Menu
Configuration reference
Grafana Enterprise Traces can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.
The current configuration of any GET component can be seen by visiting the /config HTTP path.
Passwords are filtered out of this endpoint.
To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional.
Generic placeholders
<boolean>: a boolean that can take the valuestrueorfalse<int>: any integer matching the regular expression[1-9]+[0-9]*<duration>: a duration matching the regular expression[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)where y = 365 days<string>: a regular string<url>: a URL<prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)<time>: a timestamp, with available formats:2006-01-20(midnight, local timezone),2006-01-20T15:04(local timezone), and RFC 3339 formats:2006-01-20T15:04:05Z(UTC) or2006-01-20T15:04:05+07:00(explicit timezone)
Environment variables in the configuration
You can use environment variable references in the config file to set values that need to be configurable during deployment by using the -config.expand-env flag.
To do this, use:
${VAR}
Where VAR is the name of the environment variable.
Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
To specify a default value, use:
${VAR:default_value}
Where default_value is the value to use if the environment variable is undefined.
Supported contents and default values
# target module
# CLI flag: -target
[target: <string> | default = "all"]
# Set to true to enable auth (deprecated: use multitenancy.enabled)
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = false]
# Set to true to enable multitenancy.
# CLI flag: -multitenancy.enabled
[multitenancy_enabled: <boolean> | default = false]
# Set to true to enable search (unstable).
# CLI flag: -search.enabled
[search_enabled: <boolean> | default = false]
# String prefix for all http api endpoints.
# CLI flag: -http-api-prefix
[http_api_prefix: <string> | default = ""]
# Set to true to replace the OpenTracing tracer with the OpenTelemetry tracer
# CLI flag: -use-otel-tracer
[use_otel_tracer: <boolean> | default = false]
# The server_config block configures the HTTP and gRPC server of the launched
# services.
[server: <server_config>]
# The distributor_config block configures the distributor service.
[distributor: <distributor_config>]
# The ingester_client_config block configures how the distributor services
# connect to the ingester services.
[ingester_client: <ingester_client_config>]
# The querier_config block configures the querier service.
[querier: <querier_config>]
# The query_frontend_config block configures the query frontend service.
[query_frontend: <query_frontend_config>]
# The compactor_config block configures the compactor service.
[compactor: <compactor_config>]
# The ingester_config block configures the ingester service.
[ingester: <ingester_config>]
# The storage_config block configures how and where to store data.
[storage: <storage_config>]
# The overrides_config block configures the overrides module to set global or
# per-tenant override settings.
[overrides: <overrides_config>]
# The memberlist_config block configures how the gossip ring connects between
# distributors, ingesters and queriers.
[memberlist: <memberlist_config>]
# The admin_api_config block configures the Admin API service.
[admin_api: <admin_api_config>]
# The admin_client_config block configures how the Admin API service connects to
# the storage backend.
[admin_client: <admin_client_config>]
# The auth_config block configures the authentication type to use.
[auth: <auth_config>]
# Unique ID of this GET cluster. If undefined the name in the license is used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]
# The tokengen_config block configures the tokengen service.
[tokengen: <tokengen_config>]
# The federation_config block configures the cross-cluster query federation
# service.
[federation: <federation_config>]
# The gateway_config block configures the gateway service.
[gateway: <gateway_config>]
# The license_config block configures the license validation module.
[license: <license_config>]
server_config
The server_config block configures the HTTP and gRPC server of the launched services.
# http_listen_network is not exposed as CLI flag.
[http_listen_network: <string> | default = "tcp"]
# http_listen_address is not exposed as CLI flag.
[http_listen_address: <string> | default = ""]
# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]
# http_listen_conn_limit is not exposed as CLI flag.
[http_listen_conn_limit: <int> | default = 0]
# grpc_listen_network is not exposed as CLI flag.
[grpc_listen_network: <string> | default = "tcp"]
# grpc_listen_address is not exposed as CLI flag.
[grpc_listen_address: <string> | default = ""]
# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]
# grpc_listen_conn_limit is not exposed as CLI flag.
[grpc_listen_conn_limit: <int> | default = 0]
http_tls_config:
# cert_file is not exposed as CLI flag.
[cert_file: <string> | default = ""]
# key_file is not exposed as CLI flag.
[key_file: <string> | default = ""]
# client_auth_type is not exposed as CLI flag.
[client_auth_type: <string> | default = ""]
# client_ca_file is not exposed as CLI flag.
[client_ca_file: <string> | default = ""]
grpc_tls_config:
# cert_file is not exposed as CLI flag.
[cert_file: <string> | default = ""]
# key_file is not exposed as CLI flag.
[key_file: <string> | default = ""]
# client_auth_type is not exposed as CLI flag.
[client_auth_type: <string> | default = ""]
# client_ca_file is not exposed as CLI flag.
[client_ca_file: <string> | default = ""]
# register_instrumentation is not exposed as CLI flag.
[register_instrumentation: <boolean> | default = true]
# graceful_shutdown_timeout is not exposed as CLI flag.
[graceful_shutdown_timeout: <duration> | default = 30s]
# http_server_read_timeout is not exposed as CLI flag.
[http_server_read_timeout: <duration> | default = 30s]
# http_server_write_timeout is not exposed as CLI flag.
[http_server_write_timeout: <duration> | default = 30s]
# http_server_idle_timeout is not exposed as CLI flag.
[http_server_idle_timeout: <duration> | default = 2m]
# grpc_server_max_recv_msg_size is not exposed as CLI flag.
[grpc_server_max_recv_msg_size: <int> | default = 4194304]
# grpc_server_max_send_msg_size is not exposed as CLI flag.
[grpc_server_max_send_msg_size: <int> | default = 4194304]
# grpc_server_max_concurrent_streams is not exposed as CLI flag.
[grpc_server_max_concurrent_streams: <int> | default = 100]
# grpc_server_max_connection_idle is not exposed as CLI flag.
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_max_connection_age is not exposed as CLI flag.
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_max_connection_age_grace is not exposed as CLI flag.
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_keepalive_time is not exposed as CLI flag.
[grpc_server_keepalive_time: <duration> | default = 2h]
# grpc_server_keepalive_timeout is not exposed as CLI flag.
[grpc_server_keepalive_timeout: <duration> | default = 20s]
# grpc_server_min_time_between_pings is not exposed as CLI flag.
[grpc_server_min_time_between_pings: <duration> | default = 10s]
# grpc_server_ping_without_stream_allowed is not exposed as CLI flag.
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]
# log_format is not exposed as CLI flag.
[log_format: <string> | default = "logfmt"]
# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]
# log_source_ips_enabled is not exposed as CLI flag.
[log_source_ips_enabled: <boolean> | default = false]
# log_source_ips_header is not exposed as CLI flag.
[log_source_ips_header: <string> | default = ""]
# log_source_ips_regex is not exposed as CLI flag.
[log_source_ips_regex: <string> | default = ""]
# http_path_prefix is not exposed as CLI flag.
[http_path_prefix: <string> | default = ""]
distributor_config
The distributor_config block configures the distributor service.
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = "memberlist"]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 5m]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = [eth0 en0]]
# receivers is not exposed as CLI flag.
[receivers: <map of string to interface {}> | default = map[]]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "distributor"]
# Enable to log every received trace id to help debug ingestion.
# CLI flag: -distributor.log-received-traces
[log_received_traces: <boolean> | default = false]
# extend_writes is not exposed as CLI flag.
[extend_writes: <boolean> | default = true]
# search_tags_deny_list is not exposed as CLI flag.
[search_tags_deny_list: <list of string> | default = []]
query_frontend_config
The query_frontend_config block configures the query frontend service.
# log_queries_longer_than is not exposed as CLI flag.
[log_queries_longer_than: <duration> | default = 0s]
# max_body_size is not exposed as CLI flag.
[max_body_size: <int> | default = 0]
# query_stats_enabled is not exposed as CLI flag.
[query_stats_enabled: <boolean> | default = false]
# max_outstanding_per_tenant is not exposed as CLI flag.
[max_outstanding_per_tenant: <int> | default = 100]
# querier_forget_delay is not exposed as CLI flag.
[querier_forget_delay: <duration> | default = 0s]
# scheduler_address is not exposed as CLI flag.
[scheduler_address: <string> | default = ""]
# scheduler_dns_lookup_period is not exposed as CLI flag.
[scheduler_dns_lookup_period: <duration> | default = 0s]
# scheduler_worker_concurrency is not exposed as CLI flag.
[scheduler_worker_concurrency: <int> | default = 0]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 0]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 0]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = ""]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 0s]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 0s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 0]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = []]
# downstream_url is not exposed as CLI flag.
[downstream_url: <string> | default = ""]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 2]
# query_shards is not exposed as CLI flag.
[query_shards: <int> | default = 20]
# tolerate_failed_blocks is not exposed as CLI flag.
[tolerate_failed_blocks: <int> | default = 0]
querier_config
The querier_config block configures the querier service.
# query_timeout is not exposed as CLI flag.
[query_timeout: <duration> | default = 10s]
# search_query_timeout is not exposed as CLI flag.
[search_query_timeout: <duration> | default = 30s]
# search_default_result_limit is not exposed as CLI flag.
[search_default_result_limit: <int> | default = 20]
# search_max_result_limit is not exposed as CLI flag.
[search_max_result_limit: <int> | default = 0]
# extra_query_delay is not exposed as CLI flag.
[extra_query_delay: <duration> | default = 0s]
# max_concurrent_queries is not exposed as CLI flag.
[max_concurrent_queries: <int> | default = 5]
frontend_worker:
# Address of query frontend service, in host:port format.
# CLI flag: -querier.frontend-address
[frontend_address: <string> | default = ""]
# scheduler_address is not exposed as CLI flag.
[scheduler_address: <string> | default = ""]
# dns_lookup_duration is not exposed as CLI flag.
[dns_lookup_duration: <duration> | default = 10s]
# parallelism is not exposed as CLI flag.
[parallelism: <int> | default = 2]
# match_max_concurrent is not exposed as CLI flag.
[match_max_concurrent: <boolean> | default = true]
# id is not exposed as CLI flag.
[id: <string> | default = ""]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 104857600]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 16777216]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = "gzip"]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 100ms]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 1s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 5]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
ingester_client_config
The ingester_client_config block configures how the distributor services connect to the ingester services.
pool_config:
# checkinterval is not exposed as CLI flag.
[checkinterval: <duration> | default = 15s]
# healthcheckenabled is not exposed as CLI flag.
[healthcheckenabled: <boolean> | default = true]
# healthchecktimeout is not exposed as CLI flag.
[healthchecktimeout: <duration> | default = 1s]
# remote_timeout is not exposed as CLI flag.
[remote_timeout: <duration> | default = 5s]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 104857600]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 16777216]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = "snappy"]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 100ms]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
ingester_config
The ingester_config block configures the ingester service.
lifecycler:
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = "memberlist"]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 5m]
# replication_factor is not exposed as CLI flag.
[replication_factor: <int> | default = 1]
# zone_awareness_enabled is not exposed as CLI flag.
[zone_awareness_enabled: <boolean> | default = false]
# num_tokens is not exposed as CLI flag.
[num_tokens: <int> | default = 128]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# observe_period is not exposed as CLI flag.
[observe_period: <duration> | default = 0s]
# join_after is not exposed as CLI flag.
[join_after: <duration> | default = 0s]
# min_ready_duration is not exposed as CLI flag.
[min_ready_duration: <duration> | default = 1m]
# interface_names is not exposed as CLI flag.
[interface_names: <list of string> | default = [eth0 en0]]
# final_sleep is not exposed as CLI flag.
[final_sleep: <duration> | default = 30s]
# tokens_file_path is not exposed as CLI flag.
[tokens_file_path: <string> | default = ""]
# availability_zone is not exposed as CLI flag.
[availability_zone: <string> | default = ""]
# unregister_on_shutdown is not exposed as CLI flag.
[unregister_on_shutdown: <boolean> | default = true]
# concurrent_flushes is not exposed as CLI flag.
[concurrent_flushes: <int> | default = 16]
# flush_check_period is not exposed as CLI flag.
[flush_check_period: <duration> | default = 10s]
# flush_op_timeout is not exposed as CLI flag.
[flush_op_timeout: <duration> | default = 5m]
# Duration after which to consider a trace complete if no spans have been
# received
# CLI flag: -ingester.trace-idle-period
[trace_idle_period: <duration> | default = 10s]
# Maximum duration which the head block can be appended to before cutting it.
# CLI flag: -ingester.max-block-duration
[max_block_duration: <duration> | default = 1h]
# Maximum size of the head block before cutting it.
# CLI flag: -ingester.max-block-bytes
[max_block_bytes: <int> | default = 1073741824]
# Duration to keep blocks in the ingester after they have been flushed.
# CLI flag: -ingester.complete-block-timeout
[complete_block_timeout: <duration> | default = 15m]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "ring"]
compactor_config
The compactor_config block configures the compactor service.
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = ""]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 1m]
# wait_stability_min_duration is not exposed as CLI flag.
[wait_stability_min_duration: <duration> | default = 1m]
# wait_stability_max_duration is not exposed as CLI flag.
[wait_stability_max_duration: <duration> | default = 5m]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = [eth0 en0]]
# wait_active_instance_timeout is not exposed as CLI flag.
[wait_active_instance_timeout: <duration> | default = 10m]
compaction:
# chunk_size_bytes is not exposed as CLI flag.
[chunk_size_bytes: <int> | default = 5242880]
# flush_size_bytes is not exposed as CLI flag.
[flush_size_bytes: <int> | default = 31457280]
# Maximum time window across which to compact blocks.
# CLI flag: -compactor.compaction.compaction-window
[compaction_window: <duration> | default = 1h]
# Maximum number of traces in a compacted block.
# CLI flag: -compactor.compaction.max-objects-per-block
[max_compaction_objects: <int> | default = 6000000]
# Maximum size of a compacted block.
# CLI flag: -compactor.compaction.max-block-bytes
[max_block_bytes: <int> | default = 107374182400]
# Duration to keep blocks/traces.
# CLI flag: -compactor.compaction.block-retention
[block_retention: <duration> | default = 336h]
# compacted_block_retention is not exposed as CLI flag.
[compacted_block_retention: <duration> | default = 1h]
# retention_concurrency is not exposed as CLI flag.
[retention_concurrency: <int> | default = 10]
# iterator_buffer_size is not exposed as CLI flag.
[iterator_buffer_size: <int> | default = 1000]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "compactor"]
storage_config
The storage_config block configures how and where to store data.
trace:
pool:
# max_workers is not exposed as CLI flag.
[max_workers: <int> | default = 0]
# queue_depth is not exposed as CLI flag.
[queue_depth: <int> | default = 0]
wal:
# path is not exposed as CLI flag.
[path: <string> | default = ""]
# completedfilepath is not exposed as CLI flag.
[completedfilepath: <string> | default = ""]
# blocksfilepath is not exposed as CLI flag.
[blocksfilepath: <string> | default = ""]
# encoding is not exposed as CLI flag.
[encoding: <int> | default = none]
# search_encoding is not exposed as CLI flag.
[search_encoding: <int> | default = none]
block:
# index_downsample_bytes is not exposed as CLI flag.
[index_downsample_bytes: <int> | default = 0]
# index_page_size_bytes is not exposed as CLI flag.
[index_page_size_bytes: <int> | default = 0]
# bloom_filter_false_positive is not exposed as CLI flag.
[bloom_filter_false_positive: <float> | default = 0]
# bloom_filter_shard_size_bytes is not exposed as CLI flag.
[bloom_filter_shard_size_bytes: <int> | default = 0]
# encoding is not exposed as CLI flag.
[encoding: <int> | default = none]
# search_encoding is not exposed as CLI flag.
[search_encoding: <int> | default = none]
# search_page_size_bytes is not exposed as CLI flag.
[search_page_size_bytes: <int> | default = 0]
# Period at which to run the maintenance cycle.
# CLI flag: -storage.trace.blocklist_poll
[blocklist_poll: <duration> | default = 5m]
# blocklist_poll_concurrency is not exposed as CLI flag.
[blocklist_poll_concurrency: <int> | default = 50]
# blocklist_poll_fallback is not exposed as CLI flag.
[blocklist_poll_fallback: <boolean> | default = true]
# blocklist_poll_tenant_index_builders is not exposed as CLI flag.
[blocklist_poll_tenant_index_builders: <int> | default = 2]
# blocklist_poll_stale_tenant_index is not exposed as CLI flag.
[blocklist_poll_stale_tenant_index: <duration> | default = 0s]
# Trace backend (s3, azure, gcs, local)
# CLI flag: -storage.trace.backend
[backend: <string> | default = ""]
local:
# path is not exposed as CLI flag.
[path: <string> | default = ""]
gcs:
# bucket_name is not exposed as CLI flag.
[bucket_name: <string> | default = ""]
# chunk_buffer_size is not exposed as CLI flag.
[chunk_buffer_size: <int> | default = 0]
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# insecure is not exposed as CLI flag.
[insecure: <boolean> | default = false]
# hedge_requests_at is not exposed as CLI flag.
[hedge_requests_at: <duration> | default = 0s]
s3:
# bucket is not exposed as CLI flag.
[bucket: <string> | default = ""]
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# region is not exposed as CLI flag.
[region: <string> | default = ""]
# access_key is not exposed as CLI flag.
[access_key: <string> | default = ""]
# secret_key is not exposed as CLI flag.
[secret_key: <string> | default = ""]
# insecure is not exposed as CLI flag.
[insecure: <boolean> | default = false]
# part_size is not exposed as CLI flag.
[part_size: <int> | default = 0]
# hedge_requests_at is not exposed as CLI flag.
[hedge_requests_at: <duration> | default = 0s]
# signature_v2 is not exposed as CLI flag.
[signature_v2: <boolean> | default = false]
# forcepathstyle is not exposed as CLI flag.
[forcepathstyle: <boolean> | default = false]
azure:
# storage-account-name is not exposed as CLI flag.
[storage-account-name: <string> | default = ""]
# storage-account-key is not exposed as CLI flag.
[storage-account-key: <string> | default = ""]
# container-name is not exposed as CLI flag.
[container-name: <string> | default = ""]
# endpoint-suffix is not exposed as CLI flag.
[endpoint-suffix: <string> | default = ""]
# max-buffers is not exposed as CLI flag.
[max-buffers: <int> | default = 0]
# buffer-size is not exposed as CLI flag.
[buffer-size: <int> | default = 0]
# hedge-requests-at is not exposed as CLI flag.
[hedge-requests-at: <duration> | default = 0s]
# cache is not exposed as CLI flag.
[cache: <string> | default = ""]
# cache_min_compaction_level is not exposed as CLI flag.
[cache_min_compaction_level: <int> | default = 0]
# cache_max_block_age is not exposed as CLI flag.
[cache_max_block_age: <duration> | default = 0s]
background_cache:
# writeback_goroutines is not exposed as CLI flag.
[writeback_goroutines: <int> | default = 0]
# writeback_buffer is not exposed as CLI flag.
[writeback_buffer: <int> | default = 0]
memcached:
# host is not exposed as CLI flag.
[host: <string> | default = ""]
# service is not exposed as CLI flag.
[service: <string> | default = ""]
# addresses is not exposed as CLI flag.
[addresses: <string> | default = ""]
# timeout is not exposed as CLI flag.
[timeout: <duration> | default = 0s]
# max_idle_conns is not exposed as CLI flag.
[max_idle_conns: <int> | default = 0]
# max_item_size is not exposed as CLI flag.
[max_item_size: <int> | default = 0]
# update_interval is not exposed as CLI flag.
[update_interval: <duration> | default = 0s]
# consistent_hash is not exposed as CLI flag.
[consistent_hash: <boolean> | default = false]
# circuit_breaker_consecutive_failures is not exposed as CLI flag.
[circuit_breaker_consecutive_failures: <int> | default = 0]
# circuit_breaker_timeout is not exposed as CLI flag.
[circuit_breaker_timeout: <duration> | default = 0s]
# circuit_breaker_interval is not exposed as CLI flag.
[circuit_breaker_interval: <duration> | default = 0s]
# ttl is not exposed as CLI flag.
[ttl: <duration> | default = 0s]
redis:
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# master_name is not exposed as CLI flag.
[master_name: <string> | default = ""]
# timeout is not exposed as CLI flag.
[timeout: <duration> | default = 0s]
# expiration is not exposed as CLI flag.
[expiration: <duration> | default = 0s]
# db is not exposed as CLI flag.
[db: <int> | default = 0]
# pool_size is not exposed as CLI flag.
[pool_size: <int> | default = 0]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# idle_timeout is not exposed as CLI flag.
[idle_timeout: <duration> | default = 0s]
# max_connection_age is not exposed as CLI flag.
[max_connection_age: <duration> | default = 0s]
# ttl is not exposed as CLI flag.
[ttl: <duration> | default = 0s]
overrides_config
The overrides_config block configures the overrides module to set global or per-tenant override settings.
# ingestion_rate_strategy is not exposed as CLI flag.
[ingestion_rate_strategy: <string> | default = "local"]
# ingestion_rate_limit_bytes is not exposed as CLI flag.
[ingestion_rate_limit_bytes: <int> | default = 15000000]
# ingestion_burst_size_bytes is not exposed as CLI flag.
[ingestion_burst_size_bytes: <int> | default = 20000000]
# search_tags_allow_list is not exposed as CLI flag.
[search_tags_allow_list: <map of string to struct {}> | default = map[]]
# max_traces_per_user is not exposed as CLI flag.
[max_traces_per_user: <int> | default = 10000]
# max_global_traces_per_user is not exposed as CLI flag.
[max_global_traces_per_user: <int> | default = 0]
# max_bytes_per_trace is not exposed as CLI flag.
[max_bytes_per_trace: <int> | default = 50000]
# max_search_bytes_per_trace is not exposed as CLI flag.
[max_search_bytes_per_trace: <int> | default = 0]
# block_retention is not exposed as CLI flag.
[block_retention: <duration> | default = 0s]
# per_tenant_override_config is not exposed as CLI flag.
[per_tenant_override_config: <string> | default = ""]
# per_tenant_override_period is not exposed as CLI flag.
[per_tenant_override_period: <duration> | default = 10s]
memberlist_config
The memberlist_config block configures how the gossip ring connects between distributors, ingesters and queriers.
# node_name is not exposed as CLI flag.
[node_name: <string> | default = ""]
# randomize_node_name is not exposed as CLI flag.
[randomize_node_name: <boolean> | default = true]
# stream_timeout is not exposed as CLI flag.
[stream_timeout: <duration> | default = 10s]
# retransmit_factor is not exposed as CLI flag.
[retransmit_factor: <int> | default = 2]
# pull_push_interval is not exposed as CLI flag.
[pull_push_interval: <duration> | default = 30s]
# gossip_interval is not exposed as CLI flag.
[gossip_interval: <duration> | default = 1s]
# gossip_nodes is not exposed as CLI flag.
[gossip_nodes: <int> | default = 2]
# gossip_to_dead_nodes_time is not exposed as CLI flag.
[gossip_to_dead_nodes_time: <duration> | default = 30s]
# dead_node_reclaim_time is not exposed as CLI flag.
[dead_node_reclaim_time: <duration> | default = 0s]
# compression_enabled is not exposed as CLI flag.
[compression_enabled: <boolean> | default = false]
# advertise_addr is not exposed as CLI flag.
[advertise_addr: <string> | default = ""]
# advertise_port is not exposed as CLI flag.
[advertise_port: <int> | default = 7946]
# Host port to connect to memberlist cluster.
# CLI flag: -memberlist.host-port
[join_members: <list of string> | default = []]
# min_join_backoff is not exposed as CLI flag.
[min_join_backoff: <duration> | default = 1s]
# max_join_backoff is not exposed as CLI flag.
[max_join_backoff: <duration> | default = 1m]
# max_join_retries is not exposed as CLI flag.
[max_join_retries: <int> | default = 10]
# abort_if_cluster_join_fails is not exposed as CLI flag.
[abort_if_cluster_join_fails: <boolean> | default = true]
# rejoin_interval is not exposed as CLI flag.
[rejoin_interval: <duration> | default = 0s]
# left_ingesters_timeout is not exposed as CLI flag.
[left_ingesters_timeout: <duration> | default = 5m]
# leave_timeout is not exposed as CLI flag.
[leave_timeout: <duration> | default = 5s]
# message_history_buffer_bytes is not exposed as CLI flag.
[message_history_buffer_bytes: <int> | default = 0]
# bind_addr is not exposed as CLI flag.
[bind_addr: <list of string> | default = []]
# Port for memberlist to communicate on
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]
# packet_dial_timeout is not exposed as CLI flag.
[packet_dial_timeout: <duration> | default = 5s]
# packet_write_timeout is not exposed as CLI flag.
[packet_write_timeout: <duration> | default = 5s]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
admin_api_config
The admin_api_config block configures the Admin API service.
# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]
leader_election:
# This flag enables leader election for the admin api.
# CLI flag: -admin-api.leader-election.enabled
[enabled: <boolean> | default = true]
ring:
kvstore:
# Backend storage to use for the ring. Supported values are: consul, etcd,
# inmemory, memberlist, multi.
# CLI flag: -admin-api.leader-election.ring.store
[store: <string> | default = "consul"]
# The prefix for the keys in the store. Should end with a /.
# CLI flag: -admin-api.leader-election.ring.prefix
[prefix: <string> | default = "leader-election/"]
consul:
# Hostname and port of Consul.
# CLI flag: -admin-api.leader-election.ring.consul.hostname
[host: <string> | default = "localhost:8500"]
# ACL Token used to interact with Consul.
# CLI flag: -admin-api.leader-election.ring.consul.acl-token
[acl_token: <string> | default = ""]
# HTTP timeout when talking to Consul
# CLI flag: -admin-api.leader-election.ring.consul.client-timeout
[http_client_timeout: <duration> | default = 20s]
# Enable consistent reads to Consul.
# CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
[consistent_reads: <boolean> | default = false]
# Rate limit when watching key or prefix in Consul, in requests per
# second. 0 disables the rate limit.
# CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
[watch_rate_limit: <float> | default = 1]
# Burst size used in rate limit. Values less than 1 are treated as 1.
# CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
[watch_burst_size: <int> | default = 1]
etcd:
# The etcd endpoints to connect to.
# CLI flag: -admin-api.leader-election.ring.etcd.endpoints
[endpoints: <list of string> | default = []]
# The dial timeout for the etcd connection.
# CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
[dial_timeout: <duration> | default = 10s]
# The maximum number of retries to do for failed ops.
# CLI flag: -admin-api.leader-election.ring.etcd.max-retries
[max_retries: <int> | default = 10]
# Enable TLS.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for
# authenticating with the server. Also requires the key path to be
# configured.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate
# against. If not set, the host's root CA certificates are used.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Etcd username.
# CLI flag: -admin-api.leader-election.ring.etcd.username
[username: <string> | default = ""]
# Etcd password.
# CLI flag: -admin-api.leader-election.ring.etcd.password
[password: <string> | default = ""]
multi:
# Primary backend storage used by multi-client.
# CLI flag: -admin-api.leader-election.ring.multi.primary
[primary: <string> | default = ""]
# Secondary backend storage used by multi-client.
# CLI flag: -admin-api.leader-election.ring.multi.secondary
[secondary: <string> | default = ""]
# Mirror writes to secondary store.
# CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
[mirror_enabled: <boolean> | default = false]
# Timeout for storing value to secondary store.
# CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
[mirror_timeout: <duration> | default = 2s]
# Period at which to heartbeat to the ring.
# CLI flag: -admin-api.leader-election.ring.heartbeat-period
[heartbeat_period: <duration> | default = 15s]
# The heartbeat timeout after which admin-api instances are considered
# unhealthy within the ring.
# CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
[heartbeat_timeout: <duration> | default = 1m]
# Period to wait after generating tokens to resolve collisions. Required
# when using a gossip ring KV store.
# CLI flag: -admin-api.leader-election.ring.tokens-observe-period
[tokens_observe_period: <duration> | default = 1m]
# Name of network interface to read address from.
# CLI flag: -admin-api.leader-election.ring.instance-interface-names
[instance_interface_names: <list of string> | default = [eth0 en0]]
client_config:
# gRPC client max receive message size (bytes).
# CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]
# gRPC client max send message size (bytes).
# CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
[max_send_msg_size: <int> | default = 16777216]
# Use compression when sending messages. Supported values are: 'gzip',
# 'snappy' and '' (disable compression)
# CLI flag: -admin-api.leader-election.client.grpc-compression
[grpc_compression: <string> | default = ""]
# Rate limit for gRPC client; 0 means disabled.
# CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
[rate_limit: <float> | default = 0]
# Rate limit burst for gRPC client.
# CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
[rate_limit_burst: <int> | default = 0]
# Enable backoff and retry when we hit ratelimits.
# CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# Minimum delay when backing off.
# CLI flag: -admin-api.leader-election.client.backoff-min-period
[min_period: <duration> | default = 100ms]
# Maximum delay when backing off.
# CLI flag: -admin-api.leader-election.client.backoff-max-period
[max_period: <duration> | default = 10s]
# Number of times to backoff and retry before failing.
# CLI flag: -admin-api.leader-election.client.backoff-retries
[max_retries: <int> | default = 10]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -admin-api.leader-election.client.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -admin-api.leader-election.client.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -admin-api.leader-election.client.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -admin-api.leader-election.client.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -admin-api.leader-election.client.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
limits:
# Should API based per-instance limits be used.
# CLI flag: -admin-api.limits.enabled
[enabled: <boolean> | default = true]
# Period with which to refresh per-instance limits.
# CLI flag: -admin-api.limits.refresh-period
[refresh_period: <duration> | default = 1m]
admin_client_config
The admin_client_config block configures how the Admin API service connects to the storage backend.
storage:
# Set a backend to use, (gcs, s3)
# CLI flag: -admin.client.backend-type
[type: <string> | default = ""]
# Enable caching on the versioned client
# CLI flag: -admin.client.cache.enabled
[enable_cache: <boolean> | default = true]
s3:
# The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
# https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
# S3-compatible service in hostname:port format.
# CLI flag: -admin.client.s3.endpoint
[endpoint: <string> | default = ""]
# S3 region. If unset, the client will issue a S3 GetBucketLocation API call
# to autodetect it.
# CLI flag: -admin.client.s3.region
[region: <string> | default = ""]
# S3 bucket name
# CLI flag: -admin.client.s3.bucket-name
[bucket_name: <string> | default = ""]
# S3 secret access key
# CLI flag: -admin.client.s3.secret-access-key
[secret_access_key: <string> | default = ""]
# S3 access key ID
# CLI flag: -admin.client.s3.access-key-id
[access_key_id: <string> | default = ""]
# If enabled, use http:// for the S3 endpoint instead of https://. This
# could be useful in local dev/test environments while using an
# S3-compatible backend storage, like Minio.
# CLI flag: -admin.client.s3.insecure
[insecure: <boolean> | default = false]
# The signature version to use for authenticating against S3. Supported
# values are: v4, v2.
# CLI flag: -admin.client.s3.signature-version
[signature_version: <string> | default = "v4"]
sse:
# Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
# CLI flag: -admin.client.s3.sse.type
[type: <string> | default = ""]
# KMS Key ID used to encrypt objects in S3
# CLI flag: -admin.client.s3.sse.kms-key-id
[kms_key_id: <string> | default = ""]
# KMS Encryption Context used for object encryption. It expects JSON
# formatted string.
# CLI flag: -admin.client.s3.sse.kms-encryption-context
[kms_encryption_context: <string> | default = ""]
http:
# The time an idle connection will remain idle before closing.
# CLI flag: -admin.client.s3.http.idle-conn-timeout
[idle_conn_timeout: <duration> | default = 1m30s]
# The amount of time the client will wait for a servers response headers.
# CLI flag: -admin.client.s3.http.response-header-timeout
[response_header_timeout: <duration> | default = 2m]
# If the client connects to S3 via HTTPS and this option is enabled, the
# client will accept any certificate and hostname.
# CLI flag: -admin.client.s3.http.insecure-skip-verify
[insecure_skip_verify: <boolean> | default = false]
# Maximum time to wait for a TLS handshake. 0 means no limit.
# CLI flag: -admin.client.s3.tls-handshake-timeout
[tls_handshake_timeout: <duration> | default = 10s]
# The time to wait for a server's first response headers after fully
# writing the request headers if the request has an Expect header. 0 to
# send the request body immediately.
# CLI flag: -admin.client.s3.expect-continue-timeout
[expect_continue_timeout: <duration> | default = 1s]
# Maximum number of idle (keep-alive) connections across all hosts. 0
# means no limit.
# CLI flag: -admin.client.s3.max-idle-connections
[max_idle_connections: <int> | default = 100]
# Maximum number of idle (keep-alive) connections to keep per-host. If 0,
# a built-in default value is used.
# CLI flag: -admin.client.s3.max-idle-connections-per-host
[max_idle_connections_per_host: <int> | default = 100]
# Maximum number of connections per host. 0 means no limit.
# CLI flag: -admin.client.s3.max-connections-per-host
[max_connections_per_host: <int> | default = 0]
# Path to header map file containing name/value combos.
# CLI flag: -admin.client.s3.header-map.file-path
[header_map_file_path: <string> | default = ""]
# Interval at which to repoll the headers file, if set <= 0 polling is
# disabled.
# CLI flag: -admin.client.s3.header-map.poll-interval
[header_map_poll_interval: <duration> | default = 1m]
gcs:
# GCS bucket name
# CLI flag: -admin.client.gcs.bucket-name
[bucket_name: <string> | default = ""]
# JSON representing either a Google Developers Console
# client_credentials.json file or a Google Developers service account key
# file. If empty, fallback to Google default logic.
# CLI flag: -admin.client.gcs.service-account
[service_account: <string> | default = ""]
azure:
# Azure storage account name
# CLI flag: -admin.client.azure.account-name
[account_name: <string> | default = ""]
# Azure storage account key
# CLI flag: -admin.client.azure.account-key
[account_key: <string> | default = ""]
# Azure storage container name
# CLI flag: -admin.client.azure.container-name
[container_name: <string> | default = ""]
# Azure storage endpoint suffix without schema. The account name will be
# prefixed to this value to create the FQDN
# CLI flag: -admin.client.azure.endpoint-suffix
[endpoint_suffix: <string> | default = ""]
# Number of retries for recoverable errors
# CLI flag: -admin.client.azure.max-retries
[max_retries: <int> | default = 20]
# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]
auth_config
The auth_config block configures the authentication type to use.
# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "trust"]
# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]
override:
# Override admin token. If set, this string will always be accepted as a token
# with admin level scope.
# CLI flag: -auth.override.token
[token: <string> | default = ""]
# If set, this file will be read at startup and the string from that file will
# be used as a admin scoped token.
# CLI flag: -auth.override.token-file
[token_file: <string> | default = ""]
admin:
# how long auth responses should be cached
# CLI flag: -auth.cache.ttl
[cache_ttl: <duration> | default = 10m]
oidc:
# JWT token issuer URL (example "https://accounts.google.com")
# CLI flag: -auth.admin.oidc.issuer-url
[issuer_url: <string> | default = ""]
# claim in the JWT token containing the access policy
# CLI flag: -auth.admin.oidc.access-policy-claim
[access_policy_claim: <string> | default = ""]
# regex to extract the access policy from the JWT token. The first submatch
# of the provided regex expression will be used.
# CLI flag: -auth.admin.oidc.access-policy-regex
[access_policy_regex: <string> | default = ""]
# optional audience to check in JWT token
# CLI flag: -auth.admin.oidc.audience
[audience: <string> | default = ""]
# name of the access policy to use when the token doesn't contain an access
# policy
# CLI flag: -auth.admin.oidc.default-access-policy
[default_access_policy: <string> | default = ""]
# enable ADFS compatibility
# CLI flag: -auth.admin.oidc.adfs-compatibility
[adfs_compatibility: <boolean> | default = false]
federation_config
The federation_config block configures the cross-cluster query federation service.
proxy_targets:
# Name contains the name of the proxy target, it will be used for the
# __cluster__ label.
[name: <string> | default = ""]
# URL is the URL to the GET API endpoints.
[url: <string> | default = ""]
# Those optional Basic Auth parameters allow to override the client provided
# credentials.
basic_auth:
# Basic Auth username
[username: <string> | default = ""]
# Basic Auth password
[password: <string> | default = ""]
# Maximum number of concurrent requests to federation targets.
# CLI flag: -federation.max-concurrency
[max_concurrency: <int> | default = 20]
# Timeout for hedging requests to federation targets.
# CLI flag: -federation.hedge-requests-at
[hedge_requests_at: <duration> | default = 0s]
# Timeout for requests to federation targets.
# CLI flag: -federation.read-timeout
[read_timeout: <duration> | default = 5s]
gateway_config
The gateway_config block configures the gateway service.
proxy:
default:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.default.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.default.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.default.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.default.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.default.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.default.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.default.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.default.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.default.read-timeout
[read_timeout: <duration> | default = 2m]
admin_api:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.admin-api.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.admin-api.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.admin-api.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.admin-api.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.admin-api.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.admin-api.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.admin-api.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.admin-api.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.admin-api.read-timeout
[read_timeout: <duration> | default = 2m]
compactor:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.compactor.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.compactor.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.compactor.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.compactor.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.compactor.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.compactor.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.compactor.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.compactor.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.compactor.read-timeout
[read_timeout: <duration> | default = 2m]
distributor:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.distributor.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.distributor.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.distributor.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.distributor.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.distributor.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.distributor.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.distributor.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.distributor.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.distributor.read-timeout
[read_timeout: <duration> | default = 2m]
ingester:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.ingester.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.ingester.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.ingester.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.ingester.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.ingester.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.ingester.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.ingester.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.ingester.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.ingester.read-timeout
[read_timeout: <duration> | default = 2m]
querier:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.querier.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.querier.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.querier.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.querier.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.querier.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.querier.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.querier.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.querier.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.querier.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.querier.read-timeout
[read_timeout: <duration> | default = 2m]
query_frontend:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.query-frontend.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.query-frontend.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.query-frontend.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.query-frontend.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.query-frontend.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.query-frontend.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.query-frontend.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.query-frontend.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.query-frontend.read-timeout
[read_timeout: <duration> | default = 2m]
license_config
The license_config block configures the license validation module.
# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]
# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]
tokengen_config
The tokengen_config block configures the tokengen service.
# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]
# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]
