---
title: "Reference | Grafana Enterprise Metrics documentation"
description: "Grafana Enterprise Metrics can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file."
---

> For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt).

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. [Please view the current version](/docs/enterprise-metrics/latest/).

[Documentation](/docs/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Grafana Enterprise Metrics Documentation](/docs/enterprise-metrics/v1.7.x/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) [Configuration](/docs/enterprise-metrics/v1.7.x/config/)![breadcrumb arrow](/static/assets/img/icons/grafana-icon-breadcrumb-arrow-gray.svg) Reference

Enterprise

Grafana Enterprise Metrics can be configured using a YAML file - specified using the `-config.file` flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEM component can be seen by visiting the `/config` HTTP path. Passwords are filtered out of this endpoint.

## Reference

To specify which configuration file to load, pass the `-config.file` flag at the command line. The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML), defined by the scheme below. Brackets indicate that a parameter is optional.

### Generic placeholders

- `<boolean>`: a boolean that can take the values `true` or `false`
- `<int>`: any integer matching the regular expression `[1-9]+[0-9]*`
- `<duration>`: a duration matching the regular expression `[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)` where y = 365 days
- `<string>`: a regular string
- `<url>`: a URL
- `<prefix>`: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
- `<relabel_config>`: a [Prometheus relabeling configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config).
- `<time>`: a timestamp, with available formats: `2006-01-20` (midnight, local timezone), `2006-01-20T15:04` (local timezone), and RFC 3339 formats: `2006-01-20T15:04:05Z` (UTC) or `2006-01-20T15:04:05+07:00` (explicit timezone)

### Use environment variables in the configuration

You can use environment variable references in the config file to set values that need to be configurable during deployment by using the `-config.expand-env` flag. To do this, use:

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
${VAR}
```

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```none
${VAR:default_value}
```

Where default\_value is the value to use if the environment variable is undefined.

### Supported contents and default values of the config file

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Comma-separated list of modules to load. The alias 'all' can be used in the
# list to load a number of core modules and will enable single-binary mode. Use
# '-modules' command line flag to get a list of available modules, and to see
# which modules are included in 'all'.
# CLI flag: -target
[target: <string> | default = "all"]

# Set to false to disable auth.
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = true]

# HTTP path prefix for API.
# CLI flag: -http.prefix
[http_prefix: <string> | default = "/api/prom"]

api:
  # Use GZIP compression for API responses. Some endpoints serve large YAML or
  # JSON blobs which can benefit from compression.
  # CLI flag: -api.response-compression-enabled
  [response_compression_enabled: <boolean> | default = false]

  # Allows to skip label name validation via header on the http write path. Use
  # with caution as it breaks PromQL. Allowing this for external clients allows
  # any client to send invalid label names. After enabling it, requests with
  # X-Mimir-SkipLabelNameValidation HTTP header set to true will not have label
  # names validated.
  # CLI flag: -api.skip-label-name-validation-header-enabled
  [skip_label_name_validation_header_enabled: <boolean> | default = false]

  # HTTP URL path under which the Alertmanager ui and api will be served.
  # CLI flag: -http.alertmanager-http-prefix
  [alertmanager_http_prefix: <string> | default = "/alertmanager"]

  # HTTP URL path under which the Prometheus api will be served.
  # CLI flag: -http.prometheus-http-prefix
  [prometheus_http_prefix: <string> | default = "/prometheus"]

# The server_config configures the HTTP and gRPC server of the launched
# service(s).
[server: <server_config>]

# The distributor_config configures the GEM distributor.
[distributor: <distributor_config>]

# The querier_config configures the GEM querier.
[querier: <querier_config>]

# The ingester_client_config configures how the GEM distributors connect to the
# ingesters.
[ingester_client: <ingester_client_config>]

# The ingester_config configures the GEM ingester.
[ingester: <ingester_config>]

# The flusher_config configures the WAL flusher target, used to manually run
# one-time flushes when scaling down ingesters.
[flusher: <flusher_config>]

# The storage_config configures where GEM stores the data (chunks storage
# engine).
[storage: <storage_config>]

# The chunk_store_config configures how GEM stores the data (chunks storage
# engine).
[chunk_store: <chunk_store_config>]

# The limits_config configures default and per-tenant limits imposed by GEM
# services (ie. distributor, ingester, ...).
[limits: <limits_config>]

# The frontend_worker_config configures the worker - running within the GEM
# querier - picking up and executing queries enqueued by the query-frontend or
# query-scheduler.
[frontend_worker: <frontend_worker_config>]

# The query_frontend_config configures the GEM query-frontend.
[frontend: <query_frontend_config>]

# The query_range_config configures the query splitting and caching in the GEM
# query-frontend.
[query_range: <query_range_config>]

# The table_manager_config configures the GEM table-manager.
[table_manager: <table_manager_config>]

# The blocks_storage_config configures the blocks storage.
[blocks_storage: <blocks_storage_config>]

# The compactor_config configures the compactor for the blocks storage.
[compactor: <compactor_config>]

# The store_gateway_config configures the store-gateway service used by the
# blocks storage.
[store_gateway: <store_gateway_config>]

# The purger_config configures the purger which takes care of delete requests.
[purger: <purger_config>]

tenant_federation:
  # If enabled on all services, queries can be federated across multiple
  # tenants. The tenant IDs involved need to be specified separated by a `|`
  # character in the `X-Scope-OrgID` header (experimental).
  # CLI flag: -tenant-federation.enabled
  [enabled: <boolean> | default = true]

# The ruler_config configures the GEM ruler.
[ruler: <ruler_config>]

# The ruler_storage_config configures the GEM ruler storage backend.
[ruler_storage: <ruler_storage_config>]

# The alertmanager_config configures the GEM alertmanager.
[alertmanager: <alertmanager_config>]

# The alertmanager_storage_config configures the GEM alertmanager storage
# backend.
[alertmanager_storage: <alertmanager_storage_config>]

runtime_config:
  # How often to check runtime config file.
  # CLI flag: -runtime-config.reload-period
  [period: <duration> | default = 10s]

  # File with the configuration that can be updated in runtime.
  # CLI flag: -runtime-config.file
  [file: <string> | default = ""]

# The memberlist_config configures the Gossip memberlist.
[memberlist: <memberlist_config>]

# The query_scheduler_config configures query scheduler module.
[query_scheduler: <query_scheduler_config>]

# The admin_api_config configures the admin api.
[admin_api: <admin_api_config>]

# The admin_client_config configures how the Admin API service connects to the
# storage backend.
[admin_client: <admin_client_config>]

# The auth_config configures the authentication type to use.
[auth: <auth_config>]

# This target is deprecated, use the `tokengen` target instead. In prior
# versions, `bootstrap_config` was used to configure the bootstrap target.
[bootstrap: <bootstrap_config>]

# Unique ID of this cortex cluster. If undefined the name in the license is
# used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The federation_config configures the federation frontend component, which can
# be used to federate querier between multiple Grafana Enterprise Metrics
# clusters.
[federation: <federation_config>]

# The gateway_client configures the gateway proxy.
[gateway: <gateway_config>]

# The graphite_config configures the graphite compatibility services.
[graphite: <graphite_config>]

# The instrumentation_config configures the instrumentation module.
[instrumentation: <instrumentation_config>]

# The license_config configures the license validation module.
[license: <license_config>]

# The tokengen_config is used to configure the tokengen command.
[tokengen: <tokengen_config>]
```

### admin\_api\_config

The `admin_api_config` configures the admin api.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = false]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      # The consul_config configures the consul client.
      # The CLI flags prefix for this block config is:
      # admin-api.leader-election.ring
      [consul: <consul_config>]

      # The etcd_config configures the etcd client.
      # The CLI flags prefix for this block config is:
      # admin-api.leader-election.ring
      [etcd: <etcd_config>]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0 en0]]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

limits:
  # Enable API based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]
```

### gateway\_config

The gateway\_client configures the gateway proxy.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  alertmanager:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.alertmanager.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.alertmanager.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.alertmanager.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.alertmanager.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.alertmanager.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.alertmanager.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.alertmanager.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.alertmanager.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.alertmanager.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.alertmanager.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  graphite:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.graphite.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.graphite.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.graphite.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.graphite.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.graphite.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.graphite.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.graphite.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.graphite.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.graphite.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.graphite.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  ruler:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

  store_gateway:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.store-gateway.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.store-gateway.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.store-gateway.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.store-gateway.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.store-gateway.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.store-gateway.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.store-gateway.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.store-gateway.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.store-gateway.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.store-gateway.read-timeout
    [read_timeout: <duration> | default = 2m]
```

### auth\_config

The `auth_config` configures the authentication type to use.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "trust"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as a admin scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]
```

### admin\_client\_config

The `admin_client_config` configures how the Admin API service connects to the storage backend.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
storage:
  # Set a backend to use, (gcs, s3, azure)
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

  # Enable caching on the versioned client
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    # The s3_sse_config configures the S3 server-side encryption.
    # The CLI flags prefix for this block config is: admin.client
    [sse: <s3_sse_config>]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a servers response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to S3 via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON representing either a Google Developers Console
    # client_credentials.json file or a Google Developers service account key
    # file. If empty, fallback to Google default logic.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = ""]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]
```

### graphite\_config

The `graphite_config` configures the graphite compatibility services.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Whether the Graphite APIs are enabled (Experimental).
# CLI flag: -graphite.enabled
[enabled: <boolean> | default = false]

querier:
  schemas:
    # Defines for how long schemas shall be cached.
    # CLI flag: -graphite.querier.schemas.schema-ttl
    [schema_ttl: <duration> | default = 10s]

    # Path to default storage-schemas.conf file.
    # CLI flag: -graphite.querier.schemas.default-storage-schemas-file
    [default_storage_schemas_file: <string> | default = "/etc/cortextank/storage-schemas.conf"]

    # Path to default storage-aggregation.conf file.
    # CLI flag: -graphite.querier.schemas.default-storage-aggregations-file
    [default_storage_aggregations_file: <string> | default = "/etc/cortextank/storage-aggregation.conf"]

    # Whether support for object store backed user overrides should be enabled.
    # CLI flag: -graphite.querier.schemas.enable-user-overrides
    [enable_user_overrides: <boolean> | default = false]

    # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
    # filesystem.
    # CLI flag: -graphite.querier.schemas.backend
    [backend: <string> | default = "s3"]

    s3:
      # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
      # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of
      # an S3-compatible service in hostname:port format.
      # CLI flag: -graphite.querier.schemas.s3.endpoint
      [endpoint: <string> | default = ""]

      # S3 region. If unset, the client will issue a S3 GetBucketLocation API
      # call to autodetect it.
      # CLI flag: -graphite.querier.schemas.s3.region
      [region: <string> | default = ""]

      # S3 bucket name
      # CLI flag: -graphite.querier.schemas.s3.bucket-name
      [bucket_name: <string> | default = ""]

      # S3 secret access key
      # CLI flag: -graphite.querier.schemas.s3.secret-access-key
      [secret_access_key: <string> | default = ""]

      # S3 access key ID
      # CLI flag: -graphite.querier.schemas.s3.access-key-id
      [access_key_id: <string> | default = ""]

      # If enabled, use http:// for the S3 endpoint instead of https://. This
      # could be useful in local dev/test environments while using an
      # S3-compatible backend storage, like Minio.
      # CLI flag: -graphite.querier.schemas.s3.insecure
      [insecure: <boolean> | default = false]

      # The signature version to use for authenticating against S3. Supported
      # values are: v4, v2.
      # CLI flag: -graphite.querier.schemas.s3.signature-version
      [signature_version: <string> | default = "v4"]

      # The s3_sse_config configures the S3 server-side encryption.
      # The CLI flags prefix for this block config is: graphite.querier.schemas
      [sse: <s3_sse_config>]

      http:
        # The time an idle connection will remain idle before closing.
        # CLI flag: -graphite.querier.schemas.s3.http.idle-conn-timeout
        [idle_conn_timeout: <duration> | default = 1m30s]

        # The amount of time the client will wait for a servers response
        # headers.
        # CLI flag: -graphite.querier.schemas.s3.http.response-header-timeout
        [response_header_timeout: <duration> | default = 2m]

        # If the client connects to S3 via HTTPS and this option is enabled, the
        # client will accept any certificate and hostname.
        # CLI flag: -graphite.querier.schemas.s3.http.insecure-skip-verify
        [insecure_skip_verify: <boolean> | default = false]

        # Maximum time to wait for a TLS handshake. 0 means no limit.
        # CLI flag: -graphite.querier.schemas.s3.tls-handshake-timeout
        [tls_handshake_timeout: <duration> | default = 10s]

        # The time to wait for a server's first response headers after fully
        # writing the request headers if the request has an Expect header. 0 to
        # send the request body immediately.
        # CLI flag: -graphite.querier.schemas.s3.expect-continue-timeout
        [expect_continue_timeout: <duration> | default = 1s]

        # Maximum number of idle (keep-alive) connections across all hosts. 0
        # means no limit.
        # CLI flag: -graphite.querier.schemas.s3.max-idle-connections
        [max_idle_connections: <int> | default = 100]

        # Maximum number of idle (keep-alive) connections to keep per-host. If
        # 0, a built-in default value is used.
        # CLI flag: -graphite.querier.schemas.s3.max-idle-connections-per-host
        [max_idle_connections_per_host: <int> | default = 100]

        # Maximum number of connections per host. 0 means no limit.
        # CLI flag: -graphite.querier.schemas.s3.max-connections-per-host
        [max_connections_per_host: <int> | default = 0]

    gcs:
      # GCS bucket name
      # CLI flag: -graphite.querier.schemas.gcs.bucket-name
      [bucket_name: <string> | default = ""]

      # JSON representing either a Google Developers Console
      # client_credentials.json file or a Google Developers service account key
      # file. If empty, fallback to Google default logic.
      # CLI flag: -graphite.querier.schemas.gcs.service-account
      [service_account: <string> | default = ""]

    azure:
      # Azure storage account name
      # CLI flag: -graphite.querier.schemas.azure.account-name
      [account_name: <string> | default = ""]

      # Azure storage account key
      # CLI flag: -graphite.querier.schemas.azure.account-key
      [account_key: <string> | default = ""]

      # Azure storage container name
      # CLI flag: -graphite.querier.schemas.azure.container-name
      [container_name: <string> | default = ""]

      # Azure storage endpoint suffix without schema. The account name will be
      # prefixed to this value to create the FQDN
      # CLI flag: -graphite.querier.schemas.azure.endpoint-suffix
      [endpoint_suffix: <string> | default = ""]

      # Number of retries for recoverable errors
      # CLI flag: -graphite.querier.schemas.azure.max-retries
      [max_retries: <int> | default = 20]

    swift:
      # OpenStack Swift authentication API version. 0 to autodetect.
      # CLI flag: -graphite.querier.schemas.swift.auth-version
      [auth_version: <int> | default = 0]

      # OpenStack Swift authentication URL
      # CLI flag: -graphite.querier.schemas.swift.auth-url
      [auth_url: <string> | default = ""]

      # OpenStack Swift username.
      # CLI flag: -graphite.querier.schemas.swift.username
      [username: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -graphite.querier.schemas.swift.user-domain-name
      [user_domain_name: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -graphite.querier.schemas.swift.user-domain-id
      [user_domain_id: <string> | default = ""]

      # OpenStack Swift user ID.
      # CLI flag: -graphite.querier.schemas.swift.user-id
      [user_id: <string> | default = ""]

      # OpenStack Swift API key.
      # CLI flag: -graphite.querier.schemas.swift.password
      [password: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -graphite.querier.schemas.swift.domain-id
      [domain_id: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -graphite.querier.schemas.swift.domain-name
      [domain_name: <string> | default = ""]

      # OpenStack Swift project ID (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.project-id
      [project_id: <string> | default = ""]

      # OpenStack Swift project name (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.project-name
      [project_name: <string> | default = ""]

      # ID of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs the from user domain.
      # CLI flag: -graphite.querier.schemas.swift.project-domain-id
      [project_domain_id: <string> | default = ""]

      # Name of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs from the user domain.
      # CLI flag: -graphite.querier.schemas.swift.project-domain-name
      [project_domain_name: <string> | default = ""]

      # OpenStack Swift Region to use (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.region-name
      [region_name: <string> | default = ""]

      # Name of the OpenStack Swift container to put chunks in.
      # CLI flag: -graphite.querier.schemas.swift.container-name
      [container_name: <string> | default = ""]

      # Max retries on requests error.
      # CLI flag: -graphite.querier.schemas.swift.max-retries
      [max_retries: <int> | default = 3]

      # Time after which a connection attempt is aborted.
      # CLI flag: -graphite.querier.schemas.swift.connect-timeout
      [connect_timeout: <duration> | default = 10s]

      # Time after which an idle request is aborted. The timeout watchdog is
      # reset each time some data is received, so the timeout triggers after X
      # time no data is received on a request.
      # CLI flag: -graphite.querier.schemas.swift.request-timeout
      [request_timeout: <duration> | default = 5s]

    filesystem:
      # Local filesystem storage directory.
      # CLI flag: -graphite.querier.schemas.filesystem.dir
      [dir: <string> | default = ""]

  # Period to wait before expiring a cached item.
  # CLI flag: -graphite.querier.cache-grace-period
  [cache_grace_period: <duration> | default = 5m]

  metric_name_cache:
    # Cache config for metric names. Enable in-memory cache.
    # CLI flag: -graphite.querier.metric-name-cache.cache.enable-fifocache
    [enable_fifocache: <boolean> | default = false]

    # Cache config for metric names. The default validity of entries for caches
    # unless overridden.
    # CLI flag: -graphite.querier.metric-name-cache.default-validity
    [default_validity: <duration> | default = 0s]

    background:
      # Cache config for metric names. At what concurrency to write back to
      # cache.
      # CLI flag: -graphite.querier.metric-name-cache.background.write-back-concurrency
      [writeback_goroutines: <int> | default = 10]

      # Cache config for metric names. How many key batches to buffer for
      # background write-back.
      # CLI flag: -graphite.querier.metric-name-cache.background.write-back-buffer
      [writeback_buffer: <int> | default = 10000]

    memcached:
      # Cache config for metric names. How long keys stay in the memcache.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.expiration
      [expiration: <duration> | default = 0s]

      # Cache config for metric names. How many keys to fetch in each batch.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.batchsize
      [batch_size: <int> | default = 1024]

      # Cache config for metric names. Maximum active requests to memcache.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.parallelism
      [parallelism: <int> | default = 100]

    memcached_client:
      # Cache config for metric names. Hostname for memcached service to use. If
      # empty and if addresses is unset, no memcached will be used.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.hostname
      [host: <string> | default = ""]

      # Cache config for metric names. SRV service used to discover memcache
      # servers.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.service
      [service: <string> | default = "memcached"]

      # Cache config for metric names. EXPERIMENTAL: Comma separated addresses
      # list in DNS Service Discovery format:
      # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
      # CLI flag: -graphite.querier.metric-name-cache.memcached.addresses
      [addresses: <string> | default = ""]

      # Cache config for metric names. Maximum time to wait before giving up on
      # memcached requests.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # Cache config for metric names. Maximum number of idle connections in
      # pool.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.max-idle-conns
      [max_idle_conns: <int> | default = 16]

      # Cache config for metric names. The maximum size of an item stored in
      # memcached. Bigger items are not stored. If set to 0, no maximum size is
      # enforced.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.max-item-size
      [max_item_size: <int> | default = 0]

      # Cache config for metric names. Period with which to poll DNS for
      # memcache servers.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.update-interval
      [update_interval: <duration> | default = 1m]

      # Cache config for metric names. Use consistent hashing to distribute to
      # memcache servers.
      # CLI flag: -graphite.querier.metric-name-cache.memcached.consistent-hash
      [consistent_hash: <boolean> | default = true]

      # Cache config for metric names. Trip circuit-breaker after this number of
      # consecutive dial failures (if zero then circuit-breaker is disabled).
      # CLI flag: -graphite.querier.metric-name-cache.memcached.circuit-breaker-consecutive-failures
      [circuit_breaker_consecutive_failures: <int> | default = 10]

      # Cache config for metric names. Duration circuit-breaker remains open
      # after tripping (if zero then 60 seconds is used).
      # CLI flag: -graphite.querier.metric-name-cache.memcached.circuit-breaker-timeout
      [circuit_breaker_timeout: <duration> | default = 10s]

      # Cache config for metric names. Reset circuit-breaker counts after this
      # long (if zero then never reset).
      # CLI flag: -graphite.querier.metric-name-cache.memcached.circuit-breaker-interval
      [circuit_breaker_interval: <duration> | default = 10s]

    redis:
      # Cache config for metric names. Redis Server endpoint to use for caching.
      # A comma-separated list of endpoints for Redis Cluster or Redis Sentinel.
      # If empty, no redis will be used.
      # CLI flag: -graphite.querier.metric-name-cache.redis.endpoint
      [endpoint: <string> | default = ""]

      # Cache config for metric names. Redis Sentinel master name. An empty
      # string for Redis Server or Redis Cluster.
      # CLI flag: -graphite.querier.metric-name-cache.redis.master-name
      [master_name: <string> | default = ""]

      # Cache config for metric names. Maximum time to wait before giving up on
      # redis requests.
      # CLI flag: -graphite.querier.metric-name-cache.redis.timeout
      [timeout: <duration> | default = 500ms]

      # Cache config for metric names. How long keys stay in the redis.
      # CLI flag: -graphite.querier.metric-name-cache.redis.expiration
      [expiration: <duration> | default = 0s]

      # Cache config for metric names. Database index.
      # CLI flag: -graphite.querier.metric-name-cache.redis.db
      [db: <int> | default = 0]

      # Cache config for metric names. Maximum number of connections in the
      # pool.
      # CLI flag: -graphite.querier.metric-name-cache.redis.pool-size
      [pool_size: <int> | default = 0]

      # Cache config for metric names. Password to use when connecting to redis.
      # CLI flag: -graphite.querier.metric-name-cache.redis.password
      [password: <string> | default = ""]

      # Cache config for metric names. Enable connecting to redis with TLS.
      # CLI flag: -graphite.querier.metric-name-cache.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Cache config for metric names. Skip validating server certificate.
      # CLI flag: -graphite.querier.metric-name-cache.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Cache config for metric names. Close connections after remaining idle
      # for this duration. If the value is zero, then idle connections are not
      # closed.
      # CLI flag: -graphite.querier.metric-name-cache.redis.idle-timeout
      [idle_timeout: <duration> | default = 0s]

      # Cache config for metric names. Close connections older than this
      # duration. If the value is zero, then the pool does not close connections
      # based on age.
      # CLI flag: -graphite.querier.metric-name-cache.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

    fifocache:
      # Cache config for metric names. Maximum memory size of the cache in
      # bytes. A unit suffix (KB, MB, GB) may be applied.
      # CLI flag: -graphite.querier.metric-name-cache.fifocache.max-size-bytes
      [max_size_bytes: <string> | default = ""]

      # Cache config for metric names. Maximum number of entries in the cache.
      # CLI flag: -graphite.querier.metric-name-cache.fifocache.max-size-items
      [max_size_items: <int> | default = 0]

      # Cache config for metric names. The expiry duration for the cache.
      # CLI flag: -graphite.querier.metric-name-cache.fifocache.duration
      [validity: <duration> | default = 0s]

      # Deprecated (use max-size-items or max-size-bytes instead): Cache config
      # for metric names. The number of entries to cache.
      # CLI flag: -graphite.querier.metric-name-cache.fifocache.size
      [size: <int> | default = 0]

  aggregation_cache:
    # Cache config for aggregations. Enable in-memory cache.
    # CLI flag: -graphite.querier.aggregation-cache.cache.enable-fifocache
    [enable_fifocache: <boolean> | default = false]

    # Cache config for aggregations. The default validity of entries for caches
    # unless overridden.
    # CLI flag: -graphite.querier.aggregation-cache.default-validity
    [default_validity: <duration> | default = 0s]

    background:
      # Cache config for aggregations. At what concurrency to write back to
      # cache.
      # CLI flag: -graphite.querier.aggregation-cache.background.write-back-concurrency
      [writeback_goroutines: <int> | default = 10]

      # Cache config for aggregations. How many key batches to buffer for
      # background write-back.
      # CLI flag: -graphite.querier.aggregation-cache.background.write-back-buffer
      [writeback_buffer: <int> | default = 10000]

    memcached:
      # Cache config for aggregations. How long keys stay in the memcache.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.expiration
      [expiration: <duration> | default = 0s]

      # Cache config for aggregations. How many keys to fetch in each batch.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.batchsize
      [batch_size: <int> | default = 1024]

      # Cache config for aggregations. Maximum active requests to memcache.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.parallelism
      [parallelism: <int> | default = 100]

    memcached_client:
      # Cache config for aggregations. Hostname for memcached service to use. If
      # empty and if addresses is unset, no memcached will be used.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.hostname
      [host: <string> | default = ""]

      # Cache config for aggregations. SRV service used to discover memcache
      # servers.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.service
      [service: <string> | default = "memcached"]

      # Cache config for aggregations. EXPERIMENTAL: Comma separated addresses
      # list in DNS Service Discovery format:
      # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
      # CLI flag: -graphite.querier.aggregation-cache.memcached.addresses
      [addresses: <string> | default = ""]

      # Cache config for aggregations. Maximum time to wait before giving up on
      # memcached requests.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # Cache config for aggregations. Maximum number of idle connections in
      # pool.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.max-idle-conns
      [max_idle_conns: <int> | default = 16]

      # Cache config for aggregations. The maximum size of an item stored in
      # memcached. Bigger items are not stored. If set to 0, no maximum size is
      # enforced.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.max-item-size
      [max_item_size: <int> | default = 0]

      # Cache config for aggregations. Period with which to poll DNS for
      # memcache servers.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.update-interval
      [update_interval: <duration> | default = 1m]

      # Cache config for aggregations. Use consistent hashing to distribute to
      # memcache servers.
      # CLI flag: -graphite.querier.aggregation-cache.memcached.consistent-hash
      [consistent_hash: <boolean> | default = true]

      # Cache config for aggregations. Trip circuit-breaker after this number of
      # consecutive dial failures (if zero then circuit-breaker is disabled).
      # CLI flag: -graphite.querier.aggregation-cache.memcached.circuit-breaker-consecutive-failures
      [circuit_breaker_consecutive_failures: <int> | default = 10]

      # Cache config for aggregations. Duration circuit-breaker remains open
      # after tripping (if zero then 60 seconds is used).
      # CLI flag: -graphite.querier.aggregation-cache.memcached.circuit-breaker-timeout
      [circuit_breaker_timeout: <duration> | default = 10s]

      # Cache config for aggregations. Reset circuit-breaker counts after this
      # long (if zero then never reset).
      # CLI flag: -graphite.querier.aggregation-cache.memcached.circuit-breaker-interval
      [circuit_breaker_interval: <duration> | default = 10s]

    redis:
      # Cache config for aggregations. Redis Server endpoint to use for caching.
      # A comma-separated list of endpoints for Redis Cluster or Redis Sentinel.
      # If empty, no redis will be used.
      # CLI flag: -graphite.querier.aggregation-cache.redis.endpoint
      [endpoint: <string> | default = ""]

      # Cache config for aggregations. Redis Sentinel master name. An empty
      # string for Redis Server or Redis Cluster.
      # CLI flag: -graphite.querier.aggregation-cache.redis.master-name
      [master_name: <string> | default = ""]

      # Cache config for aggregations. Maximum time to wait before giving up on
      # redis requests.
      # CLI flag: -graphite.querier.aggregation-cache.redis.timeout
      [timeout: <duration> | default = 500ms]

      # Cache config for aggregations. How long keys stay in the redis.
      # CLI flag: -graphite.querier.aggregation-cache.redis.expiration
      [expiration: <duration> | default = 0s]

      # Cache config for aggregations. Database index.
      # CLI flag: -graphite.querier.aggregation-cache.redis.db
      [db: <int> | default = 0]

      # Cache config for aggregations. Maximum number of connections in the
      # pool.
      # CLI flag: -graphite.querier.aggregation-cache.redis.pool-size
      [pool_size: <int> | default = 0]

      # Cache config for aggregations. Password to use when connecting to redis.
      # CLI flag: -graphite.querier.aggregation-cache.redis.password
      [password: <string> | default = ""]

      # Cache config for aggregations. Enable connecting to redis with TLS.
      # CLI flag: -graphite.querier.aggregation-cache.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Cache config for aggregations. Skip validating server certificate.
      # CLI flag: -graphite.querier.aggregation-cache.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Cache config for aggregations. Close connections after remaining idle
      # for this duration. If the value is zero, then idle connections are not
      # closed.
      # CLI flag: -graphite.querier.aggregation-cache.redis.idle-timeout
      [idle_timeout: <duration> | default = 0s]

      # Cache config for aggregations. Close connections older than this
      # duration. If the value is zero, then the pool does not close connections
      # based on age.
      # CLI flag: -graphite.querier.aggregation-cache.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

    fifocache:
      # Cache config for aggregations. Maximum memory size of the cache in
      # bytes. A unit suffix (KB, MB, GB) may be applied.
      # CLI flag: -graphite.querier.aggregation-cache.fifocache.max-size-bytes
      [max_size_bytes: <string> | default = ""]

      # Cache config for aggregations. Maximum number of entries in the cache.
      # CLI flag: -graphite.querier.aggregation-cache.fifocache.max-size-items
      [max_size_items: <int> | default = 0]

      # Cache config for aggregations. The expiry duration for the cache.
      # CLI flag: -graphite.querier.aggregation-cache.fifocache.duration
      [validity: <duration> | default = 0s]

      # Deprecated (use max-size-items or max-size-bytes instead): Cache config
      # for aggregations. The number of entries to cache.
      # CLI flag: -graphite.querier.aggregation-cache.fifocache.size
      [size: <int> | default = 0]

  # Number of go routines to concurrently fetch and process data.
  # CLI flag: -graphite.querier.query-handling-concurrency
  [query_handling_concurrency: <int> | default = 8]

  # Split queries by this interval and execute in parallel, 0 disables query
  # splitting.
  # CLI flag: -graphite.querier.split-queries-by-interval
  [split_queries_by_interval: <duration> | default = 24h]

  # Proxy bad requests to graphite
  # CLI flag: -graphite.querier.proxy-bad-requests
  [proxy_bad_requests: <boolean> | default = true]

  # Graphite http listener fallback address
  # CLI flag: -graphite.querier.graphite-fallback
  [graphite_fallback: <string> | default = "http://graphite:80"]

  # How far into the past we perform index lookups for find calls
  # CLI flag: -graphite.querier.metrics-find-cutoff
  [metrics_find_cutoff: <string> | default = "32d"]

  # Max number of data points a query may return, if number of data points
  # exceeds this limit we aggregate them down to the limit.
  # CLI flag: -graphite.querier.max-points-per-req-soft
  [max_points_per_req_soft: <int> | default = 1000000]

  # If query results in more data points than this limit we directly cancel it
  # with an error message.
  # CLI flag: -graphite.querier.max-points-per-req-hard
  [max_points_per_req_hard: <int> | default = 20000000]

  remote_read:
    # Base URL for queries from upstream Prometheus API. The /api/v1 suffix will
    # be appended to this address. Defaults to http://localhost:80/prometheus.
    # CLI flag: -graphite.querier.query-address
    [query_address: <string> | default = "http://localhost:80/prometheus"]

    # Timeout for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-timeout
    [query_timeout: <duration> | default = 30s]

    # KeepAlive for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-keep-alive
    [query_keep_alive: <duration> | default = 30s]

    # Max idle conns for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-max-idle-conns
    [query_max_idle_conns: <int> | default = 10]

    # Max conns per host for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-max-conns
    [query_max_conns: <int> | default = 100]

    # Client name to use when identifying requests in Prometheus API.
    # CLI flag: -graphite.querier.query-client-name
    [query_client_name: <string> | default = "graphite-querier"]

# Enable usage of the querier on the read path of graphite, instead of accessing
# directly the ingesters and the block store.
# CLI flag: -graphite.querier.remote-read-enabled
[querier_remote_read_enabled: <boolean> | default = false]

write_proxy:
  distributor_client:
    # GRPC listen address of cortex distributor(s). Must be a DNS address
    # (prefixed with dns:///) to enable client side load balancing.
    # CLI flag: -graphite.write-proxy.distributor-client.address
    [address: <string> | default = "dns:///:9095"]

    # GRPC connection timeout for cortex distributor(s)
    # CLI flag: -graphite.write-proxy.distributor-client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # Set to true if distributor connection requires TLS.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]
```

### instrumentation\_config

The `instrumentation_config` configures the instrumentation module.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Enable self-monitoring metrics recorded under the system tenant.
# CLI flag: -instrumentation.enabled
[enabled: <boolean> | default = false]

# How often to flush self-monitoring metrics to distributor
# CLI flag: -instrumentation.flush-period
[flush_period: <duration> | default = 15s]

# Timeout writing self-monitoring metrics to distributor
# CLI flag: -instrumentation.write-timeout
[write_timeout: <duration> | default = 10s]

distributor_client:
  # GRPC listen address of cortex distributor(s). Must be a DNS address
  # (prefixed with dns:///) to enable client side load balancing.
  # CLI flag: -instrumentation.distributor-client.address
  [address: <string> | default = "dns:///:9095"]

  # GRPC connection timeout for cortex distributor(s)
  # CLI flag: -instrumentation.distributor-client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # Set to true if distributor connection requires TLS.
  # CLI flag: -instrumentation.distributor-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -instrumentation.distributor-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -instrumentation.distributor-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -instrumentation.distributor-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -instrumentation.distributor-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -instrumentation.distributor-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

node_collector:
  # Mount point of the proc filesystem.
  # CLI flag: -instrumentation.node-collector.procfs-path
  [procfs_path: <string> | default = "/proc"]

  # Mount point of the root filesystem.
  # CLI flag: -instrumentation.node-collector.rootfs-path
  [rootfs_path: <string> | default = "/"]

  # Regex pattern of mount points to ignore for the filesystem collector
  # CLI flag: -instrumentation.node-collector.filesystem-ignored-mount-points
  [filesystem_ignored_mount_points: <string> | default = "^/(dev|proc|sys|var/lib/docker/.+)($|/)"]

  # Regex pattern of filesystem types to ignore for the filesystem collector
  # CLI flag: -instrumentation.node-collector.filesystem-ignored-fs-types
  [filesystem_ignored_fs_types: <string> | default = "^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$"]

  # Regex pattern of devices to ignore for the disktstats collector
  # CLI flag: -instrumentation.node-collector.diskstats-ignored-devices
  [diskstats_ignored_devices: <string> | default = "^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"]
```

### bootstrap\_config

This target is deprecated, use the `tokengen` target instead. In prior versions, `bootstrap_config` was used to configure the bootstrap target.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Name of built in access policy.
# CLI flag: -bootstrap.policy-name
[policy_name: <string> | default = "admin-policy"]

# Write token to this instead of the standard out.
# CLI flag: -bootstrap.token-file
[token_file: <string> | default = ""]
```

### tokengen\_config

The `tokengen_config` is used to configure the tokengen command.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]
```

### license\_config

The `license_config` configures the license validation module.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]
```

### federation\_config

The `federation_config` configures the federation frontend component, which can be used to federate querier between multiple Grafana Enterprise Metrics clusters.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# A federation_target_config configures a particular cluster that queries should
# get federated to.
[proxy_targets: <federation_target_config>]
```

### federation\_target\_config

A `federation_target_config` configures a particular cluster that queries should get federated to.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Name contains the name of the proxy target, it will be used for the
# __cluster__ label.
[name: <string> | default = ""]

# URL is the URL to the Prometheus API endpoints.
[url: <string> | default = ""]

# Those optional Basic Auth parameters allow to override the client provided
# credentials.
basic_auth:
  # Basic Auth username
  [username: <string> | default = ""]

  # Basic Auth password
  [password: <string> | default = ""]

# TLS configuration for the target.
tls:
  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  [tls_insecure_skip_verify: <boolean> | default = false]
```

### server\_config

The `server_config` configures the HTTP and gRPC server of the launched service(s).

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# HTTP server listen network, default tcp
# CLI flag: -server.http-listen-network
[http_listen_network: <string> | default = "tcp"]

# HTTP server listen address.
# CLI flag: -server.http-listen-address
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]

# Maximum number of simultaneous http connections, <=0 to disable
# CLI flag: -server.http-conn-limit
[http_listen_conn_limit: <int> | default = 0]

# gRPC server listen network
# CLI flag: -server.grpc-listen-network
[grpc_listen_network: <string> | default = "tcp"]

# gRPC server listen address.
# CLI flag: -server.grpc-listen-address
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# Maximum number of simultaneous grpc connections, <=0 to disable
# CLI flag: -server.grpc-conn-limit
[grpc_listen_conn_limit: <int> | default = 0]

http_tls_config:
  # HTTP server cert path.
  # CLI flag: -server.http-tls-cert-path
  [cert_file: <string> | default = ""]

  # HTTP server key path.
  # CLI flag: -server.http-tls-key-path
  [key_file: <string> | default = ""]

  # HTTP TLS Client Auth type.
  # CLI flag: -server.http-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # HTTP TLS Client CA path.
  # CLI flag: -server.http-tls-ca-path
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # GRPC TLS server cert path.
  # CLI flag: -server.grpc-tls-cert-path
  [cert_file: <string> | default = ""]

  # GRPC TLS server key path.
  # CLI flag: -server.grpc-tls-key-path
  [key_file: <string> | default = ""]

  # GRPC TLS Client Auth type.
  # CLI flag: -server.grpc-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # GRPC TLS Client CA path.
  # CLI flag: -server.grpc-tls-ca-path
  [client_ca_file: <string> | default = ""]

# Register the intrumentation handlers (/metrics etc).
# CLI flag: -server.register-instrumentation
[register_instrumentation: <boolean> | default = true]

# Timeout for graceful shutdowns
# CLI flag: -server.graceful-shutdown-timeout
[graceful_shutdown_timeout: <duration> | default = 30s]

# Read timeout for HTTP server
# CLI flag: -server.http-read-timeout
[http_server_read_timeout: <duration> | default = 30s]

# Write timeout for HTTP server
# CLI flag: -server.http-write-timeout
[http_server_write_timeout: <duration> | default = 30s]

# Idle timeout for HTTP server
# CLI flag: -server.http-idle-timeout
[http_server_idle_timeout: <duration> | default = 2m]

# Limit on the size of a gRPC message this server can receive (bytes).
# CLI flag: -server.grpc-max-recv-msg-size-bytes
[grpc_server_max_recv_msg_size: <int> | default = 4194304]

# Limit on the size of a gRPC message this server can send (bytes).
# CLI flag: -server.grpc-max-send-msg-size-bytes
[grpc_server_max_send_msg_size: <int> | default = 4194304]

# Limit on the number of concurrent streams for gRPC calls (0 = unlimited)
# CLI flag: -server.grpc-max-concurrent-streams
[grpc_server_max_concurrent_streams: <int> | default = 100]

# The duration after which an idle connection should be closed. Default:
# infinity
# CLI flag: -server.grpc.keepalive.max-connection-idle
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# The duration for the maximum amount of time a connection may exist before it
# will be closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# An additive period after max-connection-age after which the connection will be
# forcibly closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age-grace
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# Duration after which a keepalive probe is sent in case of no activity over the
# connection., Default: 2h
# CLI flag: -server.grpc.keepalive.time
[grpc_server_keepalive_time: <duration> | default = 2h]

# After having pinged for keepalive check, the duration after which an idle
# connection should be closed, Default: 20s
# CLI flag: -server.grpc.keepalive.timeout
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# Minimum amount of time a client should wait before sending a keepalive ping.
# If client sends keepalive ping more often, server will send GOAWAY and close
# the connection.
# CLI flag: -server.grpc.keepalive.min-time-between-pings
[grpc_server_min_time_between_pings: <duration> | default = 10s]

# If true, server allows keepalive pings even when there are no active
# streams(RPCs). If false, and client sends ping when there are no active
# streams, server will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.ping-without-stream-allowed
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]

# Output log messages in the given format. Valid formats: [logfmt, json]
# CLI flag: -log.format
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# Optionally log the source IPs.
# CLI flag: -server.log-source-ips-enabled
[log_source_ips_enabled: <boolean> | default = false]

# Header field storing the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-header
[log_source_ips_header: <string> | default = ""]

# Regex for matching the source IPs. Only used if server.log-source-ips-enabled
# is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For
# headers are used
# CLI flag: -server.log-source-ips-regex
[log_source_ips_regex: <string> | default = ""]

# Base path to serve all API routes from (e.g. /v1/)
# CLI flag: -server.path-prefix
[http_path_prefix: <string> | default = ""]
```

### distributor\_config

The `distributor_config` configures the GEM distributor.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
pool:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -distributor.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -distributor.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

ha_tracker:
  # Enable the distributors HA tracker so that it can accept samples from
  # Prometheus HA replicas gracefully (requires labels).
  # CLI flag: -distributor.ha-tracker.enable
  [enable_ha_tracker: <boolean> | default = false]

  # Update the timestamp in the KV store for a given cluster/replica only after
  # this amount of time has passed since the current stored timestamp.
  # CLI flag: -distributor.ha-tracker.update-timeout
  [ha_tracker_update_timeout: <duration> | default = 15s]

  # Maximum jitter applied to the update timeout, in order to spread the HA
  # heartbeats over time.
  # CLI flag: -distributor.ha-tracker.update-timeout-jitter-max
  [ha_tracker_update_timeout_jitter_max: <duration> | default = 5s]

  # If we don't receive any samples from the accepted replica for a cluster in
  # this amount of time we will failover to the next replica we receive a sample
  # from. This value must be greater than the update timeout
  # CLI flag: -distributor.ha-tracker.failover-timeout
  [ha_tracker_failover_timeout: <duration> | default = 30s]

  # Backend storage to use for the ring. Please be aware that memberlist is not
  # supported by the HA tracker since gossip propagation is too slow for HA
  # purposes.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -distributor.ha-tracker.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -distributor.ha-tracker.prefix
    [prefix: <string> | default = "ha-tracker/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: distributor.ha-tracker
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: distributor.ha-tracker
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -distributor.ha-tracker.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -distributor.ha-tracker.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -distributor.ha-tracker.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -distributor.ha-tracker.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

# remote_write API max receive message size (bytes).
# CLI flag: -distributor.max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]

# Timeout for downstream ingesters.
# CLI flag: -distributor.remote-timeout
[remote_timeout: <duration> | default = 2s]

# Time to wait before sending more than the minimum successful query requests.
# CLI flag: -distributor.extra-query-delay
[extra_queue_delay: <duration> | default = 0s]

# The sharding strategy to use. Supported values are: default, shuffle-sharding.
# CLI flag: -distributor.sharding-strategy
[sharding_strategy: <string> | default = "default"]

# Distribute samples based on all labels, as opposed to solely by user and
# metric name.
# CLI flag: -distributor.shard-by-all-labels
[shard_by_all_labels: <boolean> | default = false]

# Try writing to an additional ingester in the presence of an ingester not in
# the ACTIVE state. It is useful to disable this along with
# -ingester.unregister-on-shutdown=false in order to not spread samples to extra
# ingesters during rolling restarts with consistent naming.
# CLI flag: -distributor.extend-writes
[extend_writes: <boolean> | default = true]

ring:
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -distributor.ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -distributor.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: distributor.ring
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: distributor.ring
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -distributor.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # The heartbeat timeout after which distributors are considered unhealthy
  # within the ring. 0 = never (timeout disabled).
  # CLI flag: -distributor.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Name of network interface to read address from.
  # CLI flag: -distributor.ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

instance_limits:
  # Max ingestion rate (samples/sec) that this distributor will accept. This
  # limit is per-distributor, not per-tenant. Additional push requests will be
  # rejected. Current ingestion rate is computed as exponentially weighted
  # moving average, updated every second. 0 = unlimited.
  # CLI flag: -distributor.instance-limits.max-ingestion-rate
  [max_ingestion_rate: <float> | default = 0]

  # Max inflight push requests that this distributor can handle. This limit is
  # per-distributor, not per-tenant. Additional requests will be rejected. 0 =
  # unlimited.
  # CLI flag: -distributor.instance-limits.max-inflight-push-requests
  [max_inflight_push_requests: <int> | default = 0]
```

### ingester\_config

The `ingester_config` configures the GEM ingester.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Configures the Write-Ahead Log (WAL) for the GEM chunks storage. This config
# is ignored when running the GEM blocks storage.
walconfig:
  # Enable writing of ingested data into WAL.
  # CLI flag: -ingester.wal-enabled
  [wal_enabled: <boolean> | default = false]

  # Enable checkpointing of in-memory chunks. It should always be true when
  # using normally. Set it to false iff you are doing some small tests as there
  # is no mechanism to delete the old WAL yet if checkpoint is disabled.
  # CLI flag: -ingester.checkpoint-enabled
  [checkpoint_enabled: <boolean> | default = true]

  # Recover data from existing WAL irrespective of WAL enabled/disabled.
  # CLI flag: -ingester.recover-from-wal
  [recover_from_wal: <boolean> | default = false]

  # Directory to store the WAL and/or recover from WAL.
  # CLI flag: -ingester.wal-dir
  [wal_dir: <string> | default = "wal"]

  # Interval at which checkpoints should be created.
  # CLI flag: -ingester.checkpoint-duration
  [checkpoint_duration: <duration> | default = 30m]

  # When WAL is enabled, should chunks be flushed to long-term storage on
  # shutdown. Useful eg. for migration to blocks engine.
  # CLI flag: -ingester.flush-on-shutdown-with-wal-enabled
  [flush_on_shutdown_with_wal_enabled: <boolean> | default = false]

lifecycler:
  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -ring.prefix
      [prefix: <string> | default = "collectors/"]

      # The consul_config configures the consul client.
      [consul: <consul_config>]

      # The etcd_config configures the etcd client.
      [etcd: <etcd_config>]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # The heartbeat timeout after which ingesters are skipped for reads/writes.
    # 0 = never (timeout disabled).
    # CLI flag: -ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # The number of ingesters to write to and read from.
    # CLI flag: -distributor.replication-factor
    [replication_factor: <int> | default = 3]

    # True to enable the zone-awareness and replicate ingested samples across
    # different availability zones.
    # CLI flag: -distributor.zone-awareness-enabled
    [zone_awareness_enabled: <boolean> | default = false]

    # Comma-separated list of zones to exclude from the ring. Instances in
    # excluded zones will be filtered out from the ring.
    # CLI flag: -distributor.excluded-zones
    [excluded_zones: <string> | default = ""]

  # Number of tokens for each ingester.
  # CLI flag: -ingester.num-tokens
  [num_tokens: <int> | default = 128]

  # Period at which to heartbeat to consul. 0 = disabled.
  # CLI flag: -ingester.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # Observe tokens after generating to resolve collisions. Useful when using
  # gossiping ring.
  # CLI flag: -ingester.observe-period
  [observe_period: <duration> | default = 0s]

  # Period to wait for a claim from another member; will join automatically
  # after this.
  # CLI flag: -ingester.join-after
  [join_after: <duration> | default = 0s]

  # Minimum duration to wait after the internal readiness checks have passed but
  # before succeeding the readiness endpoint. This is used to slowdown
  # deployment controllers (eg. Kubernetes) after an instance is ready and
  # before they proceed with a rolling update, to give the rest of the cluster
  # instances enough time to receive ring updates.
  # CLI flag: -ingester.min-ready-duration
  [min_ready_duration: <duration> | default = 15s]

  # Name of network interface to read address from.
  # CLI flag: -ingester.lifecycler.interface
  [interface_names: <list of string> | default = [eth0 en0]]

  # Duration to sleep for before exiting, to ensure metrics are scraped.
  # CLI flag: -ingester.final-sleep
  [final_sleep: <duration> | default = 30s]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -ingester.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # The availability zone where this instance is running.
  # CLI flag: -ingester.availability-zone
  [availability_zone: <string> | default = ""]

  # Unregister from the ring upon clean shutdown. It can be useful to disable
  # for rolling restarts with consistent naming in conjunction with
  # -distributor.extend-writes=false.
  # CLI flag: -ingester.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

  # When enabled the readiness probe succeeds only after all instances are
  # ACTIVE and healthy in the ring, otherwise only the instance itself is
  # checked. This option should be disabled if in your cluster multiple
  # instances can be rolled out simultaneously, otherwise rolling updates may be
  # slowed down.
  # CLI flag: -ingester.readiness-check-ring-health
  [readiness_check_ring_health: <boolean> | default = true]

# Number of times to try and transfer chunks before falling back to flushing.
# Negative value or zero disables hand-over. This feature is supported only by
# the chunks storage.
# CLI flag: -ingester.max-transfer-retries
[max_transfer_retries: <int> | default = 10]

# Period with which to attempt to flush chunks.
# CLI flag: -ingester.flush-period
[flush_period: <duration> | default = 1m]

# Period chunks will remain in memory after flushing.
# CLI flag: -ingester.retain-period
[retain_period: <duration> | default = 5m]

# Maximum chunk idle time before flushing.
# CLI flag: -ingester.max-chunk-idle
[max_chunk_idle_time: <duration> | default = 5m]

# Maximum chunk idle time for chunks terminating in stale markers before
# flushing. 0 disables it and a stale series is not flushed until the
# max-chunk-idle timeout is reached.
# CLI flag: -ingester.max-stale-chunk-idle
[max_stale_chunk_idle_time: <duration> | default = 2m]

# Timeout for individual flush operations.
# CLI flag: -ingester.flush-op-timeout
[flush_op_timeout: <duration> | default = 1m]

# Maximum chunk age before flushing.
# CLI flag: -ingester.max-chunk-age
[max_chunk_age: <duration> | default = 12h]

# Range of time to subtract from -ingester.max-chunk-age to spread out flushes
# CLI flag: -ingester.chunk-age-jitter
[chunk_age_jitter: <duration> | default = 0s]

# Number of concurrent goroutines flushing to dynamodb.
# CLI flag: -ingester.concurrent-flushes
[concurrent_flushes: <int> | default = 50]

# If true, spread series flushes across the whole period of
# -ingester.max-chunk-age.
# CLI flag: -ingester.spread-flushes
[spread_flushes: <boolean> | default = true]

# Period at which metadata we have not seen will remain in memory before being
# deleted.
# CLI flag: -ingester.metadata-retain-period
[metadata_retain_period: <duration> | default = 10m]

# Period with which to update the per-user ingestion rates.
# CLI flag: -ingester.rate-update-period
[rate_update_period: <duration> | default = 15s]

# Enable tracking of active series and export them as metrics.
# CLI flag: -ingester.active-series-metrics-enabled
[active_series_metrics_enabled: <boolean> | default = true]

# How often to update active series metrics.
# CLI flag: -ingester.active-series-metrics-update-period
[active_series_metrics_update_period: <duration> | default = 1m]

# After what time a series is considered to be inactive.
# CLI flag: -ingester.active-series-metrics-idle-timeout
[active_series_metrics_idle_timeout: <duration> | default = 10m]

# Additional custom trackers for active metrics. Active series matching a
# provided matcher (map value) will be exposed in the custom trackers metric
# labeled using the tracker name (map key).
# Example:
#   The following configuration will count the active series coming from dev and
#   prod namespaces for each tenant and label them as {name="dev"} and
#   {name="prod"} in the cortex_ingester_active_series_custom_tracker metric.
#   active_series_custom_trackers:
#       dev: '{namespace=~"dev-.*"}'
#       prod: '{namespace=~"prod-.*"}'
# CLI flag: -ingester.active-series-custom-trackers
[active_series_custom_trackers: <map of string to string> | default = ]

# Period with which to update per-user max exemplars.
# CLI flag: -ingester.exemplars-update-period
[exemplars_update_period: <duration> | default = 15s]

instance_limits:
  # Max ingestion rate (samples/sec) that ingester will accept. This limit is
  # per-ingester, not per-tenant. Additional push requests will be rejected.
  # Current ingestion rate is computed as exponentially weighted moving average,
  # updated every second. This limit only works when using blocks engine. 0 =
  # unlimited.
  # CLI flag: -ingester.instance-limits.max-ingestion-rate
  [max_ingestion_rate: <float> | default = 0]

  # Max users that this ingester can hold. Requests from additional users will
  # be rejected. This limit only works when using blocks engine. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-tenants
  [max_tenants: <int> | default = 0]

  # Max series that this ingester can hold (across all tenants). Requests to
  # create additional series will be rejected. This limit only works when using
  # blocks engine. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-series
  [max_series: <int> | default = 0]

  # Max inflight push requests that this ingester can handle (across all
  # tenants). Additional requests will be rejected. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-inflight-push-requests
  [max_inflight_push_requests: <int> | default = 30000]

# Comma-separated list of metric names, for which
# -ingester.max-series-per-metric and -ingester.max-global-series-per-metric
# limits will be ignored. Does not affect max-series-per-user or
# max-global-series-per-metric limits.
# CLI flag: -ingester.ignore-series-limit-for-metric-names
[ignore_series_limit_for_metric_names: <string> | default = ""]
```

### querier\_config

The `querier_config` configures the GEM querier.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Use iterators to execute query, as opposed to fully materialising the series
# in memory.
# CLI flag: -querier.iterators
[iterators: <boolean> | default = false]

# Use batch iterators to execute query, as opposed to fully materialising the
# series in memory.  Takes precedent over the -querier.iterators flag.
# CLI flag: -querier.batch-iterators
[batch_iterators: <boolean> | default = true]

# Maximum lookback beyond which queries are not sent to ingester. 0 means all
# queries are sent to ingester.
# CLI flag: -querier.query-ingesters-within
[query_ingesters_within: <duration> | default = 0s]

# Query long-term store for series, label values and label names APIs. Works
# only with blocks engine.
# CLI flag: -querier.query-store-for-labels-enabled
[query_store_for_labels_enabled: <boolean> | default = false]

# True to enable queriers to use an optimized implementation which passes down
# to ingesters the label matchers when running the label names API. Can be
# enabled once all ingesters run a version >= the one where this option has been
# introduced.
# CLI flag: -querier.query-label-names-with-matchers-enabled
[query_label_names_with_matchers_enabled: <boolean> | default = false]

# The time after which a metric should be queried from storage and not just
# ingesters. 0 means all queries are sent to store. When running the blocks
# storage, if this option is enabled, the time range of the query sent to the
# store will be manipulated to ensure the query end is not more recent than 'now
# - query-store-after'.
# CLI flag: -querier.query-store-after
[query_store_after: <duration> | default = 0s]

# Maximum duration into the future you can query. 0 to disable.
# CLI flag: -querier.max-query-into-future
[max_query_into_future: <duration> | default = 10m]

# Comma separated list of store-gateway addresses in DNS Service Discovery
# format. This option should be set when using the blocks storage and the
# store-gateway sharding is disabled (when enabled, the store-gateway instances
# form a ring and addresses are picked from the ring).
# CLI flag: -querier.store-gateway-addresses
[store_gateway_addresses: <string> | default = ""]

store_gateway_client:
  # Enable TLS for gRPC client connecting to store-gateway.
  # CLI flag: -querier.store-gateway-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -querier.store-gateway-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -querier.store-gateway-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -querier.store-gateway-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -querier.store-gateway-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -querier.store-gateway-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# Second store engine to use for querying. Empty = disabled.
# CLI flag: -querier.second-store-engine
[second_store_engine: <string> | default = ""]

# If specified, second store is only used for queries before this timestamp.
# Default value 0 means secondary store is always queried.
# CLI flag: -querier.use-second-store-before-time
[use_second_store_before_time: <time> | default = 0]

# When distributor's sharding strategy is shuffle-sharding and this setting is >
# 0, queriers fetch in-memory series from the minimum set of required ingesters,
# selecting only ingesters which may have received series since 'now - lookback
# period'. The lookback period should be greater or equal than the configured
# 'query store after' and 'query ingesters within'. If this setting is 0,
# queriers always query all ingesters (ingesters shuffle sharding on read path
# is disabled).
# CLI flag: -querier.shuffle-sharding-ingesters-lookback-period
[shuffle_sharding_ingesters_lookback_period: <duration> | default = 0s]

# The maximum number of concurrent queries. This config option should be set on
# query-frontend too when query sharding is enabled.
# CLI flag: -querier.max-concurrent
[max_concurrent: <int> | default = 20]

# The timeout for a query. This config option should be set on query-frontend
# too when query sharding is enabled.
# CLI flag: -querier.timeout
[timeout: <duration> | default = 2m]

# Maximum number of samples a single query can load into memory. This config
# option should be set on query-frontend too when query sharding is enabled.
# CLI flag: -querier.max-samples
[max_samples: <int> | default = 50000000]

# Enable the @ modifier in PromQL. This config option should be set on
# query-frontend too when query sharding is enabled.
# CLI flag: -querier.at-modifier-enabled
[at_modifier_enabled: <boolean> | default = false]

# The default evaluation interval or step size for subqueries. This config
# option should be set on query-frontend too when query sharding is enabled.
# CLI flag: -querier.default-evaluation-interval
[default_evaluation_interval: <duration> | default = 1m]

# Active query tracker monitors active queries, and writes them to the file in
# given directory. If any queries are discovered in this file during startup, it
# will log them to the log file. Setting to empty value disables active query
# tracker, which also disables -querier.max-concurrent option. This config
# option should be set on query-frontend too when query sharding is enabled.
# CLI flag: -querier.active-query-tracker-dir
[active_query_tracker_dir: <string> | default = "./active-query-tracker"]

# Time since the last sample after which a time series is considered stale and
# ignored by expression evaluations. This config option should be set on
# query-frontend too when query sharding is enabled.
# CLI flag: -querier.lookback-delta
[lookback_delta: <duration> | default = 5m]
```

### query\_scheduler\_config

The `query_scheduler_config` configures query scheduler module.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Maximum number of outstanding requests per tenant per query-scheduler.
# In-flight requests above this limit will fail with HTTP response status code
# 429.
# CLI flag: -query-scheduler.max-outstanding-requests-per-tenant
[max_outstanding_requests_per_tenant: <int> | default = 100]

# If a querier disconnects without sending notification about graceful shutdown,
# the query-scheduler will keep the querier in the tenant's shard until the
# forget delay has passed. This feature is useful to reduce the blast radius
# when shuffle-sharding is enabled.
# CLI flag: -query-scheduler.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# This configures the gRPC client used to report errors back to the
# query-frontend.
grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -query-scheduler.grpc-client-config.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -query-scheduler.grpc-client-config.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -query-scheduler.grpc-client-config.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -query-scheduler.grpc-client-config.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -query-scheduler.grpc-client-config.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -query-scheduler.grpc-client-config.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -query-scheduler.grpc-client-config.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -query-scheduler.grpc-client-config.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -query-scheduler.grpc-client-config.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -query-scheduler.grpc-client-config.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]
```

### query\_frontend\_config

The `query_frontend_config` configures the GEM query-frontend.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Log queries that are slower than the specified duration. Set to 0 to disable.
# Set to < 0 to enable on all queries.
# CLI flag: -frontend.log-queries-longer-than
[log_queries_longer_than: <duration> | default = 0s]

# Max body size for downstream prometheus.
# CLI flag: -frontend.max-body-size
[max_body_size: <int> | default = 10485760]

# False to disable query statistics tracking. When enabled, a message with some
# statistics is logged for every query.
# CLI flag: -frontend.query-stats-enabled
[query_stats_enabled: <boolean> | default = true]

# Maximum number of outstanding requests per tenant per frontend; requests
# beyond this error with HTTP 429.
# CLI flag: -querier.max-outstanding-requests-per-tenant
[max_outstanding_per_tenant: <int> | default = 100]

# If a querier disconnects without sending notification about graceful shutdown,
# the query-frontend will keep the querier in the tenant's shard until the
# forget delay has passed. This feature is useful to reduce the blast radius
# when shuffle-sharding is enabled.
# CLI flag: -query-frontend.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# DNS hostname used for finding query-schedulers.
# CLI flag: -frontend.scheduler-address
[scheduler_address: <string> | default = ""]

# How often to resolve the scheduler-address, in order to look for new
# query-scheduler instances.
# CLI flag: -frontend.scheduler-dns-lookup-period
[scheduler_dns_lookup_period: <duration> | default = 10s]

# Number of concurrent workers forwarding queries to single query-scheduler.
# CLI flag: -frontend.scheduler-worker-concurrency
[scheduler_worker_concurrency: <int> | default = 5]

grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -frontend.grpc-client-config.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -frontend.grpc-client-config.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -frontend.grpc-client-config.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -frontend.grpc-client-config.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -frontend.grpc-client-config.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -frontend.grpc-client-config.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -frontend.grpc-client-config.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -frontend.grpc-client-config.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -frontend.grpc-client-config.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -frontend.grpc-client-config.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -frontend.grpc-client-config.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -frontend.grpc-client-config.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -frontend.grpc-client-config.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -frontend.grpc-client-config.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -frontend.grpc-client-config.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# Name of network interface to read address from. This address is sent to
# query-scheduler and querier, which uses it to send the query response back to
# query-frontend.
# CLI flag: -frontend.instance-interface-names
[instance_interface_names: <list of string> | default = [eth0 en0]]

# URL of downstream Prometheus.
# CLI flag: -frontend.downstream-url
[downstream_url: <string> | default = ""]
```

### query\_range\_config

The `query_range_config` configures the query splitting and caching in the GEM query-frontend.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Split queries by an interval and execute in parallel, 0 disables it. You
# should use an a multiple of 24 hours (same as the storage bucketing scheme),
# to avoid queriers downloading and processing the same chunks. This also
# determines how cache keys are chosen when result caching is enabled
# CLI flag: -querier.split-queries-by-interval
[split_queries_by_interval: <duration> | default = 0s]

# Mutate incoming queries to align their start and end with their step.
# CLI flag: -querier.align-querier-with-step
[align_queries_with_step: <boolean> | default = false]

results_cache:
  cache:
    # Enable in-memory cache.
    # CLI flag: -frontend.cache.enable-fifocache
    [enable_fifocache: <boolean> | default = false]

    # The default validity of entries for caches unless overridden.
    # CLI flag: -frontend.default-validity
    [default_validity: <duration> | default = 0s]

    background:
      # At what concurrency to write back to cache.
      # CLI flag: -frontend.background.write-back-concurrency
      [writeback_goroutines: <int> | default = 10]

      # How many key batches to buffer for background write-back.
      # CLI flag: -frontend.background.write-back-buffer
      [writeback_buffer: <int> | default = 10000]

    memcached:
      # How long keys stay in the memcache.
      # CLI flag: -frontend.memcached.expiration
      [expiration: <duration> | default = 0s]

      # How many keys to fetch in each batch.
      # CLI flag: -frontend.memcached.batchsize
      [batch_size: <int> | default = 1024]

      # Maximum active requests to memcache.
      # CLI flag: -frontend.memcached.parallelism
      [parallelism: <int> | default = 100]

    memcached_client:
      # Hostname for memcached service to use. If empty and if addresses is
      # unset, no memcached will be used.
      # CLI flag: -frontend.memcached.hostname
      [host: <string> | default = ""]

      # SRV service used to discover memcache servers.
      # CLI flag: -frontend.memcached.service
      [service: <string> | default = "memcached"]

      # EXPERIMENTAL: Comma separated addresses list in DNS Service Discovery
      # format:
      # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
      # CLI flag: -frontend.memcached.addresses
      [addresses: <string> | default = ""]

      # Maximum time to wait before giving up on memcached requests.
      # CLI flag: -frontend.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # Maximum number of idle connections in pool.
      # CLI flag: -frontend.memcached.max-idle-conns
      [max_idle_conns: <int> | default = 16]

      # The maximum size of an item stored in memcached. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -frontend.memcached.max-item-size
      [max_item_size: <int> | default = 0]

      # Period with which to poll DNS for memcache servers.
      # CLI flag: -frontend.memcached.update-interval
      [update_interval: <duration> | default = 1m]

      # Use consistent hashing to distribute to memcache servers.
      # CLI flag: -frontend.memcached.consistent-hash
      [consistent_hash: <boolean> | default = true]

      # Trip circuit-breaker after this number of consecutive dial failures (if
      # zero then circuit-breaker is disabled).
      # CLI flag: -frontend.memcached.circuit-breaker-consecutive-failures
      [circuit_breaker_consecutive_failures: <int> | default = 10]

      # Duration circuit-breaker remains open after tripping (if zero then 60
      # seconds is used).
      # CLI flag: -frontend.memcached.circuit-breaker-timeout
      [circuit_breaker_timeout: <duration> | default = 10s]

      # Reset circuit-breaker counts after this long (if zero then never reset).
      # CLI flag: -frontend.memcached.circuit-breaker-interval
      [circuit_breaker_interval: <duration> | default = 10s]

    redis:
      # Redis Server endpoint to use for caching. A comma-separated list of
      # endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will
      # be used.
      # CLI flag: -frontend.redis.endpoint
      [endpoint: <string> | default = ""]

      # Redis Sentinel master name. An empty string for Redis Server or Redis
      # Cluster.
      # CLI flag: -frontend.redis.master-name
      [master_name: <string> | default = ""]

      # Maximum time to wait before giving up on redis requests.
      # CLI flag: -frontend.redis.timeout
      [timeout: <duration> | default = 500ms]

      # How long keys stay in the redis.
      # CLI flag: -frontend.redis.expiration
      [expiration: <duration> | default = 0s]

      # Database index.
      # CLI flag: -frontend.redis.db
      [db: <int> | default = 0]

      # Maximum number of connections in the pool.
      # CLI flag: -frontend.redis.pool-size
      [pool_size: <int> | default = 0]

      # Password to use when connecting to redis.
      # CLI flag: -frontend.redis.password
      [password: <string> | default = ""]

      # Enable connecting to redis with TLS.
      # CLI flag: -frontend.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Skip validating server certificate.
      # CLI flag: -frontend.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Close connections after remaining idle for this duration. If the value
      # is zero, then idle connections are not closed.
      # CLI flag: -frontend.redis.idle-timeout
      [idle_timeout: <duration> | default = 0s]

      # Close connections older than this duration. If the value is zero, then
      # the pool does not close connections based on age.
      # CLI flag: -frontend.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

    fifocache:
      # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB)
      # may be applied.
      # CLI flag: -frontend.fifocache.max-size-bytes
      [max_size_bytes: <string> | default = ""]

      # Maximum number of entries in the cache.
      # CLI flag: -frontend.fifocache.max-size-items
      [max_size_items: <int> | default = 0]

      # The expiry duration for the cache.
      # CLI flag: -frontend.fifocache.duration
      [validity: <duration> | default = 0s]

      # Deprecated (use max-size-items or max-size-bytes instead): The number of
      # entries to cache.
      # CLI flag: -frontend.fifocache.size
      [size: <int> | default = 0]

  # Use compression in results cache. Supported values are: 'snappy' and ''
  # (disable compression).
  # CLI flag: -frontend.compression
  [compression: <string> | default = ""]

# Cache query results.
# CLI flag: -querier.cache-results
[cache_results: <boolean> | default = false]

# Maximum number of retries for a single request; beyond this, the downstream
# error is returned.
# CLI flag: -querier.max-retries-per-request
[max_retries: <int> | default = 5]

# Perform query parallelizations based on storage sharding configuration and
# query ASTs. This feature is supported only by the blocks storage engine.
# CLI flag: -query-frontend.parallelize-shardable-queries
[parallelize_shardable_queries: <boolean> | default = false]

# Cache requests that are not step-aligned.
# CLI flag: -query-frontend.cache-unaligned-requests
[cache_unaligned_requests: <boolean> | default = false]
```

### ruler\_config

The `ruler_config` configures the GEM ruler.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# URL of alerts return path.
# CLI flag: -ruler.external.url
[external_url: <url> | default = ]

ruler_client:
  # gRPC client max receive message size (bytes).
  # CLI flag: -ruler.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -ruler.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -ruler.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ruler.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -ruler.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -ruler.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -ruler.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -ruler.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -ruler.client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -ruler.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ruler.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ruler.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ruler.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ruler.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# How frequently to evaluate rules
# CLI flag: -ruler.evaluation-interval
[evaluation_interval: <duration> | default = 1m]

# How frequently to poll for rule changes
# CLI flag: -ruler.poll-interval
[poll_interval: <duration> | default = 1m]

# Deprecated. Use -ruler-storage.* CLI flags and their respective YAML config
# options instead.
storage:
  # Method to use for backend rule storage (azure, gcs, s3, swift, local)
  # CLI flag: -ruler.storage.type
  [type: <string> | default = "local"]

  azure:
    # Azure Cloud environment. Supported values are: AzureGlobal,
    # AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
    # CLI flag: -ruler.storage.azure.environment
    [environment: <string> | default = "AzureGlobal"]

    # Name of the blob container used to store chunks. This container must be
    # created prior to execution.
    # CLI flag: -ruler.storage.azure.container-name
    [container_name: <string> | default = "cortex"]

    # The Microsoft Azure account name to be used
    # CLI flag: -ruler.storage.azure.account-name
    [account_name: <string> | default = ""]

    # The Microsoft Azure account key to use.
    # CLI flag: -ruler.storage.azure.account-key
    [account_key: <string> | default = ""]

    # Preallocated buffer size for downloads.
    # CLI flag: -ruler.storage.azure.download-buffer-size
    [download_buffer_size: <int> | default = 512000]

    # Preallocated buffer size for uploads.
    # CLI flag: -ruler.storage.azure.upload-buffer-size
    [upload_buffer_size: <int> | default = 256000]

    # Number of buffers used to used to upload a chunk.
    # CLI flag: -ruler.storage.azure.download-buffer-count
    [upload_buffer_count: <int> | default = 1]

    # Timeout for requests made against azure blob storage.
    # CLI flag: -ruler.storage.azure.request-timeout
    [request_timeout: <duration> | default = 30s]

    # Number of retries for a request which times out.
    # CLI flag: -ruler.storage.azure.max-retries
    [max_retries: <int> | default = 5]

    # Minimum time to wait before retrying a request.
    # CLI flag: -ruler.storage.azure.min-retry-delay
    [min_retry_delay: <duration> | default = 10ms]

    # Maximum time to wait before retrying a request.
    # CLI flag: -ruler.storage.azure.max-retry-delay
    [max_retry_delay: <duration> | default = 500ms]

  gcs:
    # Name of GCS bucket. Please refer to
    # https://cloud.google.com/docs/authentication/production for more
    # information about how to configure authentication.
    # CLI flag: -ruler.storage.gcs.bucketname
    [bucket_name: <string> | default = ""]

    # The size of the buffer that GCS client for each PUT request. 0 to disable
    # buffering.
    # CLI flag: -ruler.storage.gcs.chunk-buffer-size
    [chunk_buffer_size: <int> | default = 0]

    # The duration after which the requests to GCS should be timed out.
    # CLI flag: -ruler.storage.gcs.request-timeout
    [request_timeout: <duration> | default = 0s]

    # Enabled OpenCensus (OC) instrumentation for all requests.
    # CLI flag: -ruler.storage.gcs.enable-opencensus
    [enable_opencensus: <boolean> | default = true]

  s3:
    # S3 endpoint URL with escaped Key and Secret encoded. If only region is
    # specified as a host, proper endpoint will be deduced. Use
    # inmemory:///<bucket-name> to use a mock in-memory implementation.
    # CLI flag: -ruler.storage.s3.url
    [s3: <url> | default = ]

    # Set this to `true` to force the request to use path-style addressing.
    # CLI flag: -ruler.storage.s3.force-path-style
    [s3forcepathstyle: <boolean> | default = false]

    # Comma separated list of bucket names to evenly distribute chunks over.
    # Overrides any buckets specified in s3.url flag
    # CLI flag: -ruler.storage.s3.buckets
    [bucketnames: <string> | default = ""]

    # S3 Endpoint to connect to.
    # CLI flag: -ruler.storage.s3.endpoint
    [endpoint: <string> | default = ""]

    # AWS region to use.
    # CLI flag: -ruler.storage.s3.region
    [region: <string> | default = ""]

    # AWS Access Key ID
    # CLI flag: -ruler.storage.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # AWS Secret Access Key
    # CLI flag: -ruler.storage.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # Disable https on s3 connection.
    # CLI flag: -ruler.storage.s3.insecure
    [insecure: <boolean> | default = false]

    # Enable AWS Server Side Encryption [Deprecated: Use .sse instead. if
    # s3.sse-encryption is enabled, it assumes .sse.type SSE-S3]
    # CLI flag: -ruler.storage.s3.sse-encryption
    [sse_encryption: <boolean> | default = false]

    http_config:
      # The maximum amount of time an idle connection will be held open.
      # CLI flag: -ruler.storage.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # If non-zero, specifies the amount of time to wait for a server's
      # response headers after fully writing the request.
      # CLI flag: -ruler.storage.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 0s]

      # Set to false to skip verifying the certificate chain and hostname.
      # CLI flag: -ruler.storage.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -ruler.storage.s3.signature-version
    [signature_version: <string> | default = "v4"]

    # The s3_sse_config configures the S3 server-side encryption.
    # The CLI flags prefix for this block config is: ruler.storage
    [sse: <s3_sse_config>]

  swift:
    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -ruler.storage.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -ruler.storage.swift.auth-url
    [auth_url: <string> | default = ""]

    # OpenStack Swift username.
    # CLI flag: -ruler.storage.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -ruler.storage.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -ruler.storage.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -ruler.storage.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -ruler.storage.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -ruler.storage.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -ruler.storage.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs the from user domain.
    # CLI flag: -ruler.storage.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -ruler.storage.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -ruler.storage.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -ruler.storage.swift.container-name
    [container_name: <string> | default = ""]

    # Max retries on requests error.
    # CLI flag: -ruler.storage.swift.max-retries
    [max_retries: <int> | default = 3]

    # Time after which a connection attempt is aborted.
    # CLI flag: -ruler.storage.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # Time after which an idle request is aborted. The timeout watchdog is reset
    # each time some data is received, so the timeout triggers after X time no
    # data is received on a request.
    # CLI flag: -ruler.storage.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

  local:
    # Directory to scan for rules
    # CLI flag: -ruler.storage.local.directory
    [directory: <string> | default = ""]

# file path to store temporary rule files for the prometheus rule managers
# CLI flag: -ruler.rule-path
[rule_path: <string> | default = "/rules"]

# Comma-separated list of URL(s) of the Alertmanager(s) to send notifications
# to. Each Alertmanager URL is treated as a separate group in the configuration.
# Multiple Alertmanagers in HA per group can be supported by using DNS
# resolution via -ruler.alertmanager-discovery.
# CLI flag: -ruler.alertmanager-url
[alertmanager_url: <string> | default = ""]

# Use DNS SRV records to discover Alertmanager hosts.
# CLI flag: -ruler.alertmanager-discovery
[enable_alertmanager_discovery: <boolean> | default = false]

# How long to wait between refreshing DNS resolutions of Alertmanager hosts.
# CLI flag: -ruler.alertmanager-refresh-interval
[alertmanager_refresh_interval: <duration> | default = 1m]

# If enabled requests to Alertmanager will utilize the V2 API.
# CLI flag: -ruler.alertmanager-use-v2
[enable_alertmanager_v2: <boolean> | default = false]

# Capacity of the queue for notifications to be sent to the Alertmanager.
# CLI flag: -ruler.notification-queue-capacity
[notification_queue_capacity: <int> | default = 10000]

# HTTP timeout duration when sending notifications to the Alertmanager.
# CLI flag: -ruler.notification-timeout
[notification_timeout: <duration> | default = 10s]

alertmanager_client:
  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ruler.alertmanager-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # HTTP Basic authentication username. It overrides the username set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-username
  [basic_auth_username: <string> | default = ""]

  # HTTP Basic authentication password. It overrides the password set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-password
  [basic_auth_password: <string> | default = ""]

# Max time to tolerate outage for restoring "for" state of alert.
# CLI flag: -ruler.for-outage-tolerance
[for_outage_tolerance: <duration> | default = 1h]

# Minimum duration between alert and restored "for" state. This is maintained
# only for alerts with configured "for" time greater than grace period.
# CLI flag: -ruler.for-grace-period
[for_grace_period: <duration> | default = 10m]

# Minimum amount of time to wait before resending an alert to Alertmanager.
# CLI flag: -ruler.resend-delay
[resend_delay: <duration> | default = 1m]

# Distribute rule evaluation using ring backend
# CLI flag: -ruler.enable-sharding
[enable_sharding: <boolean> | default = false]

# The sharding strategy to use. Supported values are: default, shuffle-sharding.
# CLI flag: -ruler.sharding-strategy
[sharding_strategy: <string> | default = "default"]

# Time to spend searching for a pending ruler when shutting down.
# CLI flag: -ruler.search-pending-for
[search_pending_for: <duration> | default = 5m]

ring:
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -ruler.ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -ruler.ring.prefix
    [prefix: <string> | default = "rulers/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: ruler.ring
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: ruler.ring
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -ruler.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # The heartbeat timeout after which rulers are considered unhealthy within the
  # ring. 0 = never (timeout disabled).
  # CLI flag: -ruler.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Name of network interface to read address from.
  # CLI flag: -ruler.ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # Number of tokens for each ruler.
  # CLI flag: -ruler.ring.num-tokens
  [num_tokens: <int> | default = 128]

# Period with which to attempt to flush rule groups.
# CLI flag: -ruler.flush-period
[flush_period: <duration> | default = 1m]

# Enable the ruler api
# CLI flag: -experimental.ruler.enable-api
[enable_api: <boolean> | default = false]

# Comma separated list of tenants whose rules this ruler can evaluate. If
# specified, only these tenants will be handled by ruler, otherwise this ruler
# can process rules from all tenants. Subject to sharding.
# CLI flag: -ruler.enabled-tenants
[enabled_tenants: <string> | default = ""]

# Comma separated list of tenants whose rules this ruler cannot evaluate. If
# specified, a ruler that would normally pick the specified tenant(s) for
# processing will ignore them instead. Subject to sharding.
# CLI flag: -ruler.disabled-tenants
[disabled_tenants: <string> | default = ""]

# Report the wall time for ruler queries to complete as a per user metric and as
# an info level log message.
# CLI flag: -ruler.query-stats-enabled
[query_stats_enabled: <boolean> | default = false]

remote_write:
  # Directory to store WAL (for Ruler Remote Write).
  # CLI flag: -ruler.remote-write.wal-dir
  [wal_dir: <string> | default = "wal"]

  # Enable remote write rules for the Ruler.
  # CLI flag: -ruler.remote-write.enabled
  [enabled: <boolean> | default = false]

  # Frequency for truncating WAL
  # CLI flag: -ruler.remote-write.wal-truncate-frequency
  [wal_truncate_frequency: <duration> | default = 1h]

  # Minimum time to stay in WAL
  # CLI flag: -ruler.remote-write.min-wal-time
  [min_wal_time: <duration> | default = 5m]

  # Maximum time to stay in WAL
  # CLI flag: -ruler.remote-write.max-wal-time
  [max_wal_time: <duration> | default = 4h]
```

### ruler\_storage\_config

The `ruler_storage_config` configures the GEM ruler storage backend.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem, local.
# CLI flag: -ruler-storage.backend
[backend: <string> | default = "s3"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -ruler-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -ruler-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -ruler-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -ruler-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -ruler-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # If enabled, use http:// for the S3 endpoint instead of https://. This could
  # be useful in local dev/test environments while using an S3-compatible
  # backend storage, like Minio.
  # CLI flag: -ruler-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # The signature version to use for authenticating against S3. Supported values
  # are: v4, v2.
  # CLI flag: -ruler-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # The s3_sse_config configures the S3 server-side encryption.
  # The CLI flags prefix for this block config is: ruler-storage
  [sse: <s3_sse_config>]

  http:
    # The time an idle connection will remain idle before closing.
    # CLI flag: -ruler-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # The amount of time the client will wait for a servers response headers.
    # CLI flag: -ruler-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # If the client connects to S3 via HTTPS and this option is enabled, the
    # client will accept any certificate and hostname.
    # CLI flag: -ruler-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -ruler-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # The time to wait for a server's first response headers after fully writing
    # the request headers if the request has an Expect header. 0 to send the
    # request body immediately.
    # CLI flag: -ruler-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # Maximum number of idle (keep-alive) connections across all hosts. 0 means
    # no limit.
    # CLI flag: -ruler-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a
    # built-in default value is used.
    # CLI flag: -ruler-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # Maximum number of connections per host. 0 means no limit.
    # CLI flag: -ruler-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

gcs:
  # GCS bucket name
  # CLI flag: -ruler-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON representing either a Google Developers Console client_credentials.json
  # file or a Google Developers service account key file. If empty, fallback to
  # Google default logic.
  # CLI flag: -ruler-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -ruler-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key
  # CLI flag: -ruler-storage.azure.account-key
  [account_key: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -ruler-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN
  # CLI flag: -ruler-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # Number of retries for recoverable errors
  # CLI flag: -ruler-storage.azure.max-retries
  [max_retries: <int> | default = 20]

swift:
  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -ruler-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -ruler-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -ruler-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -ruler-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -ruler-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -ruler-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -ruler-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -ruler-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -ruler-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs the from user domain.
  # CLI flag: -ruler-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -ruler-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -ruler-storage.swift.container-name
  [container_name: <string> | default = ""]

  # Max retries on requests error.
  # CLI flag: -ruler-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # Time after which a connection attempt is aborted.
  # CLI flag: -ruler-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # Time after which an idle request is aborted. The timeout watchdog is reset
  # each time some data is received, so the timeout triggers after X time no
  # data is received on a request.
  # CLI flag: -ruler-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -ruler-storage.filesystem.dir
  [dir: <string> | default = ""]

local:
  # Directory to scan for rules
  # CLI flag: -ruler-storage.local.directory
  [directory: <string> | default = ""]
```

### alertmanager\_config

The `alertmanager_config` configures the GEM alertmanager.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Base path for data storage.
# CLI flag: -alertmanager.storage.path
[data_dir: <string> | default = "data/"]

# How long to keep data for.
# CLI flag: -alertmanager.storage.retention
[retention: <duration> | default = 120h]

# The URL under which Alertmanager is externally reachable (for example, if
# Alertmanager is served via a reverse proxy). Used for generating relative and
# absolute links back to Alertmanager itself. If the URL has a path portion, it
# will be used to prefix all HTTP endpoints served by Alertmanager. If omitted,
# relevant URL components will be derived automatically.
# CLI flag: -alertmanager.web.external-url
[external_url: <url> | default = ]

# How frequently to poll Alertmanager configs.
# CLI flag: -alertmanager.configs.poll-interval
[poll_interval: <duration> | default = 15s]

# Maximum size (bytes) of an accepted HTTP request body.
# CLI flag: -alertmanager.max-recv-msg-size
[max_recv_msg_size: <int> | default = 16777216]

# Shard tenants across multiple alertmanager instances.
# CLI flag: -alertmanager.sharding-enabled
[sharding_enabled: <boolean> | default = false]

sharding_ring:
  # The key-value store used to share the hash ring across multiple instances.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -alertmanager.sharding-ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -alertmanager.sharding-ring.prefix
    [prefix: <string> | default = "alertmanagers/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: alertmanager.sharding-ring
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: alertmanager.sharding-ring
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -alertmanager.sharding-ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -alertmanager.sharding-ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -alertmanager.sharding-ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -alertmanager.sharding-ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -alertmanager.sharding-ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # The heartbeat timeout after which alertmanagers are considered unhealthy
  # within the ring. 0 = never (timeout disabled).
  # CLI flag: -alertmanager.sharding-ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # The replication factor to use when sharding the alertmanager.
  # CLI flag: -alertmanager.sharding-ring.replication-factor
  [replication_factor: <int> | default = 3]

  # True to enable zone-awareness and replicate alerts across different
  # availability zones.
  # CLI flag: -alertmanager.sharding-ring.zone-awareness-enabled
  [zone_awareness_enabled: <boolean> | default = false]

  # Name of network interface to read address from.
  # CLI flag: -alertmanager.sharding-ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # The availability zone where this instance is running. Required if
  # zone-awareness is enabled.
  # CLI flag: -alertmanager.sharding-ring.instance-availability-zone
  [instance_availability_zone: <string> | default = ""]

# Filename of fallback config to use if none specified for instance.
# CLI flag: -alertmanager.configs.fallback
[fallback_config_file: <string> | default = ""]

# Root of URL to generate if config is http://internal.monitor
# CLI flag: -alertmanager.configs.auto-webhook-root
[auto_webhook_root: <string> | default = ""]

# Deprecated. Use -alertmanager-storage.* CLI flags and their respective YAML
# config options instead.
storage:
  # Type of backend to use to store alertmanager configs. Supported values are:
  # "gcs", "s3", "local".
  # CLI flag: -alertmanager.storage.type
  [type: <string> | default = "local"]

  azure:
    # Azure Cloud environment. Supported values are: AzureGlobal,
    # AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
    # CLI flag: -alertmanager.storage.azure.environment
    [environment: <string> | default = "AzureGlobal"]

    # Name of the blob container used to store chunks. This container must be
    # created prior to execution.
    # CLI flag: -alertmanager.storage.azure.container-name
    [container_name: <string> | default = "cortex"]

    # The Microsoft Azure account name to be used
    # CLI flag: -alertmanager.storage.azure.account-name
    [account_name: <string> | default = ""]

    # The Microsoft Azure account key to use.
    # CLI flag: -alertmanager.storage.azure.account-key
    [account_key: <string> | default = ""]

    # Preallocated buffer size for downloads.
    # CLI flag: -alertmanager.storage.azure.download-buffer-size
    [download_buffer_size: <int> | default = 512000]

    # Preallocated buffer size for uploads.
    # CLI flag: -alertmanager.storage.azure.upload-buffer-size
    [upload_buffer_size: <int> | default = 256000]

    # Number of buffers used to used to upload a chunk.
    # CLI flag: -alertmanager.storage.azure.download-buffer-count
    [upload_buffer_count: <int> | default = 1]

    # Timeout for requests made against azure blob storage.
    # CLI flag: -alertmanager.storage.azure.request-timeout
    [request_timeout: <duration> | default = 30s]

    # Number of retries for a request which times out.
    # CLI flag: -alertmanager.storage.azure.max-retries
    [max_retries: <int> | default = 5]

    # Minimum time to wait before retrying a request.
    # CLI flag: -alertmanager.storage.azure.min-retry-delay
    [min_retry_delay: <duration> | default = 10ms]

    # Maximum time to wait before retrying a request.
    # CLI flag: -alertmanager.storage.azure.max-retry-delay
    [max_retry_delay: <duration> | default = 500ms]

  gcs:
    # Name of GCS bucket. Please refer to
    # https://cloud.google.com/docs/authentication/production for more
    # information about how to configure authentication.
    # CLI flag: -alertmanager.storage.gcs.bucketname
    [bucket_name: <string> | default = ""]

    # The size of the buffer that GCS client for each PUT request. 0 to disable
    # buffering.
    # CLI flag: -alertmanager.storage.gcs.chunk-buffer-size
    [chunk_buffer_size: <int> | default = 0]

    # The duration after which the requests to GCS should be timed out.
    # CLI flag: -alertmanager.storage.gcs.request-timeout
    [request_timeout: <duration> | default = 0s]

    # Enabled OpenCensus (OC) instrumentation for all requests.
    # CLI flag: -alertmanager.storage.gcs.enable-opencensus
    [enable_opencensus: <boolean> | default = true]

  s3:
    # S3 endpoint URL with escaped Key and Secret encoded. If only region is
    # specified as a host, proper endpoint will be deduced. Use
    # inmemory:///<bucket-name> to use a mock in-memory implementation.
    # CLI flag: -alertmanager.storage.s3.url
    [s3: <url> | default = ]

    # Set this to `true` to force the request to use path-style addressing.
    # CLI flag: -alertmanager.storage.s3.force-path-style
    [s3forcepathstyle: <boolean> | default = false]

    # Comma separated list of bucket names to evenly distribute chunks over.
    # Overrides any buckets specified in s3.url flag
    # CLI flag: -alertmanager.storage.s3.buckets
    [bucketnames: <string> | default = ""]

    # S3 Endpoint to connect to.
    # CLI flag: -alertmanager.storage.s3.endpoint
    [endpoint: <string> | default = ""]

    # AWS region to use.
    # CLI flag: -alertmanager.storage.s3.region
    [region: <string> | default = ""]

    # AWS Access Key ID
    # CLI flag: -alertmanager.storage.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # AWS Secret Access Key
    # CLI flag: -alertmanager.storage.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # Disable https on s3 connection.
    # CLI flag: -alertmanager.storage.s3.insecure
    [insecure: <boolean> | default = false]

    # Enable AWS Server Side Encryption [Deprecated: Use .sse instead. if
    # s3.sse-encryption is enabled, it assumes .sse.type SSE-S3]
    # CLI flag: -alertmanager.storage.s3.sse-encryption
    [sse_encryption: <boolean> | default = false]

    http_config:
      # The maximum amount of time an idle connection will be held open.
      # CLI flag: -alertmanager.storage.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # If non-zero, specifies the amount of time to wait for a server's
      # response headers after fully writing the request.
      # CLI flag: -alertmanager.storage.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 0s]

      # Set to false to skip verifying the certificate chain and hostname.
      # CLI flag: -alertmanager.storage.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -alertmanager.storage.s3.signature-version
    [signature_version: <string> | default = "v4"]

    # The s3_sse_config configures the S3 server-side encryption.
    # The CLI flags prefix for this block config is: alertmanager.storage
    [sse: <s3_sse_config>]

  local:
    # Path at which alertmanager configurations are stored.
    # CLI flag: -alertmanager.storage.local.path
    [path: <string> | default = ""]

cluster:
  # Listen address and port for the cluster. Not specifying this flag disables
  # high-availability mode.
  # CLI flag: -alertmanager.cluster.listen-address
  [listen_address: <string> | default = "0.0.0.0:9094"]

  # Explicit address or hostname to advertise in cluster.
  # CLI flag: -alertmanager.cluster.advertise-address
  [advertise_address: <string> | default = ""]

  # Comma-separated list of initial peers.
  # CLI flag: -alertmanager.cluster.peers
  [peers: <string> | default = ""]

  # Time to wait between peers to send notifications.
  # CLI flag: -alertmanager.cluster.peer-timeout
  [peer_timeout: <duration> | default = 15s]

  # The interval between sending gossip messages. By lowering this value (more
  # frequent) gossip messages are propagated across cluster more quickly at the
  # expense of increased bandwidth usage.
  # CLI flag: -alertmanager.cluster.gossip-interval
  [gossip_interval: <duration> | default = 200ms]

  # The interval between gossip state syncs. Setting this interval lower (more
  # frequent) will increase convergence speeds across larger clusters at the
  # expense of increased bandwidth usage.
  # CLI flag: -alertmanager.cluster.push-pull-interval
  [push_pull_interval: <duration> | default = 1m]

# Enable the experimental alertmanager config api.
# CLI flag: -experimental.alertmanager.enable-api
[enable_api: <boolean> | default = false]

alertmanager_client:
  # Timeout for downstream alertmanagers.
  # CLI flag: -alertmanager.alertmanager-client.remote-timeout
  [remote_timeout: <duration> | default = 2s]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -alertmanager.alertmanager-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -alertmanager.alertmanager-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -alertmanager.alertmanager-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -alertmanager.alertmanager-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -alertmanager.alertmanager-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -alertmanager.alertmanager-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

# The interval between persisting the current alertmanager state (notification
# log and silences) to object storage. This is only used when sharding is
# enabled. This state is read when all replicas for a shard can not be
# contacted. In this scenario, having persisted the state more frequently will
# result in potentially fewer lost silences, and fewer duplicate notifications.
# CLI flag: -alertmanager.persist-interval
[persist_interval: <duration> | default = 15m]
```

### alertmanager\_storage\_config

The `alertmanager_storage_config` configures the GEM alertmanager storage backend.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem, local.
# CLI flag: -alertmanager-storage.backend
[backend: <string> | default = "s3"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -alertmanager-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -alertmanager-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -alertmanager-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -alertmanager-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -alertmanager-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # If enabled, use http:// for the S3 endpoint instead of https://. This could
  # be useful in local dev/test environments while using an S3-compatible
  # backend storage, like Minio.
  # CLI flag: -alertmanager-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # The signature version to use for authenticating against S3. Supported values
  # are: v4, v2.
  # CLI flag: -alertmanager-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # The s3_sse_config configures the S3 server-side encryption.
  # The CLI flags prefix for this block config is: alertmanager-storage
  [sse: <s3_sse_config>]

  http:
    # The time an idle connection will remain idle before closing.
    # CLI flag: -alertmanager-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # The amount of time the client will wait for a servers response headers.
    # CLI flag: -alertmanager-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # If the client connects to S3 via HTTPS and this option is enabled, the
    # client will accept any certificate and hostname.
    # CLI flag: -alertmanager-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -alertmanager-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # The time to wait for a server's first response headers after fully writing
    # the request headers if the request has an Expect header. 0 to send the
    # request body immediately.
    # CLI flag: -alertmanager-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # Maximum number of idle (keep-alive) connections across all hosts. 0 means
    # no limit.
    # CLI flag: -alertmanager-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a
    # built-in default value is used.
    # CLI flag: -alertmanager-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # Maximum number of connections per host. 0 means no limit.
    # CLI flag: -alertmanager-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

gcs:
  # GCS bucket name
  # CLI flag: -alertmanager-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON representing either a Google Developers Console client_credentials.json
  # file or a Google Developers service account key file. If empty, fallback to
  # Google default logic.
  # CLI flag: -alertmanager-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -alertmanager-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key
  # CLI flag: -alertmanager-storage.azure.account-key
  [account_key: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -alertmanager-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN
  # CLI flag: -alertmanager-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # Number of retries for recoverable errors
  # CLI flag: -alertmanager-storage.azure.max-retries
  [max_retries: <int> | default = 20]

swift:
  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -alertmanager-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -alertmanager-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -alertmanager-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -alertmanager-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -alertmanager-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -alertmanager-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -alertmanager-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -alertmanager-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -alertmanager-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs the from user domain.
  # CLI flag: -alertmanager-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -alertmanager-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -alertmanager-storage.swift.container-name
  [container_name: <string> | default = ""]

  # Max retries on requests error.
  # CLI flag: -alertmanager-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # Time after which a connection attempt is aborted.
  # CLI flag: -alertmanager-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # Time after which an idle request is aborted. The timeout watchdog is reset
  # each time some data is received, so the timeout triggers after X time no
  # data is received on a request.
  # CLI flag: -alertmanager-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -alertmanager-storage.filesystem.dir
  [dir: <string> | default = ""]

local:
  # Path at which alertmanager configurations are stored.
  # CLI flag: -alertmanager-storage.local.path
  [path: <string> | default = ""]
```

### ingester\_client\_config

The `ingester_client_config` configures how the GEM distributors connect to the ingesters.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -ingester.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -ingester.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -ingester.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ingester.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -ingester.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -ingester.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -ingester.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -ingester.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -ingester.client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -ingester.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -ingester.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -ingester.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -ingester.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -ingester.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -ingester.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]
```

### frontend\_worker\_config

The `frontend_worker_config` configures the worker - running within the GEM querier - picking up and executing queries enqueued by the query-frontend or query-scheduler.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Address of query frontend service, in host:port format. If
# -querier.scheduler-address is set as well, querier will use scheduler instead.
# Only one of -querier.frontend-address or -querier.scheduler-address can be
# set. If neither is set, queries are only received via HTTP endpoint.
# CLI flag: -querier.frontend-address
[frontend_address: <string> | default = ""]

# Hostname (and port) of scheduler that querier will periodically resolve,
# connect to and receive queries from. Only one of -querier.frontend-address or
# -querier.scheduler-address can be set. If neither is set, queries are only
# received via HTTP endpoint.
# CLI flag: -querier.scheduler-address
[scheduler_address: <string> | default = ""]

# How often to query DNS for query-frontend or query-scheduler address.
# CLI flag: -querier.dns-lookup-period
[dns_lookup_duration: <duration> | default = 10s]

# Number of simultaneous queries to process per query-frontend or
# query-scheduler.
# CLI flag: -querier.worker-parallelism
[parallelism: <int> | default = 10]

# Force worker concurrency to match the -querier.max-concurrent option.
# Overrides querier.worker-parallelism.
# CLI flag: -querier.worker-match-max-concurrent
[match_max_concurrent: <boolean> | default = false]

# Querier ID, sent to frontend service to identify requests from the same
# querier. Defaults to hostname.
# CLI flag: -querier.id
[id: <string> | default = ""]

grpc_client_config:
  # gRPC client max receive message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # gRPC client max send message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 16777216]

  # Use compression when sending messages. Supported values are: 'gzip',
  # 'snappy' and '' (disable compression)
  # CLI flag: -querier.frontend-client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # Rate limit burst for gRPC client.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # Enable backoff and retry when we hit ratelimits.
  # CLI flag: -querier.frontend-client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # Minimum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -querier.frontend-client.backoff-retries
    [max_retries: <int> | default = 10]

  # Enable TLS in the GRPC client. This flag needs to be enabled when any other
  # TLS flag is set. If set to false, insecure connection to gRPC server will be
  # used.
  # CLI flag: -querier.frontend-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate file, which will be used for authenticating
  # with the server. Also requires the key path to be configured.
  # CLI flag: -querier.frontend-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key file for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -querier.frontend-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates file to validate server certificate against. If
  # not set, the host's root CA certificates are used.
  # CLI flag: -querier.frontend-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -querier.frontend-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -querier.frontend-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]
```

### etcd\_config

The `etcd_config` configures the etcd client. The supported CLI flags `<prefix>` used to reference this config block are:

- *no prefix*
- `admin-api.leader-election.ring`
- `alertmanager.sharding-ring`
- `compactor.ring`
- `distributor.ha-tracker`
- `distributor.ring`
- `ruler.ring`
- `store-gateway.sharding-ring`

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# The etcd endpoints to connect to.
# CLI flag: -<prefix>.etcd.endpoints
[endpoints: <list of string> | default = []]

# The dial timeout for the etcd connection.
# CLI flag: -<prefix>.etcd.dial-timeout
[dial_timeout: <duration> | default = 10s]

# The maximum number of retries to do for failed ops.
# CLI flag: -<prefix>.etcd.max-retries
[max_retries: <int> | default = 10]

# Enable TLS.
# CLI flag: -<prefix>.etcd.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -<prefix>.etcd.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -<prefix>.etcd.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates file to validate server certificate against. If
# not set, the host's root CA certificates are used.
# CLI flag: -<prefix>.etcd.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -<prefix>.etcd.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -<prefix>.etcd.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# Etcd username.
# CLI flag: -<prefix>.etcd.username
[username: <string> | default = ""]

# Etcd password.
# CLI flag: -<prefix>.etcd.password
[password: <string> | default = ""]
```

### consul\_config

The `consul_config` configures the consul client. The supported CLI flags `<prefix>` used to reference this config block are:

- *no prefix*
- `admin-api.leader-election.ring`
- `alertmanager.sharding-ring`
- `compactor.ring`
- `distributor.ha-tracker`
- `distributor.ring`
- `ruler.ring`
- `store-gateway.sharding-ring`

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Hostname and port of Consul.
# CLI flag: -<prefix>.consul.hostname
[host: <string> | default = "localhost:8500"]

# ACL Token used to interact with Consul.
# CLI flag: -<prefix>.consul.acl-token
[acl_token: <string> | default = ""]

# HTTP timeout when talking to Consul
# CLI flag: -<prefix>.consul.client-timeout
[http_client_timeout: <duration> | default = 20s]

# Enable consistent reads to Consul.
# CLI flag: -<prefix>.consul.consistent-reads
[consistent_reads: <boolean> | default = false]

# Rate limit when watching key or prefix in Consul, in requests per second. 0
# disables the rate limit.
# CLI flag: -<prefix>.consul.watch-rate-limit
[watch_rate_limit: <float> | default = 1]

# Burst size used in rate limit. Values less than 1 are treated as 1.
# CLI flag: -<prefix>.consul.watch-burst-size
[watch_burst_size: <int> | default = 1]
```

### memberlist\_config

The `memberlist_config` configures the Gossip memberlist.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Name of the node in memberlist cluster. Defaults to hostname.
# CLI flag: -memberlist.nodename
[node_name: <string> | default = ""]

# Add random suffix to the node name.
# CLI flag: -memberlist.randomize-node-name
[randomize_node_name: <boolean> | default = true]

# The timeout for establishing a connection with a remote node, and for
# read/write operations.
# CLI flag: -memberlist.stream-timeout
[stream_timeout: <duration> | default = 10s]

# Multiplication factor used when sending out messages (factor * log(N+1)).
# CLI flag: -memberlist.retransmit-factor
[retransmit_factor: <int> | default = 4]

# How often to use pull/push sync.
# CLI flag: -memberlist.pullpush-interval
[pull_push_interval: <duration> | default = 30s]

# How often to gossip.
# CLI flag: -memberlist.gossip-interval
[gossip_interval: <duration> | default = 200ms]

# How many nodes to gossip to.
# CLI flag: -memberlist.gossip-nodes
[gossip_nodes: <int> | default = 3]

# How long to keep gossiping to dead nodes, to give them chance to refute their
# death.
# CLI flag: -memberlist.gossip-to-dead-nodes-time
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# How soon can dead node's name be reclaimed with new address. 0 to disable.
# CLI flag: -memberlist.dead-node-reclaim-time
[dead_node_reclaim_time: <duration> | default = 0s]

# Enable message compression. This can be used to reduce bandwidth usage at the
# cost of slightly more CPU utilization.
# CLI flag: -memberlist.compression-enabled
[compression_enabled: <boolean> | default = true]

# Gossip address to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-addr
[advertise_addr: <string> | default = ""]

# Gossip port to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-port
[advertise_port: <int> | default = 7946]

# Other cluster members to join. Can be specified multiple times. It can be an
# IP, hostname or an entry specified in the DNS Service Discovery format.
# CLI flag: -memberlist.join
[join_members: <list of string> | default = []]

# Min backoff duration to join other cluster members.
# CLI flag: -memberlist.min-join-backoff
[min_join_backoff: <duration> | default = 1s]

# Max backoff duration to join other cluster members.
# CLI flag: -memberlist.max-join-backoff
[max_join_backoff: <duration> | default = 1m]

# Max number of retries to join other cluster members.
# CLI flag: -memberlist.max-join-retries
[max_join_retries: <int> | default = 10]

# If this node fails to join memberlist cluster, abort.
# CLI flag: -memberlist.abort-if-join-fails
[abort_if_cluster_join_fails: <boolean> | default = true]

# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix
# the cluster split issue, and is harmless otherwise. For example when using
# only few components as a seed nodes (via -memberlist.join), then it's
# recommended to use rejoin. If -memberlist.join points to dynamic service that
# resolves to all gossiping nodes (eg. Kubernetes headless service), then rejoin
# is not needed.
# CLI flag: -memberlist.rejoin-interval
[rejoin_interval: <duration> | default = 0s]

# How long to keep LEFT ingesters in the ring.
# CLI flag: -memberlist.left-ingesters-timeout
[left_ingesters_timeout: <duration> | default = 5m]

# Timeout for leaving memberlist cluster.
# CLI flag: -memberlist.leave-timeout
[leave_timeout: <duration> | default = 5s]

# How much space to use for keeping received and sent messages in memory for
# troubleshooting (two buffers). 0 to disable.
# CLI flag: -memberlist.message-history-buffer-bytes
[message_history_buffer_bytes: <int> | default = 0]

# IP address to listen on for gossip messages. Multiple addresses may be
# specified. Defaults to 0.0.0.0
# CLI flag: -memberlist.bind-addr
[bind_addr: <list of string> | default = []]

# Port to listen on for gossip messages.
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# Timeout used when connecting to other nodes to send packet.
# CLI flag: -memberlist.packet-dial-timeout
[packet_dial_timeout: <duration> | default = 5s]

# Timeout for writing 'packet' data.
# CLI flag: -memberlist.packet-write-timeout
[packet_write_timeout: <duration> | default = 5s]

# Enable TLS on the memberlist transport layer.
# CLI flag: -memberlist.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -memberlist.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -memberlist.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates file to validate server certificate against. If
# not set, the host's root CA certificates are used.
# CLI flag: -memberlist.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -memberlist.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -memberlist.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
```

### limits\_config

The `limits_config` configures default and per-tenant limits imposed by GEM services (ie. distributor, ingester, …).

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Per-user ingestion rate limit in samples per second.
# CLI flag: -distributor.ingestion-rate-limit
[ingestion_rate: <float> | default = 25000]

# Whether the ingestion rate limit should be applied individually to each
# distributor instance (local), or evenly shared across the cluster (global).
# CLI flag: -distributor.ingestion-rate-limit-strategy
[ingestion_rate_strategy: <string> | default = "local"]

# Per-user allowed ingestion burst size (in number of samples).
# CLI flag: -distributor.ingestion-burst-size
[ingestion_burst_size: <int> | default = 50000]

# Flag to enable, for all users, handling of samples with external labels
# identifying replicas in an HA Prometheus setup.
# CLI flag: -distributor.ha-tracker.enable-for-all-users
[accept_ha_samples: <boolean> | default = false]

# Prometheus label to look for in samples to identify a Prometheus HA cluster.
# CLI flag: -distributor.ha-tracker.cluster
[ha_cluster_label: <string> | default = "cluster"]

# Prometheus label to look for in samples to identify a Prometheus HA replica.
# CLI flag: -distributor.ha-tracker.replica
[ha_replica_label: <string> | default = "__replica__"]

# Maximum number of clusters that HA tracker will keep track of for single user.
# 0 to disable the limit.
# CLI flag: -distributor.ha-tracker.max-clusters
[ha_max_clusters: <int> | default = 0]

# This flag can be used to specify label names that to drop during sample
# ingestion within the distributor and can be repeated in order to drop multiple
# labels.
# CLI flag: -distributor.drop-label
[drop_labels: <list of string> | default = []]

# Maximum length accepted for label names
# CLI flag: -validation.max-length-label-name
[max_label_name_length: <int> | default = 1024]

# Maximum length accepted for label value. This setting also applies to the
# metric name
# CLI flag: -validation.max-length-label-value
[max_label_value_length: <int> | default = 2048]

# Maximum number of label names per series.
# CLI flag: -validation.max-label-names-per-series
[max_label_names_per_series: <int> | default = 30]

# Maximum length accepted for metric metadata. Metadata refers to Metric Name,
# HELP and UNIT.
# CLI flag: -validation.max-metadata-length
[max_metadata_length: <int> | default = 1024]

# Reject old samples.
# CLI flag: -validation.reject-old-samples
[reject_old_samples: <boolean> | default = false]

# Maximum accepted sample age before rejecting.
# CLI flag: -validation.reject-old-samples.max-age
[reject_old_samples_max_age: <duration> | default = 2w]

# Duration which table will be created/deleted before/after it's needed; we
# won't accept sample from before this time.
# CLI flag: -validation.create-grace-period
[creation_grace_period: <duration> | default = 10m]

# Enforce every metadata has a metric name.
# CLI flag: -validation.enforce-metadata-metric-name
[enforce_metadata_metric_name: <boolean> | default = true]

# Enforce every sample has a metric name.
# CLI flag: -validation.enforce-metric-name
[enforce_metric_name: <boolean> | default = true]

# The tenant's shard size when the shuffle-sharding strategy is used. Must be
# set both on ingesters and distributors. When this setting is specified in the
# per-tenant overrides, a value of 0 disables shuffle sharding for the tenant.
# CLI flag: -distributor.ingestion-tenant-shard-size
[ingestion_tenant_shard_size: <int> | default = 0]

# List of metric relabel configurations. Note that in most situations, it is
# more effective to use metrics relabeling directly in the Prometheus server,
# e.g. remote_write.write_relabel_configs.
[metric_relabel_configs: <relabel_config...> | default = []]

# The maximum number of series for which a query can fetch samples from each
# ingester. This limit is enforced only in the ingesters (when querying samples
# not flushed to the storage yet) and it's a per-instance limit. This limit is
# ignored when using blocks storage. When running with blocks storage use
# -querier.max-fetched-series-per-query limit instead.
# CLI flag: -ingester.max-series-per-query
[max_series_per_query: <int> | default = 100000]

# The maximum number of active series per user, per ingester. 0 to disable.
# CLI flag: -ingester.max-series-per-user
[max_series_per_user: <int> | default = 5000000]

# The maximum number of active series per metric name, per ingester. 0 to
# disable.
# CLI flag: -ingester.max-series-per-metric
[max_series_per_metric: <int> | default = 50000]

# The maximum number of active series per user, across the cluster before
# replication. 0 to disable. Supported only if -distributor.shard-by-all-labels
# is true.
# CLI flag: -ingester.max-global-series-per-user
[max_global_series_per_user: <int> | default = 0]

# The maximum number of active series per metric name, across the cluster before
# replication. 0 to disable.
# CLI flag: -ingester.max-global-series-per-metric
[max_global_series_per_metric: <int> | default = 0]

# Minimum number of samples in an idle chunk to flush it to the store. Use with
# care, if chunks are less than this size they will be discarded. This option is
# ignored when using blocks storage. 0 to disable.
# CLI flag: -ingester.min-chunk-length
[min_chunk_length: <int> | default = 0]

# The maximum number of active metrics with metadata per user, per ingester. 0
# to disable.
# CLI flag: -ingester.max-metadata-per-user
[max_metadata_per_user: <int> | default = 8000]

# The maximum number of metadata per metric, per ingester. 0 to disable.
# CLI flag: -ingester.max-metadata-per-metric
[max_metadata_per_metric: <int> | default = 10]

# The maximum number of active metrics with metadata per user, across the
# cluster. 0 to disable. Supported only if -distributor.shard-by-all-labels is
# true.
# CLI flag: -ingester.max-global-metadata-per-user
[max_global_metadata_per_user: <int> | default = 0]

# The maximum number of metadata per metric, across the cluster. 0 to disable.
# CLI flag: -ingester.max-global-metadata-per-metric
[max_global_metadata_per_metric: <int> | default = 0]

# The maximum number of exemplars in memory, across the cluster. 0 to disable
# exemplars ingestion.
# CLI flag: -ingester.max-global-exemplars-per-user
[max_global_exemplars_per_user: <int> | default = 0]

# Deprecated. Use -querier.max-fetched-chunks-per-query CLI flag and its
# respective YAML config option instead. Maximum number of chunks that can be
# fetched in a single query. This limit is enforced when fetching chunks from
# the long-term storage only. When using chunks storage, this limit is enforced
# in the querier and ruler, while when using blocks storage this limit is
# enforced in the querier, ruler and store-gateway. 0 to disable.
# CLI flag: -store.query-chunk-limit
[max_chunks_per_query: <int> | default = 2000000]

# Maximum number of chunks that can be fetched in a single query from ingesters
# and long-term storage. This limit is enforced in the querier, ruler and
# store-gateway. Takes precedence over the deprecated -store.query-chunk-limit.
# 0 to disable.
# CLI flag: -querier.max-fetched-chunks-per-query
[max_fetched_chunks_per_query: <int> | default = 0]

# The maximum number of unique series for which a query can fetch samples from
# each ingesters and blocks storage. This limit is enforced in the querier only
# when running with blocks storage. 0 to disable
# CLI flag: -querier.max-fetched-series-per-query
[max_fetched_series_per_query: <int> | default = 0]

# The maximum size of all chunks in bytes that a query can fetch from each
# ingester and storage. This limit is enforced in the querier and ruler only
# when running with blocks storage. 0 to disable.
# CLI flag: -querier.max-fetched-chunk-bytes-per-query
[max_fetched_chunk_bytes_per_query: <int> | default = 0]

# Limit how long back data (series and metadata) can be queried, up until
# <lookback> duration ago. This limit is enforced in the query-frontend, querier
# and ruler. If the requested time range is outside the allowed range, the
# request will not fail but will be manipulated to only query data within the
# allowed time range. 0 to disable.
# CLI flag: -querier.max-query-lookback
[max_query_lookback: <duration> | default = 0s]

# Limit the query time range (end - start time). This limit is enforced in the
# query-frontend (on the received query), in the querier (on the query possibly
# split by the query-frontend) and in the chunks storage. 0 to disable.
# CLI flag: -store.max-query-length
[max_query_length: <duration> | default = 0s]

# Maximum number of split queries will be scheduled in parallel by the frontend.
# CLI flag: -querier.max-query-parallelism
[max_query_parallelism: <int> | default = 14]

# Cardinality limit for index queries. This limit is ignored when using blocks
# storage. 0 to disable.
# CLI flag: -store.cardinality-limit
[cardinality_limit: <int> | default = 100000]

# Most recent allowed cacheable result per-tenant, to prevent caching very
# recent results that might still be in flux.
# CLI flag: -frontend.max-cache-freshness
[max_cache_freshness: <duration> | default = 1m]

# Maximum number of queriers that can handle requests for a single tenant. If
# set to 0 or value higher than number of available queriers, *all* queriers
# will handle requests for the tenant. Each frontend (or query-scheduler, if
# used) will select the same set of queriers for the same tenant (given that all
# queriers are connected to all frontends / query-schedulers). This option only
# works with queriers connecting to the query-frontend / query-scheduler, not
# when using downstream URL.
# CLI flag: -frontend.max-queriers-per-tenant
[max_queriers_per_tenant: <int> | default = 0]

# The amount of shards to use when doing parallelisation via query sharding by
# tenant. 0 to disable query sharding for tenant. Query sharding implementation
# will adjust the number of query shards based on compactor shards used by
# split-and-merge compaction strategy. This allows querier to not search the
# blocks which cannot possibly have the series for given query shard.
# CLI flag: -frontend.query-sharding-total-shards
[query_sharding_total_shards: <int> | default = 16]

# The max number of sharded queries that can be run for a given received query.
# 0 to disable limit.
# CLI flag: -frontend.query-sharding-max-sharded-queries
[query_sharding_max_sharded_queries: <int> | default = 128]

# Enables endpoints used for cardinality analysis.
# CLI flag: -querier.cardinality-analysis-enabled
[cardinality_analysis_enabled: <boolean> | default = false]

# Maximum size in bytes of distinct label names and values. When querier
# receives response from ingester, it merges the response with responses from
# other ingesters. This maximum size limit is applied to the merged(distinct)
# results. If the limit is reached, an error is returned.
# CLI flag: -querier.label-names-and-values-results-max-size-bytes
[label_names_and_values_results_max_size_bytes: <int> | default = 419430400]

# Maximum number of label names allowed to be queried in a single
# /api/v1/cardinality/label_values API call.
# CLI flag: -querier.label-values-max-cardinality-label-names-per-request
[label_values_max_cardinality_label_names_per_request: <int> | default = 100]

# Duration to delay the evaluation of rules to ensure the underlying metrics
# have been pushed.
# CLI flag: -ruler.evaluation-delay-duration
[ruler_evaluation_delay_duration: <duration> | default = 0s]

# The tenant's shard size when the shuffle-sharding strategy is used by ruler.
# When this setting is specified in the per-tenant overrides, a value of 0
# disables shuffle sharding for the tenant.
# CLI flag: -ruler.tenant-shard-size
[ruler_tenant_shard_size: <int> | default = 0]

# Maximum number of rules per rule group per-tenant. 0 to disable.
# CLI flag: -ruler.max-rules-per-rule-group
[ruler_max_rules_per_rule_group: <int> | default = 0]

# Maximum number of rule groups per-tenant. 0 to disable.
# CLI flag: -ruler.max-rule-groups-per-tenant
[ruler_max_rule_groups_per_tenant: <int> | default = 0]

# The tenant's shard size when the shuffle-sharding strategy is used. Must be
# set when the store-gateway sharding is enabled with the shuffle-sharding
# strategy. When this setting is specified in the per-tenant overrides, a value
# of 0 disables shuffle sharding for the tenant.
# CLI flag: -store-gateway.tenant-shard-size
[store_gateway_tenant_shard_size: <int> | default = 0]

# Delete blocks containing samples older than the specified retention period. 0
# to disable.
# CLI flag: -compactor.blocks-retention-period
[compactor_blocks_retention_period: <duration> | default = 0s]

# The number of shards to use when splitting blocks. This config option is used
# only when split-and-merge compaction strategy is in use. 0 to disable
# splitting but keep using the split-and-merge compaction strategy.
# CLI flag: -compactor.split-and-merge-shards
[compactor_split_and_merge_shards: <int> | default = 0]

# Number of groups that blocks for splitting should be grouped into. Each group
# of blocks is then split separately. Number of output split shards is
# controlled by -compactor.split-and-merge-shards. Only used when
# split-and-merge compaction strategy is in used.
# CLI flag: -compactor.split-groups
[compactor_split_groups: <int> | default = 4]

# Max number of compactors that can compact blocks for single tenant. Only used
# when split-and-merge compaction strategy is in use. 0 to disable the limit and
# use all compactors.
# CLI flag: -compactor.compactor-tenant-shard-size
[compactor_tenant_shard_size: <int> | default = 1]

# S3 server-side encryption type. Required to enable server-side encryption
# overrides for a specific tenant. If not set, the default S3 client settings
# are used.
[s3_sse_type: <string> | default = ""]

# S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not
# set.
[s3_sse_kms_key_id: <string> | default = ""]

# S3 server-side encryption KMS encryption context. If unset and the key ID
# override is set, the encryption context will not be provided to S3. Ignored if
# the SSE type override is not set.
[s3_sse_kms_encryption_context: <string> | default = ""]

# Comma-separated list of network CIDRs to block in Alertmanager receiver
# integrations.
# CLI flag: -alertmanager.receivers-firewall-block-cidr-networks
[alertmanager_receivers_firewall_block_cidr_networks: <string> | default = ""]

# True to block private and local addresses in Alertmanager receiver
# integrations. It blocks private addresses defined by  RFC 1918 (IPv4
# addresses) and RFC 4193 (IPv6 addresses), as well as loopback, local unicast
# and local multicast addresses.
# CLI flag: -alertmanager.receivers-firewall-block-private-addresses
[alertmanager_receivers_firewall_block_private_addresses: <boolean> | default = false]

# Per-user rate limit for sending notifications from Alertmanager in
# notifications/sec. 0 = rate limit disabled. Negative value = no notifications
# are allowed.
# CLI flag: -alertmanager.notification-rate-limit
[alertmanager_notification_rate_limit: <float> | default = 0]

# Per-integration notification rate limits. Value is a map, where each key is
# integration name and value is a rate-limit (float). On command line, this map
# is given in JSON format. Rate limit has the same meaning as
# -alertmanager.notification-rate-limit, but only applies for specific
# integration. Allowed integration names: webhook, email, pagerduty, opsgenie,
# wechat, slack, victorops, pushover, sns.
# CLI flag: -alertmanager.notification-rate-limit-per-integration
[alertmanager_notification_rate_limit_per_integration: <map of string to float64> | default = {}]

# Maximum size of configuration file for Alertmanager that tenant can upload via
# Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-config-size-bytes
[alertmanager_max_config_size_bytes: <int> | default = 0]

# Maximum number of templates in tenant's Alertmanager configuration uploaded
# via Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-templates-count
[alertmanager_max_templates_count: <int> | default = 0]

# Maximum size of single template in tenant's Alertmanager configuration
# uploaded via Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-template-size-bytes
[alertmanager_max_template_size_bytes: <int> | default = 0]

# Maximum number of aggregation groups in Alertmanager's dispatcher that a
# tenant can have. Each active aggregation group uses single goroutine. When the
# limit is reached, dispatcher will not dispatch alerts that belong to
# additional aggregation groups, but existing groups will keep working properly.
# 0 = no limit.
# CLI flag: -alertmanager.max-dispatcher-aggregation-groups
[alertmanager_max_dispatcher_aggregation_groups: <int> | default = 0]

# Maximum number of alerts that a single user can have. Inserting more alerts
# will fail with a log message and metric increment. 0 = no limit.
# CLI flag: -alertmanager.max-alerts-count
[alertmanager_max_alerts_count: <int> | default = 0]

# Maximum total size of alerts that a single user can have, alert size is the
# sum of the bytes of its labels, annotations and generatorURL. Inserting more
# alerts will fail with a log message and metric increment. 0 = no limit.
# CLI flag: -alertmanager.max-alerts-size-bytes
[alertmanager_max_alerts_size_bytes: <int> | default = 0]
```

### blocks\_storage\_config

The `blocks_storage_config` configures the blocks storage.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem.
# CLI flag: -blocks-storage.backend
[backend: <string> | default = "s3"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -blocks-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -blocks-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -blocks-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -blocks-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -blocks-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # If enabled, use http:// for the S3 endpoint instead of https://. This could
  # be useful in local dev/test environments while using an S3-compatible
  # backend storage, like Minio.
  # CLI flag: -blocks-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # The signature version to use for authenticating against S3. Supported values
  # are: v4, v2.
  # CLI flag: -blocks-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # The s3_sse_config configures the S3 server-side encryption.
  # The CLI flags prefix for this block config is: blocks-storage
  [sse: <s3_sse_config>]

  http:
    # The time an idle connection will remain idle before closing.
    # CLI flag: -blocks-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # The amount of time the client will wait for a servers response headers.
    # CLI flag: -blocks-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # If the client connects to S3 via HTTPS and this option is enabled, the
    # client will accept any certificate and hostname.
    # CLI flag: -blocks-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -blocks-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # The time to wait for a server's first response headers after fully writing
    # the request headers if the request has an Expect header. 0 to send the
    # request body immediately.
    # CLI flag: -blocks-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # Maximum number of idle (keep-alive) connections across all hosts. 0 means
    # no limit.
    # CLI flag: -blocks-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a
    # built-in default value is used.
    # CLI flag: -blocks-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # Maximum number of connections per host. 0 means no limit.
    # CLI flag: -blocks-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

gcs:
  # GCS bucket name
  # CLI flag: -blocks-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON representing either a Google Developers Console client_credentials.json
  # file or a Google Developers service account key file. If empty, fallback to
  # Google default logic.
  # CLI flag: -blocks-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -blocks-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key
  # CLI flag: -blocks-storage.azure.account-key
  [account_key: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -blocks-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN
  # CLI flag: -blocks-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # Number of retries for recoverable errors
  # CLI flag: -blocks-storage.azure.max-retries
  [max_retries: <int> | default = 20]

swift:
  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -blocks-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -blocks-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -blocks-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -blocks-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -blocks-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -blocks-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -blocks-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -blocks-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -blocks-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs the from user domain.
  # CLI flag: -blocks-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -blocks-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -blocks-storage.swift.container-name
  [container_name: <string> | default = ""]

  # Max retries on requests error.
  # CLI flag: -blocks-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # Time after which a connection attempt is aborted.
  # CLI flag: -blocks-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # Time after which an idle request is aborted. The timeout watchdog is reset
  # each time some data is received, so the timeout triggers after X time no
  # data is received on a request.
  # CLI flag: -blocks-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -blocks-storage.filesystem.dir
  [dir: <string> | default = ""]

# This configures how the querier and store-gateway discover and synchronize
# blocks stored in the bucket.
bucket_store:
  # Directory to store synchronized TSDB index headers.
  # CLI flag: -blocks-storage.bucket-store.sync-dir
  [sync_dir: <string> | default = "tsdb-sync"]

  # How frequently to scan the bucket, or to refresh the bucket index (if
  # enabled), in order to look for changes (new blocks shipped by ingesters and
  # blocks deleted by retention or compaction).
  # CLI flag: -blocks-storage.bucket-store.sync-interval
  [sync_interval: <duration> | default = 15m]

  # Max number of concurrent queries to execute against the long-term storage.
  # The limit is shared across all tenants.
  # CLI flag: -blocks-storage.bucket-store.max-concurrent
  [max_concurrent: <int> | default = 100]

  # Maximum number of concurrent tenants synching blocks.
  # CLI flag: -blocks-storage.bucket-store.tenant-sync-concurrency
  [tenant_sync_concurrency: <int> | default = 10]

  # Maximum number of concurrent blocks synching per tenant.
  # CLI flag: -blocks-storage.bucket-store.block-sync-concurrency
  [block_sync_concurrency: <int> | default = 20]

  # Number of Go routines to use when syncing block meta files from object
  # storage per tenant.
  # CLI flag: -blocks-storage.bucket-store.meta-sync-concurrency
  [meta_sync_concurrency: <int> | default = 20]

  # Minimum age of a block before it's being read. Set it to safe value (e.g
  # 30m) if your object storage is eventually consistent. GCS and S3 are
  # (roughly) strongly consistent.
  # CLI flag: -blocks-storage.bucket-store.consistency-delay
  [consistency_delay: <duration> | default = 0s]

  index_cache:
    # The index cache backend type. Supported values: inmemory, memcached.
    # CLI flag: -blocks-storage.bucket-store.index-cache.backend
    [backend: <string> | default = "inmemory"]

    inmemory:
      # Maximum size in bytes of in-memory index cache used to speed up blocks
      # index lookups (shared between all tenants).
      # CLI flag: -blocks-storage.bucket-store.index-cache.inmemory.max-size-bytes
      [max_size_bytes: <int> | default = 1073741824]

    memcached:
      # Comma separated list of memcached addresses. Supported prefixes are:
      # dns+ (looked up as an A/AAAA query), dnssrv+ (looked up as a SRV query,
      # dnssrvnoa+ (looked up as a SRV query, with no A/AAAA lookup made after
      # that).
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 16]

      # The maximum number of concurrent asynchronous operations can occur.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 10000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 0]

      # The maximum size of an item stored in memcached. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -blocks-storage.bucket-store.index-cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

  chunks_cache:
    # Backend for chunks cache, if not empty. Supported values: memcached.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.backend
    [backend: <string> | default = ""]

    memcached:
      # Comma separated list of memcached addresses. Supported prefixes are:
      # dns+ (looked up as an A/AAAA query), dnssrv+ (looked up as a SRV query,
      # dnssrvnoa+ (looked up as a SRV query, with no A/AAAA lookup made after
      # that).
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 16]

      # The maximum number of concurrent asynchronous operations can occur.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 10000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 0]

      # The maximum size of an item stored in memcached. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -blocks-storage.bucket-store.chunks-cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

    # Size of each subrange that bucket object is split into for better caching.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.subrange-size
    [subrange_size: <int> | default = 16000]

    # Maximum number of sub-GetRange requests that a single GetRange request can
    # be split into when fetching chunks. Zero or negative value = unlimited
    # number of sub-requests.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.max-get-range-requests
    [max_get_range_requests: <int> | default = 3]

    # TTL for caching object attributes for chunks. If the metadata cache is
    # configured, attributes will be stored under this cache backend, otherwise
    # attributes are stored in the chunks cache backend.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.attributes-ttl
    [attributes_ttl: <duration> | default = 168h]

    # Maximum number of object attribute items to keep in a first level
    # in-memory LRU cache. Metadata will be stored and fetched in-memory before
    # hitting the cache backend. 0 to disable the in-memory cache.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.attributes-in-memory-max-items
    [attributes_in_memory_max_items: <int> | default = 0]

    # TTL for caching individual chunks subranges.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.subrange-ttl
    [subrange_ttl: <duration> | default = 24h]

  metadata_cache:
    # Backend for metadata cache, if not empty. Supported values: memcached.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.backend
    [backend: <string> | default = ""]

    memcached:
      # Comma separated list of memcached addresses. Supported prefixes are:
      # dns+ (looked up as an A/AAAA query), dnssrv+ (looked up as a SRV query,
      # dnssrvnoa+ (looked up as a SRV query, with no A/AAAA lookup made after
      # that).
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.timeout
      [timeout: <duration> | default = 100ms]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 16]

      # The maximum number of concurrent asynchronous operations can occur.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 10000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 0]

      # The maximum size of an item stored in memcached. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -blocks-storage.bucket-store.metadata-cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

    # How long to cache list of tenants in the bucket.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.tenants-list-ttl
    [tenants_list_ttl: <duration> | default = 15m]

    # How long to cache list of blocks for each tenant.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.tenant-blocks-list-ttl
    [tenant_blocks_list_ttl: <duration> | default = 5m]

    # How long to cache list of chunks for a block.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.chunks-list-ttl
    [chunks_list_ttl: <duration> | default = 24h]

    # How long to cache information that block metafile exists. Also used for
    # user deletion mark file.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-exists-ttl
    [metafile_exists_ttl: <duration> | default = 2h]

    # How long to cache information that block metafile doesn't exist. Also used
    # for user deletion mark file.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-doesnt-exist-ttl
    [metafile_doesnt_exist_ttl: <duration> | default = 5m]

    # How long to cache content of the metafile.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-content-ttl
    [metafile_content_ttl: <duration> | default = 24h]

    # Maximum size of metafile content to cache in bytes. Caching will be
    # skipped if the content exceeds this size. This is useful to avoid network
    # round trip for large content if the configured caching backend has an hard
    # limit on cached items size (in this case, you should set this limit to the
    # same limit in the caching backend).
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-max-size-bytes
    [metafile_max_size_bytes: <int> | default = 1048576]

    # How long to cache attributes of the block metafile.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-attributes-ttl
    [metafile_attributes_ttl: <duration> | default = 168h]

    # How long to cache attributes of the block index.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.block-index-attributes-ttl
    [block_index_attributes_ttl: <duration> | default = 168h]

    # How long to cache content of the bucket index.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.bucket-index-content-ttl
    [bucket_index_content_ttl: <duration> | default = 5m]

    # Maximum size of bucket index content to cache in bytes. Caching will be
    # skipped if the content exceeds this size. This is useful to avoid network
    # round trip for large content if the configured caching backend has an hard
    # limit on cached items size (in this case, you should set this limit to the
    # same limit in the caching backend).
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.bucket-index-max-size-bytes
    [bucket_index_max_size_bytes: <int> | default = 1048576]

  # Duration after which the blocks marked for deletion will be filtered out
  # while fetching blocks. The idea of ignore-deletion-marks-delay is to ignore
  # blocks that are marked for deletion with some delay. This ensures store can
  # still serve blocks that are meant to be deleted but do not have a
  # replacement yet. Default is 6h, half of the default value for
  # -compactor.deletion-delay.
  # CLI flag: -blocks-storage.bucket-store.ignore-deletion-marks-delay
  [ignore_deletion_mark_delay: <duration> | default = 6h]

  bucket_index:
    # True to enable querier and store-gateway to discover blocks in the storage
    # via bucket index instead of bucket scanning.
    # CLI flag: -blocks-storage.bucket-store.bucket-index.enabled
    [enabled: <boolean> | default = false]

    # How frequently a bucket index, which previously failed to load, should be
    # tried to load again. This option is used only by querier.
    # CLI flag: -blocks-storage.bucket-store.bucket-index.update-on-error-interval
    [update_on_error_interval: <duration> | default = 1m]

    # How long a unused bucket index should be cached. Once this timeout
    # expires, the unused bucket index is removed from the in-memory cache. This
    # option is used only by querier.
    # CLI flag: -blocks-storage.bucket-store.bucket-index.idle-timeout
    [idle_timeout: <duration> | default = 1h]

    # The maximum allowed age of a bucket index (last updated) before queries
    # start failing because the bucket index is too old. The bucket index is
    # periodically updated by the compactor, while this check is enforced in the
    # querier (at query time).
    # CLI flag: -blocks-storage.bucket-store.bucket-index.max-stale-period
    [max_stale_period: <duration> | default = 1h]

  # Max size - in bytes - of a chunks pool, used to reduce memory allocations.
  # The pool is shared across all tenants. 0 to disable the limit.
  # CLI flag: -blocks-storage.bucket-store.max-chunk-pool-bytes
  [max_chunk_pool_bytes: <int> | default = 2147483648]

  # Max size - in bytes - of the in-memory series hash cache. The cache is
  # shared across all tenants and it's used only when query sharding is enabled.
  # CLI flag: -blocks-storage.bucket-store.series-hash-cache-max-size-bytes
  [series_hash_cache_max_size_bytes: <int> | default = 1073741824]

  # If enabled, store-gateway will lazy load an index-header only once required
  # by a query.
  # CLI flag: -blocks-storage.bucket-store.index-header-lazy-loading-enabled
  [index_header_lazy_loading_enabled: <boolean> | default = false]

  # If index-header lazy loading is enabled and this setting is > 0, the
  # store-gateway will offload unused index-headers after 'idle timeout'
  # inactivity.
  # CLI flag: -blocks-storage.bucket-store.index-header-lazy-loading-idle-timeout
  [index_header_lazy_loading_idle_timeout: <duration> | default = 20m]

tsdb:
  # Local directory to store TSDBs in the ingesters.
  # CLI flag: -blocks-storage.tsdb.dir
  [dir: <string> | default = "tsdb"]

  # TSDB blocks range period.
  # CLI flag: -blocks-storage.tsdb.block-ranges-period
  [block_ranges_period: <list of duration> | default = 2h0m0s]

  # TSDB blocks retention in the ingester before a block is removed. This should
  # be larger than the block_ranges_period and large enough to give
  # store-gateways and queriers enough time to discover newly uploaded blocks.
  # CLI flag: -blocks-storage.tsdb.retention-period
  [retention_period: <duration> | default = 6h]

  # How frequently the TSDB blocks are scanned and new ones are shipped to the
  # storage. 0 means shipping is disabled.
  # CLI flag: -blocks-storage.tsdb.ship-interval
  [ship_interval: <duration> | default = 1m]

  # Maximum number of tenants concurrently shipping blocks to the storage.
  # CLI flag: -blocks-storage.tsdb.ship-concurrency
  [ship_concurrency: <int> | default = 10]

  # How frequently ingesters try to compact TSDB head. Block is only created if
  # data covers smallest block range. Must be greater than 0 and max 5 minutes.
  # CLI flag: -blocks-storage.tsdb.head-compaction-interval
  [head_compaction_interval: <duration> | default = 1m]

  # Maximum number of tenants concurrently compacting TSDB head into a new block
  # CLI flag: -blocks-storage.tsdb.head-compaction-concurrency
  [head_compaction_concurrency: <int> | default = 5]

  # If TSDB head is idle for this duration, it is compacted. Note that up to 25%
  # jitter is added to the value to avoid ingesters compacting concurrently. 0
  # means disabled.
  # CLI flag: -blocks-storage.tsdb.head-compaction-idle-timeout
  [head_compaction_idle_timeout: <duration> | default = 1h]

  # The write buffer size used by the head chunks mapper. Lower values reduce
  # memory utilisation on clusters with a large number of tenants at the cost of
  # increased disk I/O operations.
  # CLI flag: -blocks-storage.tsdb.head-chunks-write-buffer-size-bytes
  [head_chunks_write_buffer_size_bytes: <int> | default = 4194304]

  # The number of shards of series to use in TSDB (must be a power of 2).
  # Reducing this will decrease memory footprint, but can negatively impact
  # performance.
  # CLI flag: -blocks-storage.tsdb.stripe-size
  [stripe_size: <int> | default = 16384]

  # True to enable TSDB WAL compression.
  # CLI flag: -blocks-storage.tsdb.wal-compression-enabled
  [wal_compression_enabled: <boolean> | default = false]

  # TSDB WAL segments files max size (bytes).
  # CLI flag: -blocks-storage.tsdb.wal-segment-size-bytes
  [wal_segment_size_bytes: <int> | default = 134217728]

  # True to flush blocks to storage on shutdown. If false, incomplete blocks
  # will be reused after restart.
  # CLI flag: -blocks-storage.tsdb.flush-blocks-on-shutdown
  [flush_blocks_on_shutdown: <boolean> | default = false]

  # If TSDB has not received any data for this duration, and all blocks from
  # TSDB have been shipped, TSDB is closed and deleted from local disk. If set
  # to positive value, this value should be equal or higher than
  # -querier.query-ingesters-within flag to make sure that TSDB is not closed
  # prematurely, which could cause partial query results. 0 or negative value
  # disables closing of idle TSDB.
  # CLI flag: -blocks-storage.tsdb.close-idle-tsdb-timeout
  [close_idle_tsdb_timeout: <duration> | default = 0s]

  # True to enable snapshotting of in-memory TSDB data on disk when shutting
  # down.
  # CLI flag: -blocks-storage.tsdb.memory-snapshot-on-shutdown
  [memory_snapshot_on_shutdown: <boolean> | default = false]

  # Max size - in bytes - of the in-memory series hash cache. The cache is
  # shared across all tenants and it's used only when query sharding is enabled.
  # CLI flag: -blocks-storage.tsdb.series-hash-cache-max-size-bytes
  [series_hash_cache_max_size_bytes: <int> | default = 1073741824]

  # limit the number of concurrently opening TSDB's on startup
  # CLI flag: -blocks-storage.tsdb.max-tsdb-opening-concurrency-on-startup
  [max_tsdb_opening_concurrency_on_startup: <int> | default = 10]

# Rate limit (per second), if set <= 0 rate limiting is disabled.
# CLI flag: -blocks-storage.bucket-rate-limit.limit
[bucket_rate_limit: <float> | default = 0]

# Burst size
# CLI flag: -blocks-storage.bucket-rate-limit.burst
[bucket_rate_limit_burst: <int> | default = 1]
```

### compactor\_config

The `compactor_config` configures the compactor for the blocks storage.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# List of compaction time ranges.
# CLI flag: -compactor.block-ranges
[block_ranges: <list of duration> | default = 2h0m0s,12h0m0s,24h0m0s]

# Number of Go routines to use when syncing block index and chunks files from
# the long term storage.
# CLI flag: -compactor.block-sync-concurrency
[block_sync_concurrency: <int> | default = 20]

# Number of Go routines to use when syncing block meta files from the long term
# storage.
# CLI flag: -compactor.meta-sync-concurrency
[meta_sync_concurrency: <int> | default = 20]

# Minimum age of fresh (non-compacted) blocks before they are being processed.
# Malformed blocks older than the maximum of consistency-delay and 48h0m0s will
# be removed.
# CLI flag: -compactor.consistency-delay
[consistency_delay: <duration> | default = 0s]

# Data directory in which to cache blocks and process compactions
# CLI flag: -compactor.data-dir
[data_dir: <string> | default = "./data"]

# The frequency at which the compaction runs
# CLI flag: -compactor.compaction-interval
[compaction_interval: <duration> | default = 1h]

# How many times to retry a failed compaction within a single compaction run.
# CLI flag: -compactor.compaction-retries
[compaction_retries: <int> | default = 3]

# Max number of concurrent compactions running.
# CLI flag: -compactor.compaction-concurrency
[compaction_concurrency: <int> | default = 1]

# How frequently compactor should run blocks cleanup and maintenance, as well as
# update the bucket index.
# CLI flag: -compactor.cleanup-interval
[cleanup_interval: <duration> | default = 15m]

# Max number of tenants for which blocks cleanup and maintenance should run
# concurrently.
# CLI flag: -compactor.cleanup-concurrency
[cleanup_concurrency: <int> | default = 20]

# Time before a block marked for deletion is deleted from bucket. If not 0,
# blocks will be marked for deletion and compactor component will permanently
# delete blocks marked for deletion from the bucket. If 0, blocks will be
# deleted straight away. Note that deleting blocks immediately can cause query
# failures.
# CLI flag: -compactor.deletion-delay
[deletion_delay: <duration> | default = 12h]

# For tenants marked for deletion, this is time between deleting of last block,
# and doing final cleanup (marker files, debug files) of the tenant.
# CLI flag: -compactor.tenant-cleanup-delay
[tenant_cleanup_delay: <duration> | default = 6h]

# Comma separated list of tenants that can be compacted. If specified, only
# these tenants will be compacted by compactor, otherwise all tenants can be
# compacted. Subject to sharding.
# CLI flag: -compactor.enabled-tenants
[enabled_tenants: <string> | default = ""]

# Comma separated list of tenants that cannot be compacted by this compactor. If
# specified, and compactor would normally pick given tenant for compaction (via
# -compactor.enabled-tenants or sharding), it will be ignored instead.
# CLI flag: -compactor.disabled-tenants
[disabled_tenants: <string> | default = ""]

# Shard tenants across multiple compactor instances. Sharding is required if you
# run multiple compactor instances, in order to coordinate compactions and avoid
# race conditions leading to the same tenant blocks simultaneously compacted by
# different instances.
# CLI flag: -compactor.sharding-enabled
[sharding_enabled: <boolean> | default = false]

sharding_ring:
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -compactor.ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -compactor.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: compactor.ring
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: compactor.ring
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -compactor.ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -compactor.ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -compactor.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -compactor.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -compactor.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # The heartbeat timeout after which compactors are considered unhealthy within
  # the ring. 0 = never (timeout disabled).
  # CLI flag: -compactor.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Minimum time to wait for ring stability at startup. 0 to disable.
  # CLI flag: -compactor.ring.wait-stability-min-duration
  [wait_stability_min_duration: <duration> | default = 1m]

  # Maximum time to wait for ring stability at startup. If the compactor ring
  # keeps changing after this period of time, the compactor will start anyway.
  # CLI flag: -compactor.ring.wait-stability-max-duration
  [wait_stability_max_duration: <duration> | default = 5m]

  # Name of network interface to read address from.
  # CLI flag: -compactor.ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # Timeout for waiting on compactor to become ACTIVE in the ring.
  # CLI flag: -compactor.ring.wait-active-instance-timeout
  [wait_active_instance_timeout: <duration> | default = 10m]

# The compaction strategy to use. Supported values are: default,
# split-and-merge.
# CLI flag: -compactor.compaction-strategy
[compaction_strategy: <string> | default = "default"]

# The sorting to use when deciding which compacton jobs should run first for a
# given tenant. Changing this setting is not supported by the default compaction
# strategy. Supported values are: default, split-and-merge.
# CLI flag: -compactor.compaction-jobs-order
[compaction_jobs_order: <string> | default = "smallest-range-oldest-blocks-first"]

# The sharding strategy to use. Supported values are: default, time-sharding.
# CLI flag: -compactor.sharding-strategy
[sharding_strategy: <string> | default = "default"]
```

### store\_gateway\_config

The `store_gateway_config` configures the store-gateway service used by the blocks storage.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Shard blocks across multiple store gateway instances. This option needs be set
# both on the store-gateway and querier when running in microservices mode.
# CLI flag: -store-gateway.sharding-enabled
[sharding_enabled: <boolean> | default = false]

# The hash ring configuration. This option is required only if blocks sharding
# is enabled.
sharding_ring:
  # The key-value store used to share the hash ring across multiple instances.
  # This option needs be set both on the store-gateway and querier when running
  # in microservices mode.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -store-gateway.sharding-ring.store
    [store: <string> | default = "consul"]

    # The prefix for the keys in the store. Should end with a /.
    # CLI flag: -store-gateway.sharding-ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul_config configures the consul client.
    # The CLI flags prefix for this block config is: store-gateway.sharding-ring
    [consul: <consul_config>]

    # The etcd_config configures the etcd client.
    # The CLI flags prefix for this block config is: store-gateway.sharding-ring
    [etcd: <etcd_config>]

    multi:
      # Primary backend storage used by multi-client.
      # CLI flag: -store-gateway.sharding-ring.multi.primary
      [primary: <string> | default = ""]

      # Secondary backend storage used by multi-client.
      # CLI flag: -store-gateway.sharding-ring.multi.secondary
      [secondary: <string> | default = ""]

      # Mirror writes to secondary store.
      # CLI flag: -store-gateway.sharding-ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # Timeout for storing value to secondary store.
      # CLI flag: -store-gateway.sharding-ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -store-gateway.sharding-ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # The heartbeat timeout after which store gateways are considered unhealthy
  # within the ring. 0 = never (timeout disabled). This option needs be set both
  # on the store-gateway and querier when running in microservices mode.
  # CLI flag: -store-gateway.sharding-ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # The replication factor to use when sharding blocks. This option needs be set
  # both on the store-gateway and querier when running in microservices mode.
  # CLI flag: -store-gateway.sharding-ring.replication-factor
  [replication_factor: <int> | default = 3]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -store-gateway.sharding-ring.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # True to enable zone-awareness and replicate blocks across different
  # availability zones.
  # CLI flag: -store-gateway.sharding-ring.zone-awareness-enabled
  [zone_awareness_enabled: <boolean> | default = false]

  # Minimum time to wait for ring stability at startup. 0 to disable.
  # CLI flag: -store-gateway.sharding-ring.wait-stability-min-duration
  [wait_stability_min_duration: <duration> | default = 1m]

  # Maximum time to wait for ring stability at startup. If the store-gateway
  # ring keeps changing after this period of time, the store-gateway will start
  # anyway.
  # CLI flag: -store-gateway.sharding-ring.wait-stability-max-duration
  [wait_stability_max_duration: <duration> | default = 5m]

  # Name of network interface to read address from.
  # CLI flag: -store-gateway.sharding-ring.instance-interface-names
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # The availability zone where this instance is running. Required if
  # zone-awareness is enabled.
  # CLI flag: -store-gateway.sharding-ring.instance-availability-zone
  [instance_availability_zone: <string> | default = ""]

# The sharding strategy to use. Supported values are: default, shuffle-sharding.
# CLI flag: -store-gateway.sharding-strategy
[sharding_strategy: <string> | default = "default"]
```

### purger\_config

The `purger_config` configures the purger which takes care of delete requests.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Enable purger to allow deletion of series. Be aware that Delete series feature
# is still experimental
# CLI flag: -purger.enable
[enable: <boolean> | default = false]

# Number of workers executing delete plans in parallel
# CLI flag: -purger.num-workers
[num_workers: <int> | default = 2]

# Name of the object store to use for storing delete plans
# CLI flag: -purger.object-store-type
[object_store_type: <string> | default = ""]

# Allow cancellation of delete request until duration after they are created.
# Data would be deleted only after delete requests have been older than this
# duration. Ideally this should be set to at least 24h.
# CLI flag: -purger.delete-request-cancel-period
[delete_request_cancel_period: <duration> | default = 24h]
```

### s3\_sse\_config

The `s3_sse_config` configures the S3 server-side encryption. The supported CLI flags `<prefix>` used to reference this config block are:

- *no prefix*
- `admin.client`
- `alertmanager-storage`
- `alertmanager.storage`
- `blocks-storage`
- `graphite.querier.schemas`
- `ruler-storage`
- `ruler.storage`

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
# CLI flag: -<prefix>.s3.sse.type
[type: <string> | default = ""]

# KMS Key ID used to encrypt objects in S3
# CLI flag: -<prefix>.s3.sse.kms-key-id
[kms_key_id: <string> | default = ""]

# KMS Encryption Context used for object encryption. It expects JSON formatted
# string.
# CLI flag: -<prefix>.s3.sse.kms-encryption-context
[kms_encryption_context: <string> | default = ""]
```

### table\_manager\_config

The `table_manager_config` configures the GEM table-manager.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# If true, disable all changes to DB capacity
# CLI flag: -table-manager.throughput-updates-disabled
[throughput_updates_disabled: <boolean> | default = false]

# If true, enables retention deletes of DB tables
# CLI flag: -table-manager.retention-deletes-enabled
[retention_deletes_enabled: <boolean> | default = false]

# Tables older than this retention period are deleted. Must be either 0
# (disabled) or a multiple of 24h. When enabled, be aware this setting is
# destructive to data!
# CLI flag: -table-manager.retention-period
[retention_period: <duration> | default = 0s]

# How frequently to poll backend to learn our capacity.
# CLI flag: -table-manager.poll-interval
[poll_interval: <duration> | default = 2m]

# Periodic tables grace period (duration which table will be created/deleted
# before/after it's needed).
# CLI flag: -table-manager.periodic-table.grace-period
[creation_grace_period: <duration> | default = 10m]

index_tables_provisioning:
  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.index-table.enable-ondemand-throughput-mode
  [enable_ondemand_throughput_mode: <boolean> | default = false]

  # Table default write throughput. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.write-throughput
  [provisioned_write_throughput: <int> | default = 1000]

  # Table default read throughput. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.read-throughput
  [provisioned_read_throughput: <int> | default = 300]

  write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.write-throughput.scale.target-value
    [target: <float> | default = 80]

  read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.index-table.inactive-enable-ondemand-throughput-mode
  [enable_inactive_throughput_on_demand_mode: <boolean> | default = false]

  # Table write throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.inactive-write-throughput
  [inactive_write_throughput: <int> | default = 1]

  # Table read throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.index-table.inactive-read-throughput
  [inactive_read_throughput: <int> | default = 300]

  inactive_write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.inactive-write-throughput.scale.target-value
    [target: <float> | default = 80]

  inactive_read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.index-table.inactive-read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Number of last inactive tables to enable write autoscale.
  # CLI flag: -table-manager.index-table.inactive-write-throughput.scale-last-n
  [inactive_write_scale_lastn: <int> | default = 4]

  # Number of last inactive tables to enable read autoscale.
  # CLI flag: -table-manager.index-table.inactive-read-throughput.scale-last-n
  [inactive_read_scale_lastn: <int> | default = 4]

chunk_tables_provisioning:
  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.chunk-table.enable-ondemand-throughput-mode
  [enable_ondemand_throughput_mode: <boolean> | default = false]

  # Table default write throughput. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.write-throughput
  [provisioned_write_throughput: <int> | default = 1000]

  # Table default read throughput. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.read-throughput
  [provisioned_read_throughput: <int> | default = 300]

  write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.write-throughput.scale.target-value
    [target: <float> | default = 80]

  read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Enables on demand throughput provisioning for the storage provider (if
  # supported). Applies only to tables which are not autoscaled. Supported by
  # DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-enable-ondemand-throughput-mode
  [enable_inactive_throughput_on_demand_mode: <boolean> | default = false]

  # Table write throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-write-throughput
  [inactive_write_throughput: <int> | default = 1]

  # Table read throughput for inactive tables. Supported by DynamoDB
  # CLI flag: -table-manager.chunk-table.inactive-read-throughput
  [inactive_read_throughput: <int> | default = 300]

  inactive_write_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale.target-value
    [target: <float> | default = 80]

  inactive_read_scale:
    # Should we enable autoscale for the table.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.enabled
    [enabled: <boolean> | default = false]

    # AWS AutoScaling role ARN
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.role-arn
    [role_arn: <string> | default = ""]

    # DynamoDB minimum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.min-capacity
    [min_capacity: <int> | default = 3000]

    # DynamoDB maximum provision capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.max-capacity
    [max_capacity: <int> | default = 6000]

    # DynamoDB minimum seconds between each autoscale up.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.out-cooldown
    [out_cooldown: <int> | default = 1800]

    # DynamoDB minimum seconds between each autoscale down.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.in-cooldown
    [in_cooldown: <int> | default = 1800]

    # DynamoDB target ratio of consumed capacity to provisioned capacity.
    # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale.target-value
    [target: <float> | default = 80]

  # Number of last inactive tables to enable write autoscale.
  # CLI flag: -table-manager.chunk-table.inactive-write-throughput.scale-last-n
  [inactive_write_scale_lastn: <int> | default = 4]

  # Number of last inactive tables to enable read autoscale.
  # CLI flag: -table-manager.chunk-table.inactive-read-throughput.scale-last-n
  [inactive_read_scale_lastn: <int> | default = 4]
```

### storage\_config

The `storage_config` configures where GEM stores the data (chunks storage engine).

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# The storage engine to use: chunks (deprecated) or blocks.
# CLI flag: -store.engine
[engine: <string> | default = "chunks"]

aws:
  dynamodb:
    # DynamoDB endpoint URL with escaped Key and Secret encoded. If only region
    # is specified as a host, proper endpoint will be deduced. Use
    # inmemory:///<table-name> to use a mock in-memory implementation.
    # CLI flag: -dynamodb.url
    [dynamodb_url: <url> | default = ]

    # DynamoDB table management requests per second limit.
    # CLI flag: -dynamodb.api-limit
    [api_limit: <float> | default = 2]

    # DynamoDB rate cap to back off when throttled.
    # CLI flag: -dynamodb.throttle-limit
    [throttle_limit: <float> | default = 10]

    metrics:
      # Use metrics-based autoscaling, via this query URL
      # CLI flag: -metrics.url
      [url: <string> | default = ""]

      # Queue length above which we will scale up capacity
      # CLI flag: -metrics.target-queue-length
      [target_queue_length: <int> | default = 100000]

      # Scale up capacity by this multiple
      # CLI flag: -metrics.scale-up-factor
      [scale_up_factor: <float> | default = 1.3]

      # Ignore throttling below this level (rate per second)
      # CLI flag: -metrics.ignore-throttle-below
      [ignore_throttle_below: <float> | default = 1]

      # query to fetch ingester queue length
      # CLI flag: -metrics.queue-length-query
      [queue_length_query: <string> | default = "sum(avg_over_time(cortex_ingester_flush_queue_length{job=\"cortex/ingester\"}[2m]))"]

      # query to fetch throttle rates per table
      # CLI flag: -metrics.write-throttle-query
      [write_throttle_query: <string> | default = "sum(rate(cortex_dynamo_throttled_total{operation=\"DynamoDB.BatchWriteItem\"}[1m])) by (table) > 0"]

      # query to fetch write capacity usage per table
      # CLI flag: -metrics.usage-query
      [write_usage_query: <string> | default = "sum(rate(cortex_dynamo_consumed_capacity_total{operation=\"DynamoDB.BatchWriteItem\"}[15m])) by (table) > 0"]

      # query to fetch read capacity usage per table
      # CLI flag: -metrics.read-usage-query
      [read_usage_query: <string> | default = "sum(rate(cortex_dynamo_consumed_capacity_total{operation=\"DynamoDB.QueryPages\"}[1h])) by (table) > 0"]

      # query to fetch read errors per table
      # CLI flag: -metrics.read-error-query
      [read_error_query: <string> | default = "sum(increase(cortex_dynamo_failures_total{operation=\"DynamoDB.QueryPages\",error=\"ProvisionedThroughputExceededException\"}[1m])) by (table) > 0"]

    # Number of chunks to group together to parallelize fetches (zero to
    # disable)
    # CLI flag: -dynamodb.chunk-gang-size
    [chunk_gang_size: <int> | default = 10]

    # Max number of chunk-get operations to start in parallel
    # CLI flag: -dynamodb.chunk.get-max-parallelism
    [chunk_get_max_parallelism: <int> | default = 32]

    backoff_config:
      # Minimum backoff time
      # CLI flag: -dynamodb.min-backoff
      [min_period: <duration> | default = 100ms]

      # Maximum backoff time
      # CLI flag: -dynamodb.max-backoff
      [max_period: <duration> | default = 50s]

      # Maximum number of times to retry an operation
      # CLI flag: -dynamodb.max-retries
      [max_retries: <int> | default = 20]

  # S3 endpoint URL with escaped Key and Secret encoded. If only region is
  # specified as a host, proper endpoint will be deduced. Use
  # inmemory:///<bucket-name> to use a mock in-memory implementation.
  # CLI flag: -s3.url
  [s3: <url> | default = ]

  # Set this to `true` to force the request to use path-style addressing.
  # CLI flag: -s3.force-path-style
  [s3forcepathstyle: <boolean> | default = false]

  # Comma separated list of bucket names to evenly distribute chunks over.
  # Overrides any buckets specified in s3.url flag
  # CLI flag: -s3.buckets
  [bucketnames: <string> | default = ""]

  # S3 Endpoint to connect to.
  # CLI flag: -s3.endpoint
  [endpoint: <string> | default = ""]

  # AWS region to use.
  # CLI flag: -s3.region
  [region: <string> | default = ""]

  # AWS Access Key ID
  # CLI flag: -s3.access-key-id
  [access_key_id: <string> | default = ""]

  # AWS Secret Access Key
  # CLI flag: -s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # Disable https on s3 connection.
  # CLI flag: -s3.insecure
  [insecure: <boolean> | default = false]

  # Enable AWS Server Side Encryption [Deprecated: Use .sse instead. if
  # s3.sse-encryption is enabled, it assumes .sse.type SSE-S3]
  # CLI flag: -s3.sse-encryption
  [sse_encryption: <boolean> | default = false]

  http_config:
    # The maximum amount of time an idle connection will be held open.
    # CLI flag: -s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # If non-zero, specifies the amount of time to wait for a server's response
    # headers after fully writing the request.
    # CLI flag: -s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 0s]

    # Set to false to skip verifying the certificate chain and hostname.
    # CLI flag: -s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

  # The signature version to use for authenticating against S3. Supported values
  # are: v4, v2.
  # CLI flag: -s3.signature-version
  [signature_version: <string> | default = "v4"]

  # The s3_sse_config configures the S3 server-side encryption.
  [sse: <s3_sse_config>]

azure:
  # Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud,
  # AzureGermanCloud, AzureUSGovernment.
  # CLI flag: -azure.environment
  [environment: <string> | default = "AzureGlobal"]

  # Name of the blob container used to store chunks. This container must be
  # created prior to execution.
  # CLI flag: -azure.container-name
  [container_name: <string> | default = "cortex"]

  # The Microsoft Azure account name to be used
  # CLI flag: -azure.account-name
  [account_name: <string> | default = ""]

  # The Microsoft Azure account key to use.
  # CLI flag: -azure.account-key
  [account_key: <string> | default = ""]

  # Preallocated buffer size for downloads.
  # CLI flag: -azure.download-buffer-size
  [download_buffer_size: <int> | default = 512000]

  # Preallocated buffer size for uploads.
  # CLI flag: -azure.upload-buffer-size
  [upload_buffer_size: <int> | default = 256000]

  # Number of buffers used to used to upload a chunk.
  # CLI flag: -azure.download-buffer-count
  [upload_buffer_count: <int> | default = 1]

  # Timeout for requests made against azure blob storage.
  # CLI flag: -azure.request-timeout
  [request_timeout: <duration> | default = 30s]

  # Number of retries for a request which times out.
  # CLI flag: -azure.max-retries
  [max_retries: <int> | default = 5]

  # Minimum time to wait before retrying a request.
  # CLI flag: -azure.min-retry-delay
  [min_retry_delay: <duration> | default = 10ms]

  # Maximum time to wait before retrying a request.
  # CLI flag: -azure.max-retry-delay
  [max_retry_delay: <duration> | default = 500ms]

bigtable:
  # Bigtable project ID.
  # CLI flag: -bigtable.project
  [project: <string> | default = ""]

  # Bigtable instance ID. Please refer to
  # https://cloud.google.com/docs/authentication/production for more information
  # about how to configure authentication.
  # CLI flag: -bigtable.instance
  [instance: <string> | default = ""]

  grpc_client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -bigtable.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -bigtable.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -bigtable.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -bigtable.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -bigtable.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -bigtable.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -bigtable.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -bigtable.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -bigtable.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -bigtable.tls-enabled
    [tls_enabled: <boolean> | default = true]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -bigtable.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -bigtable.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -bigtable.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -bigtable.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -bigtable.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

  # If enabled, once a tables info is fetched, it is cached.
  # CLI flag: -bigtable.table-cache.enabled
  [table_cache_enabled: <boolean> | default = true]

  # Duration to cache tables before checking again.
  # CLI flag: -bigtable.table-cache.expiration
  [table_cache_expiration: <duration> | default = 30m]

gcs:
  # Name of GCS bucket. Please refer to
  # https://cloud.google.com/docs/authentication/production for more information
  # about how to configure authentication.
  # CLI flag: -gcs.bucketname
  [bucket_name: <string> | default = ""]

  # The size of the buffer that GCS client for each PUT request. 0 to disable
  # buffering.
  # CLI flag: -gcs.chunk-buffer-size
  [chunk_buffer_size: <int> | default = 0]

  # The duration after which the requests to GCS should be timed out.
  # CLI flag: -gcs.request-timeout
  [request_timeout: <duration> | default = 0s]

  # Enabled OpenCensus (OC) instrumentation for all requests.
  # CLI flag: -gcs.enable-opencensus
  [enable_opencensus: <boolean> | default = true]

cassandra:
  # Comma-separated hostnames or IPs of Cassandra instances.
  # CLI flag: -cassandra.addresses
  [addresses: <string> | default = ""]

  # Port that Cassandra is running on
  # CLI flag: -cassandra.port
  [port: <int> | default = 9042]

  # Keyspace to use in Cassandra.
  # CLI flag: -cassandra.keyspace
  [keyspace: <string> | default = ""]

  # Consistency level for Cassandra.
  # CLI flag: -cassandra.consistency
  [consistency: <string> | default = "QUORUM"]

  # Replication factor to use in Cassandra.
  # CLI flag: -cassandra.replication-factor
  [replication_factor: <int> | default = 3]

  # Instruct the cassandra driver to not attempt to get host info from the
  # system.peers table.
  # CLI flag: -cassandra.disable-initial-host-lookup
  [disable_initial_host_lookup: <boolean> | default = false]

  # Use SSL when connecting to cassandra instances.
  # CLI flag: -cassandra.ssl
  [SSL: <boolean> | default = false]

  # Require SSL certificate validation.
  # CLI flag: -cassandra.host-verification
  [host_verification: <boolean> | default = true]

  # Policy for selecting Cassandra host. Supported values are: round-robin,
  # token-aware.
  # CLI flag: -cassandra.host-selection-policy
  [host_selection_policy: <string> | default = "round-robin"]

  # Path to certificate file to verify the peer.
  # CLI flag: -cassandra.ca-path
  [CA_path: <string> | default = ""]

  # Path to certificate file used by TLS.
  # CLI flag: -cassandra.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to private key file used by TLS.
  # CLI flag: -cassandra.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Enable password authentication when connecting to cassandra.
  # CLI flag: -cassandra.auth
  [auth: <boolean> | default = false]

  # Username to use when connecting to cassandra.
  # CLI flag: -cassandra.username
  [username: <string> | default = ""]

  # Password to use when connecting to cassandra.
  # CLI flag: -cassandra.password
  [password: <string> | default = ""]

  # File containing password to use when connecting to cassandra.
  # CLI flag: -cassandra.password-file
  [password_file: <string> | default = ""]

  # If set, when authenticating with cassandra a custom authenticator will be
  # expected during the handshake. This flag can be set multiple times.
  # CLI flag: -cassandra.custom-authenticator
  [custom_authenticators: <list of string> | default = []]

  # Timeout when connecting to cassandra.
  # CLI flag: -cassandra.timeout
  [timeout: <duration> | default = 2s]

  # Initial connection timeout, used during initial dial to server.
  # CLI flag: -cassandra.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # Interval to retry connecting to cassandra nodes marked as DOWN.
  # CLI flag: -cassandra.reconnent-interval
  [reconnect_interval: <duration> | default = 1s]

  # Number of retries to perform on a request. Set to 0 to disable retries.
  # CLI flag: -cassandra.max-retries
  [max_retries: <int> | default = 0]

  # Maximum time to wait before retrying a failed request.
  # CLI flag: -cassandra.retry-max-backoff
  [retry_max_backoff: <duration> | default = 10s]

  # Minimum time to wait before retrying a failed request.
  # CLI flag: -cassandra.retry-min-backoff
  [retry_min_backoff: <duration> | default = 100ms]

  # Limit number of concurrent queries to Cassandra. Set to 0 to disable the
  # limit.
  # CLI flag: -cassandra.query-concurrency
  [query_concurrency: <int> | default = 0]

  # Number of TCP connections per host.
  # CLI flag: -cassandra.num-connections
  [num_connections: <int> | default = 2]

  # Convict hosts of being down on failure.
  # CLI flag: -cassandra.convict-hosts-on-failure
  [convict_hosts_on_failure: <boolean> | default = true]

  # Table options used to create index or chunk tables. This value is used as
  # plain text in the table `WITH` like this, "CREATE TABLE
  # <generated_by_cortex> (...) WITH <cassandra.table-options>". For details,
  # see https://cortexmetrics.io/docs/production/cassandra. By default it will
  # use the default table options of your Cassandra cluster.
  # CLI flag: -cassandra.table-options
  [table_options: <string> | default = ""]

boltdb:
  # Location of BoltDB index files.
  # CLI flag: -boltdb.dir
  [directory: <string> | default = ""]

filesystem:
  # Directory to store chunks in.
  # CLI flag: -local.chunk-directory
  [directory: <string> | default = ""]

swift:
  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs the from user domain.
  # CLI flag: -swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -swift.container-name
  [container_name: <string> | default = ""]

  # Max retries on requests error.
  # CLI flag: -swift.max-retries
  [max_retries: <int> | default = 3]

  # Time after which a connection attempt is aborted.
  # CLI flag: -swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # Time after which an idle request is aborted. The timeout watchdog is reset
  # each time some data is received, so the timeout triggers after X time no
  # data is received on a request.
  # CLI flag: -swift.request-timeout
  [request_timeout: <duration> | default = 5s]

# Cache validity for active index entries. Should be no higher than
# -ingester.max-chunk-idle.
# CLI flag: -store.index-cache-validity
[index_cache_validity: <duration> | default = 5m]

index_queries_cache_config:
  # Cache config for index entry reading. Enable in-memory cache.
  # CLI flag: -store.index-cache-read.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for index entry reading. The default validity of entries for
  # caches unless overridden.
  # CLI flag: -store.index-cache-read.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for index entry reading. At what concurrency to write back to
    # cache.
    # CLI flag: -store.index-cache-read.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for index entry reading. How many key batches to buffer for
    # background write-back.
    # CLI flag: -store.index-cache-read.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for index entry reading. How long keys stay in the memcache.
    # CLI flag: -store.index-cache-read.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry reading. How many keys to fetch in each
    # batch.
    # CLI flag: -store.index-cache-read.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for index entry reading. Maximum active requests to memcache.
    # CLI flag: -store.index-cache-read.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for index entry reading. Hostname for memcached service to
    # use. If empty and if addresses is unset, no memcached will be used.
    # CLI flag: -store.index-cache-read.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for index entry reading. SRV service used to discover
    # memcache servers.
    # CLI flag: -store.index-cache-read.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for index entry reading. EXPERIMENTAL: Comma separated
    # addresses list in DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.index-cache-read.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for index entry reading. Maximum time to wait before giving
    # up on memcached requests.
    # CLI flag: -store.index-cache-read.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for index entry reading. Maximum number of idle connections
    # in pool.
    # CLI flag: -store.index-cache-read.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for index entry reading. The maximum size of an item stored
    # in memcached. Bigger items are not stored. If set to 0, no maximum size is
    # enforced.
    # CLI flag: -store.index-cache-read.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for index entry reading. Period with which to poll DNS for
    # memcache servers.
    # CLI flag: -store.index-cache-read.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for index entry reading. Use consistent hashing to distribute
    # to memcache servers.
    # CLI flag: -store.index-cache-read.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for index entry reading. Trip circuit-breaker after this
    # number of consecutive dial failures (if zero then circuit-breaker is
    # disabled).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for index entry reading. Duration circuit-breaker remains
    # open after tripping (if zero then 60 seconds is used).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for index entry reading. Reset circuit-breaker counts after
    # this long (if zero then never reset).
    # CLI flag: -store.index-cache-read.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for index entry reading. Redis Server endpoint to use for
    # caching. A comma-separated list of endpoints for Redis Cluster or Redis
    # Sentinel. If empty, no redis will be used.
    # CLI flag: -store.index-cache-read.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for index entry reading. Redis Sentinel master name. An empty
    # string for Redis Server or Redis Cluster.
    # CLI flag: -store.index-cache-read.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for index entry reading. Maximum time to wait before giving
    # up on redis requests.
    # CLI flag: -store.index-cache-read.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for index entry reading. How long keys stay in the redis.
    # CLI flag: -store.index-cache-read.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry reading. Database index.
    # CLI flag: -store.index-cache-read.redis.db
    [db: <int> | default = 0]

    # Cache config for index entry reading. Maximum number of connections in the
    # pool.
    # CLI flag: -store.index-cache-read.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for index entry reading. Password to use when connecting to
    # redis.
    # CLI flag: -store.index-cache-read.redis.password
    [password: <string> | default = ""]

    # Cache config for index entry reading. Enable connecting to redis with TLS.
    # CLI flag: -store.index-cache-read.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for index entry reading. Skip validating server certificate.
    # CLI flag: -store.index-cache-read.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for index entry reading. Close connections after remaining
    # idle for this duration. If the value is zero, then idle connections are
    # not closed.
    # CLI flag: -store.index-cache-read.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for index entry reading. Close connections older than this
    # duration. If the value is zero, then the pool does not close connections
    # based on age.
    # CLI flag: -store.index-cache-read.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for index entry reading. Maximum memory size of the cache in
    # bytes. A unit suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.index-cache-read.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for index entry reading. Maximum number of entries in the
    # cache.
    # CLI flag: -store.index-cache-read.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for index entry reading. The expiry duration for the cache.
    # CLI flag: -store.index-cache-read.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for index entry reading. The number of entries to cache.
    # CLI flag: -store.index-cache-read.fifocache.size
    [size: <int> | default = 0]

delete_store:
  # Store for keeping delete request
  # CLI flag: -deletes.store
  [store: <string> | default = ""]

  # Name of the table which stores delete requests
  # CLI flag: -deletes.requests-table-name
  [requests_table_name: <string> | default = "delete_requests"]

  table_provisioning:
    # Enables on demand throughput provisioning for the storage provider (if
    # supported). Applies only to tables which are not autoscaled. Supported by
    # DynamoDB
    # CLI flag: -deletes.table.enable-ondemand-throughput-mode
    [enable_ondemand_throughput_mode: <boolean> | default = false]

    # Table default write throughput. Supported by DynamoDB
    # CLI flag: -deletes.table.write-throughput
    [provisioned_write_throughput: <int> | default = 1]

    # Table default read throughput. Supported by DynamoDB
    # CLI flag: -deletes.table.read-throughput
    [provisioned_read_throughput: <int> | default = 300]

    write_scale:
      # Should we enable autoscale for the table.
      # CLI flag: -deletes.table.write-throughput.scale.enabled
      [enabled: <boolean> | default = false]

      # AWS AutoScaling role ARN
      # CLI flag: -deletes.table.write-throughput.scale.role-arn
      [role_arn: <string> | default = ""]

      # DynamoDB minimum provision capacity.
      # CLI flag: -deletes.table.write-throughput.scale.min-capacity
      [min_capacity: <int> | default = 3000]

      # DynamoDB maximum provision capacity.
      # CLI flag: -deletes.table.write-throughput.scale.max-capacity
      [max_capacity: <int> | default = 6000]

      # DynamoDB minimum seconds between each autoscale up.
      # CLI flag: -deletes.table.write-throughput.scale.out-cooldown
      [out_cooldown: <int> | default = 1800]

      # DynamoDB minimum seconds between each autoscale down.
      # CLI flag: -deletes.table.write-throughput.scale.in-cooldown
      [in_cooldown: <int> | default = 1800]

      # DynamoDB target ratio of consumed capacity to provisioned capacity.
      # CLI flag: -deletes.table.write-throughput.scale.target-value
      [target: <float> | default = 80]

    read_scale:
      # Should we enable autoscale for the table.
      # CLI flag: -deletes.table.read-throughput.scale.enabled
      [enabled: <boolean> | default = false]

      # AWS AutoScaling role ARN
      # CLI flag: -deletes.table.read-throughput.scale.role-arn
      [role_arn: <string> | default = ""]

      # DynamoDB minimum provision capacity.
      # CLI flag: -deletes.table.read-throughput.scale.min-capacity
      [min_capacity: <int> | default = 3000]

      # DynamoDB maximum provision capacity.
      # CLI flag: -deletes.table.read-throughput.scale.max-capacity
      [max_capacity: <int> | default = 6000]

      # DynamoDB minimum seconds between each autoscale up.
      # CLI flag: -deletes.table.read-throughput.scale.out-cooldown
      [out_cooldown: <int> | default = 1800]

      # DynamoDB minimum seconds between each autoscale down.
      # CLI flag: -deletes.table.read-throughput.scale.in-cooldown
      [in_cooldown: <int> | default = 1800]

      # DynamoDB target ratio of consumed capacity to provisioned capacity.
      # CLI flag: -deletes.table.read-throughput.scale.target-value
      [target: <float> | default = 80]

    # Tag (of the form key=value) to be added to the tables. Supported by
    # DynamoDB
    # CLI flag: -deletes.table.tags
    [tags: <map of string to string> | default = ]

grpc_store:
  # Hostname or IP of the gRPC store instance.
  # CLI flag: -grpc-store.server-address
  [server_address: <string> | default = ""]
```

### flusher\_config

The `flusher_config` configures the WAL flusher target, used to manually run one-time flushes when scaling down ingesters.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
# Directory to read WAL from (chunks storage engine only).
# CLI flag: -flusher.wal-dir
[wal_dir: <string> | default = "wal"]

# Number of concurrent goroutines flushing to storage (chunks storage engine
# only).
# CLI flag: -flusher.concurrent-flushes
[concurrent_flushes: <int> | default = 50]

# Timeout for individual flush operations (chunks storage engine only).
# CLI flag: -flusher.flush-op-timeout
[flush_op_timeout: <duration> | default = 2m]

# Stop after flush has finished. If false, process will keep running, doing
# nothing.
# CLI flag: -flusher.exit-after-flush
[exit_after_flush: <boolean> | default = true]
```

### chunk\_store\_config

The `chunk_store_config` configures how GEM stores the data (chunks storage engine).

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
chunk_cache_config:
  # Cache config for chunks. Enable in-memory cache.
  # CLI flag: -store.chunks-cache.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for chunks. The default validity of entries for caches unless
  # overridden.
  # CLI flag: -store.chunks-cache.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for chunks. At what concurrency to write back to cache.
    # CLI flag: -store.chunks-cache.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for chunks. How many key batches to buffer for background
    # write-back.
    # CLI flag: -store.chunks-cache.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for chunks. How long keys stay in the memcache.
    # CLI flag: -store.chunks-cache.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for chunks. How many keys to fetch in each batch.
    # CLI flag: -store.chunks-cache.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for chunks. Maximum active requests to memcache.
    # CLI flag: -store.chunks-cache.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for chunks. Hostname for memcached service to use. If empty
    # and if addresses is unset, no memcached will be used.
    # CLI flag: -store.chunks-cache.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for chunks. SRV service used to discover memcache servers.
    # CLI flag: -store.chunks-cache.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for chunks. EXPERIMENTAL: Comma separated addresses list in
    # DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.chunks-cache.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for chunks. Maximum time to wait before giving up on
    # memcached requests.
    # CLI flag: -store.chunks-cache.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for chunks. Maximum number of idle connections in pool.
    # CLI flag: -store.chunks-cache.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for chunks. The maximum size of an item stored in memcached.
    # Bigger items are not stored. If set to 0, no maximum size is enforced.
    # CLI flag: -store.chunks-cache.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for chunks. Period with which to poll DNS for memcache
    # servers.
    # CLI flag: -store.chunks-cache.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for chunks. Use consistent hashing to distribute to memcache
    # servers.
    # CLI flag: -store.chunks-cache.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for chunks. Trip circuit-breaker after this number of
    # consecutive dial failures (if zero then circuit-breaker is disabled).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for chunks. Duration circuit-breaker remains open after
    # tripping (if zero then 60 seconds is used).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for chunks. Reset circuit-breaker counts after this long (if
    # zero then never reset).
    # CLI flag: -store.chunks-cache.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for chunks. Redis Server endpoint to use for caching. A
    # comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If
    # empty, no redis will be used.
    # CLI flag: -store.chunks-cache.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for chunks. Redis Sentinel master name. An empty string for
    # Redis Server or Redis Cluster.
    # CLI flag: -store.chunks-cache.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for chunks. Maximum time to wait before giving up on redis
    # requests.
    # CLI flag: -store.chunks-cache.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for chunks. How long keys stay in the redis.
    # CLI flag: -store.chunks-cache.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for chunks. Database index.
    # CLI flag: -store.chunks-cache.redis.db
    [db: <int> | default = 0]

    # Cache config for chunks. Maximum number of connections in the pool.
    # CLI flag: -store.chunks-cache.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for chunks. Password to use when connecting to redis.
    # CLI flag: -store.chunks-cache.redis.password
    [password: <string> | default = ""]

    # Cache config for chunks. Enable connecting to redis with TLS.
    # CLI flag: -store.chunks-cache.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for chunks. Skip validating server certificate.
    # CLI flag: -store.chunks-cache.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for chunks. Close connections after remaining idle for this
    # duration. If the value is zero, then idle connections are not closed.
    # CLI flag: -store.chunks-cache.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for chunks. Close connections older than this duration. If
    # the value is zero, then the pool does not close connections based on age.
    # CLI flag: -store.chunks-cache.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for chunks. Maximum memory size of the cache in bytes. A unit
    # suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.chunks-cache.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for chunks. Maximum number of entries in the cache.
    # CLI flag: -store.chunks-cache.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for chunks. The expiry duration for the cache.
    # CLI flag: -store.chunks-cache.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for chunks. The number of entries to cache.
    # CLI flag: -store.chunks-cache.fifocache.size
    [size: <int> | default = 0]

write_dedupe_cache_config:
  # Cache config for index entry writing. Enable in-memory cache.
  # CLI flag: -store.index-cache-write.cache.enable-fifocache
  [enable_fifocache: <boolean> | default = false]

  # Cache config for index entry writing. The default validity of entries for
  # caches unless overridden.
  # CLI flag: -store.index-cache-write.default-validity
  [default_validity: <duration> | default = 0s]

  background:
    # Cache config for index entry writing. At what concurrency to write back to
    # cache.
    # CLI flag: -store.index-cache-write.background.write-back-concurrency
    [writeback_goroutines: <int> | default = 10]

    # Cache config for index entry writing. How many key batches to buffer for
    # background write-back.
    # CLI flag: -store.index-cache-write.background.write-back-buffer
    [writeback_buffer: <int> | default = 10000]

  memcached:
    # Cache config for index entry writing. How long keys stay in the memcache.
    # CLI flag: -store.index-cache-write.memcached.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry writing. How many keys to fetch in each
    # batch.
    # CLI flag: -store.index-cache-write.memcached.batchsize
    [batch_size: <int> | default = 1024]

    # Cache config for index entry writing. Maximum active requests to memcache.
    # CLI flag: -store.index-cache-write.memcached.parallelism
    [parallelism: <int> | default = 100]

  memcached_client:
    # Cache config for index entry writing. Hostname for memcached service to
    # use. If empty and if addresses is unset, no memcached will be used.
    # CLI flag: -store.index-cache-write.memcached.hostname
    [host: <string> | default = ""]

    # Cache config for index entry writing. SRV service used to discover
    # memcache servers.
    # CLI flag: -store.index-cache-write.memcached.service
    [service: <string> | default = "memcached"]

    # Cache config for index entry writing. EXPERIMENTAL: Comma separated
    # addresses list in DNS Service Discovery format:
    # https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
    # CLI flag: -store.index-cache-write.memcached.addresses
    [addresses: <string> | default = ""]

    # Cache config for index entry writing. Maximum time to wait before giving
    # up on memcached requests.
    # CLI flag: -store.index-cache-write.memcached.timeout
    [timeout: <duration> | default = 100ms]

    # Cache config for index entry writing. Maximum number of idle connections
    # in pool.
    # CLI flag: -store.index-cache-write.memcached.max-idle-conns
    [max_idle_conns: <int> | default = 16]

    # Cache config for index entry writing. The maximum size of an item stored
    # in memcached. Bigger items are not stored. If set to 0, no maximum size is
    # enforced.
    # CLI flag: -store.index-cache-write.memcached.max-item-size
    [max_item_size: <int> | default = 0]

    # Cache config for index entry writing. Period with which to poll DNS for
    # memcache servers.
    # CLI flag: -store.index-cache-write.memcached.update-interval
    [update_interval: <duration> | default = 1m]

    # Cache config for index entry writing. Use consistent hashing to distribute
    # to memcache servers.
    # CLI flag: -store.index-cache-write.memcached.consistent-hash
    [consistent_hash: <boolean> | default = true]

    # Cache config for index entry writing. Trip circuit-breaker after this
    # number of consecutive dial failures (if zero then circuit-breaker is
    # disabled).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-consecutive-failures
    [circuit_breaker_consecutive_failures: <int> | default = 10]

    # Cache config for index entry writing. Duration circuit-breaker remains
    # open after tripping (if zero then 60 seconds is used).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-timeout
    [circuit_breaker_timeout: <duration> | default = 10s]

    # Cache config for index entry writing. Reset circuit-breaker counts after
    # this long (if zero then never reset).
    # CLI flag: -store.index-cache-write.memcached.circuit-breaker-interval
    [circuit_breaker_interval: <duration> | default = 10s]

  redis:
    # Cache config for index entry writing. Redis Server endpoint to use for
    # caching. A comma-separated list of endpoints for Redis Cluster or Redis
    # Sentinel. If empty, no redis will be used.
    # CLI flag: -store.index-cache-write.redis.endpoint
    [endpoint: <string> | default = ""]

    # Cache config for index entry writing. Redis Sentinel master name. An empty
    # string for Redis Server or Redis Cluster.
    # CLI flag: -store.index-cache-write.redis.master-name
    [master_name: <string> | default = ""]

    # Cache config for index entry writing. Maximum time to wait before giving
    # up on redis requests.
    # CLI flag: -store.index-cache-write.redis.timeout
    [timeout: <duration> | default = 500ms]

    # Cache config for index entry writing. How long keys stay in the redis.
    # CLI flag: -store.index-cache-write.redis.expiration
    [expiration: <duration> | default = 0s]

    # Cache config for index entry writing. Database index.
    # CLI flag: -store.index-cache-write.redis.db
    [db: <int> | default = 0]

    # Cache config for index entry writing. Maximum number of connections in the
    # pool.
    # CLI flag: -store.index-cache-write.redis.pool-size
    [pool_size: <int> | default = 0]

    # Cache config for index entry writing. Password to use when connecting to
    # redis.
    # CLI flag: -store.index-cache-write.redis.password
    [password: <string> | default = ""]

    # Cache config for index entry writing. Enable connecting to redis with TLS.
    # CLI flag: -store.index-cache-write.redis.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Cache config for index entry writing. Skip validating server certificate.
    # CLI flag: -store.index-cache-write.redis.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Cache config for index entry writing. Close connections after remaining
    # idle for this duration. If the value is zero, then idle connections are
    # not closed.
    # CLI flag: -store.index-cache-write.redis.idle-timeout
    [idle_timeout: <duration> | default = 0s]

    # Cache config for index entry writing. Close connections older than this
    # duration. If the value is zero, then the pool does not close connections
    # based on age.
    # CLI flag: -store.index-cache-write.redis.max-connection-age
    [max_connection_age: <duration> | default = 0s]

  fifocache:
    # Cache config for index entry writing. Maximum memory size of the cache in
    # bytes. A unit suffix (KB, MB, GB) may be applied.
    # CLI flag: -store.index-cache-write.fifocache.max-size-bytes
    [max_size_bytes: <string> | default = ""]

    # Cache config for index entry writing. Maximum number of entries in the
    # cache.
    # CLI flag: -store.index-cache-write.fifocache.max-size-items
    [max_size_items: <int> | default = 0]

    # Cache config for index entry writing. The expiry duration for the cache.
    # CLI flag: -store.index-cache-write.fifocache.duration
    [validity: <duration> | default = 0s]

    # Deprecated (use max-size-items or max-size-bytes instead): Cache config
    # for index entry writing. The number of entries to cache.
    # CLI flag: -store.index-cache-write.fifocache.size
    [size: <int> | default = 0]

# Cache index entries older than this period. 0 to disable.
# CLI flag: -store.cache-lookups-older-than
[cache_lookups_older_than: <duration> | default = 0s]
```