing.enabled
[enabled: <boolean> | default = true]

compactor_config

Configures the component which compacts index shards for performance.

# Directory where files can be downloaded for compaction.
# CLI flag: -boltdb.shipper.compactor.working-directory
[working_directory: <string> | default = ""]

# Shared store used for storing boltdb files. Supported types: gcs, s3, azure,
# swift, filesystem
# CLI flag: -boltdb.shipper.compactor.shared-store
[shared_store: <string> | default = ""]

# Prefix to add to Object Keys in Shared store. Path separator(if any) should
# always be a '/'. Prefix should never start with a separator but should always
# end with it.
# CLI flag: -boltdb.shipper.compactor.shared-store.key-prefix
[shared_store_key_prefix: <string> | default = "index/"]

# Interval at which to re-run the compaction operation.
# CLI flag: -boltdb.shipper.compactor.compaction-interval
[compaction_interval: <duration> | default = 10m]

# (Experimental) Activate custom (per-stream,per-tenant) retention.
# CLI flag: -boltdb.shipper.compactor.retention-enabled
[retention_enabled: <boolean> | default = false]

# Delay after which chunks will be fully deleted during retention.
# CLI flag: -boltdb.shipper.compactor.retention-delete-delay
[retention_delete_delay: <duration> | default = 2h]

# The total amount of worker to use to delete chunks.
# CLI flag: -boltdb.shipper.compactor.retention-delete-worker-count
[retention_delete_worker_count: <int> | default = 150]

# Allow cancellation of delete request until duration after they are created.
# Data would be deleted only after delete requests have been older than this
# duration. Ideally this should be set to at least 24h.
# CLI flag: -boltdb.shipper.compactor.delete-request-cancel-period
[delete_request_cancel_period: <duration> | default = 24h]

# Maximum number of tables to compact in parallel. While increasing this value,
# please make sure compactor has enough disk space allocated to be able to store
# and compact as many tables.
# CLI flag: -boltdb.shipper.compactor.max-compaction-parallelism
[max_compaction_parallelism: <int> | default = 1]