ConfigurationReference

Configuration reference

Grafana Enterprise Traces can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GET component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a regular string
  • <url>: a URL
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Environment variables in the configuration

You can use environment variable references in the config file to set values that need to be configurable during deployment by using the -config.expand-env flag. To do this, use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:default_value}

Where default_value is the value to use if the environment variable is undefined.

Supported contents and default values

# target module
# CLI flag: -target
[target: <string> | default = "all"]

# Set to true to enable auth (deprecated: use multitenancy.enabled)
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = false]

# Set to true to enable multitenancy.
# CLI flag: -multitenancy.enabled
[multitenancy_enabled: <boolean> | default = false]

# Set to true to enable search (unstable).
# CLI flag: -search.enabled
[search_enabled: <boolean> | default = false]

# String prefix for all http api endpoints.
# CLI flag: -http-api-prefix
[http_api_prefix: <string> | default = ""]

# Set to true to replace the OpenTracing tracer with the OpenTelemetry tracer
# CLI flag: -use-otel-tracer
[use_otel_tracer: <boolean> | default = false]

# The server_config block configures the HTTP and gRPC server of the launched
# services.
[server: <server_config>]

# The distributor_config block configures the distributor service.
[distributor: <distributor_config>]

# The ingester_client_config block configures how the distributor services
# connect to the ingester services.
[ingester_client: <ingester_client_config>]

# The querier_config block configures the querier service.
[querier: <querier_config>]

# The query_frontend_config block configures the query frontend service.
[query_frontend: <query_frontend_config>]

# The compactor_config block configures the compactor service.
[compactor: <compactor_config>]

# The ingester_config block configures the ingester service.
[ingester: <ingester_config>]

# The storage_config block configures how and where to store data.
[storage: <storage_config>]

# The overrides_config block configures the overrides module to set global or
# per-tenant override settings.
[overrides: <overrides_config>]

# The memberlist_config block configures how the gossip ring connects between
# distributors, ingesters and queriers.
[memberlist: <memberlist_config>]

# The admin_api_config block configures the Admin API service.
[admin_api: <admin_api_config>]

# The admin_client_config block configures how the Admin API service connects to
# the storage backend.
[admin_client: <admin_client_config>]

# The auth_config block configures the authentication type to use.
[auth: <auth_config>]

# Unique ID of this GET cluster. If undefined the name in the license is used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The tokengen_config block configures the tokengen service.
[tokengen: <tokengen_config>]

# The federation_config block configures the cross-cluster query federation
# service.
[federation: <federation_config>]

# The gateway_config block configures the gateway service.
[gateway: <gateway_config>]

# The license_config block configures the license validation module.
[license: <license_config>]

server_config

The server_config block configures the HTTP and gRPC server of the launched services.

# http_listen_network is not exposed as CLI flag.
[http_listen_network: <string> | default = "tcp"]

# http_listen_address is not exposed as CLI flag.
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]

# http_listen_conn_limit is not exposed as CLI flag.
[http_listen_conn_limit: <int> | default = 0]

# grpc_listen_network is not exposed as CLI flag.
[grpc_listen_network: <string> | default = "tcp"]

# grpc_listen_address is not exposed as CLI flag.
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# grpc_listen_conn_limit is not exposed as CLI flag.
[grpc_listen_conn_limit: <int> | default = 0]

http_tls_config:
  # cert_file is not exposed as CLI flag.
  [cert_file: <string> | default = ""]

  # key_file is not exposed as CLI flag.
  [key_file: <string> | default = ""]

  # client_auth_type is not exposed as CLI flag.
  [client_auth_type: <string> | default = ""]

  # client_ca_file is not exposed as CLI flag.
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # cert_file is not exposed as CLI flag.
  [cert_file: <string> | default = ""]

  # key_file is not exposed as CLI flag.
  [key_file: <string> | default = ""]

  # client_auth_type is not exposed as CLI flag.
  [client_auth_type: <string> | default = ""]

  # client_ca_file is not exposed as CLI flag.
  [client_ca_file: <string> | default = ""]

# register_instrumentation is not exposed as CLI flag.
[register_instrumentation: <boolean> | default = true]

# graceful_shutdown_timeout is not exposed as CLI flag.
[graceful_shutdown_timeout: <duration> | default = 30s]

# http_server_read_timeout is not exposed as CLI flag.
[http_server_read_timeout: <duration> | default = 30s]

# http_server_write_timeout is not exposed as CLI flag.
[http_server_write_timeout: <duration> | default = 30s]

# http_server_idle_timeout is not exposed as CLI flag.
[http_server_idle_timeout: <duration> | default = 2m]

# grpc_server_max_recv_msg_size is not exposed as CLI flag.
[grpc_server_max_recv_msg_size: <int> | default = 4194304]

# grpc_server_max_send_msg_size is not exposed as CLI flag.
[grpc_server_max_send_msg_size: <int> | default = 4194304]

# grpc_server_max_concurrent_streams is not exposed as CLI flag.
[grpc_server_max_concurrent_streams: <int> | default = 100]

# grpc_server_max_connection_idle is not exposed as CLI flag.
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_max_connection_age is not exposed as CLI flag.
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_max_connection_age_grace is not exposed as CLI flag.
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_keepalive_time is not exposed as CLI flag.
[grpc_server_keepalive_time: <duration> | default = 2h]

# grpc_server_keepalive_timeout is not exposed as CLI flag.
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# grpc_server_min_time_between_pings is not exposed as CLI flag.
[grpc_server_min_time_between_pings: <duration> | default = 10s]

# grpc_server_ping_without_stream_allowed is not exposed as CLI flag.
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]

# log_format is not exposed as CLI flag.
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# log_source_ips_enabled is not exposed as CLI flag.
[log_source_ips_enabled: <boolean> | default = false]

# log_source_ips_header is not exposed as CLI flag.
[log_source_ips_header: <string> | default = ""]

# log_source_ips_regex is not exposed as CLI flag.
[log_source_ips_regex: <string> | default = ""]

# http_path_prefix is not exposed as CLI flag.
[http_path_prefix: <string> | default = ""]

distributor_config

The distributor_config block configures the distributor service.

ring:
  kvstore:
    # store is not exposed as CLI flag.
    [store: <string> | default = "memberlist"]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = "collectors/"]

    consul:
      # host is not exposed as CLI flag.
      [host: <string> | default = "localhost:8500"]

      # acl_token is not exposed as CLI flag.
      [acl_token: <string> | default = ""]

      # http_client_timeout is not exposed as CLI flag.
      [http_client_timeout: <duration> | default = 20s]

      # consistent_reads is not exposed as CLI flag.
      [consistent_reads: <boolean> | default = false]

      # watch_rate_limit is not exposed as CLI flag.
      [watch_rate_limit: <float> | default = 1]

      # watch_burst_size is not exposed as CLI flag.
      [watch_burst_size: <int> | default = 1]

    etcd:
      # endpoints is not exposed as CLI flag.
      [endpoints: <list of string> | default = []]

      # dial_timeout is not exposed as CLI flag.
      [dial_timeout: <duration> | default = 10s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 10]

      # tls_enabled is not exposed as CLI flag.
      [tls_enabled: <boolean> | default = false]

      # tls_cert_path is not exposed as CLI flag.
      [tls_cert_path: <string> | default = ""]

      # tls_key_path is not exposed as CLI flag.
      [tls_key_path: <string> | default = ""]

      # tls_ca_path is not exposed as CLI flag.
      [tls_ca_path: <string> | default = ""]

      # tls_server_name is not exposed as CLI flag.
      [tls_server_name: <string> | default = ""]

      # tls_insecure_skip_verify is not exposed as CLI flag.
      [tls_insecure_skip_verify: <boolean> | default = false]

      # username is not exposed as CLI flag.
      [username: <string> | default = ""]

      # password is not exposed as CLI flag.
      [password: <string> | default = ""]

    multi:
      # primary is not exposed as CLI flag.
      [primary: <string> | default = ""]

      # secondary is not exposed as CLI flag.
      [secondary: <string> | default = ""]

      # mirror_enabled is not exposed as CLI flag.
      [mirror_enabled: <boolean> | default = false]

      # mirror_timeout is not exposed as CLI flag.
      [mirror_timeout: <duration> | default = 2s]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # heartbeat_timeout is not exposed as CLI flag.
  [heartbeat_timeout: <duration> | default = 5m]

  # instance_interface_names is not exposed as CLI flag.
  [instance_interface_names: <list of string> | default = [eth0 en0]]

# receivers is not exposed as CLI flag.
[receivers: <map of string to interface {}> | default = map[]]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "distributor"]

# Enable to log every received trace id to help debug ingestion.
# CLI flag: -distributor.log-received-traces
[log_received_traces: <boolean> | default = false]

# extend_writes is not exposed as CLI flag.
[extend_writes: <boolean> | default = true]

# search_tags_deny_list is not exposed as CLI flag.
[search_tags_deny_list: <list of string> | default = []]

query_frontend_config

The query_frontend_config block configures the query frontend service.

# log_queries_longer_than is not exposed as CLI flag.
[log_queries_longer_than: <duration> | default = 0s]

# max_body_size is not exposed as CLI flag.
[max_body_size: <int> | default = 0]

# query_stats_enabled is not exposed as CLI flag.
[query_stats_enabled: <boolean> | default = false]

# max_outstanding_per_tenant is not exposed as CLI flag.
[max_outstanding_per_tenant: <int> | default = 100]

# querier_forget_delay is not exposed as CLI flag.
[querier_forget_delay: <duration> | default = 0s]

# scheduler_address is not exposed as CLI flag.
[scheduler_address: <string> | default = ""]

# scheduler_dns_lookup_period is not exposed as CLI flag.
[scheduler_dns_lookup_period: <duration> | default = 0s]

# scheduler_worker_concurrency is not exposed as CLI flag.
[scheduler_worker_concurrency: <int> | default = 0]

grpc_client_config:
  # max_recv_msg_size is not exposed as CLI flag.
  [max_recv_msg_size: <int> | default = 0]

  # max_send_msg_size is not exposed as CLI flag.
  [max_send_msg_size: <int> | default = 0]

  # grpc_compression is not exposed as CLI flag.
  [grpc_compression: <string> | default = ""]

  # rate_limit is not exposed as CLI flag.
  [rate_limit: <float> | default = 0]

  # rate_limit_burst is not exposed as CLI flag.
  [rate_limit_burst: <int> | default = 0]

  # backoff_on_ratelimits is not exposed as CLI flag.
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # min_period is not exposed as CLI flag.
    [min_period: <duration> | default = 0s]

    # max_period is not exposed as CLI flag.
    [max_period: <duration> | default = 0s]

    # max_retries is not exposed as CLI flag.
    [max_retries: <int> | default = 0]

  # tls_enabled is not exposed as CLI flag.
  [tls_enabled: <boolean> | default = false]

  # tls_cert_path is not exposed as CLI flag.
  [tls_cert_path: <string> | default = ""]

  # tls_key_path is not exposed as CLI flag.
  [tls_key_path: <string> | default = ""]

  # tls_ca_path is not exposed as CLI flag.
  [tls_ca_path: <string> | default = ""]

  # tls_server_name is not exposed as CLI flag.
  [tls_server_name: <string> | default = ""]

  # tls_insecure_skip_verify is not exposed as CLI flag.
  [tls_insecure_skip_verify: <boolean> | default = false]

# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = []]

# downstream_url is not exposed as CLI flag.
[downstream_url: <string> | default = ""]

# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 2]

# query_shards is not exposed as CLI flag.
[query_shards: <int> | default = 20]

# tolerate_failed_blocks is not exposed as CLI flag.
[tolerate_failed_blocks: <int> | default = 0]

querier_config

The querier_config block configures the querier service.

# query_timeout is not exposed as CLI flag.
[query_timeout: <duration> | default = 10s]

# search_query_timeout is not exposed as CLI flag.
[search_query_timeout: <duration> | default = 30s]

# search_default_result_limit is not exposed as CLI flag.
[search_default_result_limit: <int> | default = 20]

# search_max_result_limit is not exposed as CLI flag.
[search_max_result_limit: <int> | default = 0]

# extra_query_delay is not exposed as CLI flag.
[extra_query_delay: <duration> | default = 0s]

# max_concurrent_queries is not exposed as CLI flag.
[max_concurrent_queries: <int> | default = 5]

frontend_worker:
  # Address of query frontend service, in host:port format.
  # CLI flag: -querier.frontend-address
  [frontend_address: <string> | default = ""]

  # scheduler_address is not exposed as CLI flag.
  [scheduler_address: <string> | default = ""]

  # dns_lookup_duration is not exposed as CLI flag.
  [dns_lookup_duration: <duration> | default = 10s]

  # parallelism is not exposed as CLI flag.
  [parallelism: <int> | default = 2]

  # match_max_concurrent is not exposed as CLI flag.
  [match_max_concurrent: <boolean> | default = true]

  # id is not exposed as CLI flag.
  [id: <string> | default = ""]

  grpc_client_config:
    # max_recv_msg_size is not exposed as CLI flag.
    [max_recv_msg_size: <int> | default = 104857600]

    # max_send_msg_size is not exposed as CLI flag.
    [max_send_msg_size: <int> | default = 16777216]

    # grpc_compression is not exposed as CLI flag.
    [grpc_compression: <string> | default = "gzip"]

    # rate_limit is not exposed as CLI flag.
    [rate_limit: <float> | default = 0]

    # rate_limit_burst is not exposed as CLI flag.
    [rate_limit_burst: <int> | default = 0]

    # backoff_on_ratelimits is not exposed as CLI flag.
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # min_period is not exposed as CLI flag.
      [min_period: <duration> | default = 100ms]

      # max_period is not exposed as CLI flag.
      [max_period: <duration> | default = 1s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 5]

    # tls_enabled is not exposed as CLI flag.
    [tls_enabled: <boolean> | default = false]

    # tls_cert_path is not exposed as CLI flag.
    [tls_cert_path: <string> | default = ""]

    # tls_key_path is not exposed as CLI flag.
    [tls_key_path: <string> | default = ""]

    # tls_ca_path is not exposed as CLI flag.
    [tls_ca_path: <string> | default = ""]

    # tls_server_name is not exposed as CLI flag.
    [tls_server_name: <string> | default = ""]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

ingester_client_config

The ingester_client_config block configures how the distributor services connect to the ingester services.

pool_config:
  # checkinterval is not exposed as CLI flag.
  [checkinterval: <duration> | default = 15s]

  # healthcheckenabled is not exposed as CLI flag.
  [healthcheckenabled: <boolean> | default = true]

  # healthchecktimeout is not exposed as CLI flag.
  [healthchecktimeout: <duration> | default = 1s]

# remote_timeout is not exposed as CLI flag.
[remote_timeout: <duration> | default = 5s]

grpc_client_config:
  # max_recv_msg_size is not exposed as CLI flag.
  [max_recv_msg_size: <int> | default = 104857600]

  # max_send_msg_size is not exposed as CLI flag.
  [max_send_msg_size: <int> | default = 16777216]

  # grpc_compression is not exposed as CLI flag.
  [grpc_compression: <string> | default = "snappy"]

  # rate_limit is not exposed as CLI flag.
  [rate_limit: <float> | default = 0]

  # rate_limit_burst is not exposed as CLI flag.
  [rate_limit_burst: <int> | default = 0]

  # backoff_on_ratelimits is not exposed as CLI flag.
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # min_period is not exposed as CLI flag.
    [min_period: <duration> | default = 100ms]

    # max_period is not exposed as CLI flag.
    [max_period: <duration> | default = 10s]

    # max_retries is not exposed as CLI flag.
    [max_retries: <int> | default = 10]

  # tls_enabled is not exposed as CLI flag.
  [tls_enabled: <boolean> | default = false]

  # tls_cert_path is not exposed as CLI flag.
  [tls_cert_path: <string> | default = ""]

  # tls_key_path is not exposed as CLI flag.
  [tls_key_path: <string> | default = ""]

  # tls_ca_path is not exposed as CLI flag.
  [tls_ca_path: <string> | default = ""]

  # tls_server_name is not exposed as CLI flag.
  [tls_server_name: <string> | default = ""]

  # tls_insecure_skip_verify is not exposed as CLI flag.
  [tls_insecure_skip_verify: <boolean> | default = false]

ingester_config

The ingester_config block configures the ingester service.

lifecycler:
  ring:
    kvstore:
      # store is not exposed as CLI flag.
      [store: <string> | default = "memberlist"]

      # prefix is not exposed as CLI flag.
      [prefix: <string> | default = "collectors/"]

      consul:
        # host is not exposed as CLI flag.
        [host: <string> | default = "localhost:8500"]

        # acl_token is not exposed as CLI flag.
        [acl_token: <string> | default = ""]

        # http_client_timeout is not exposed as CLI flag.
        [http_client_timeout: <duration> | default = 20s]

        # consistent_reads is not exposed as CLI flag.
        [consistent_reads: <boolean> | default = false]

        # watch_rate_limit is not exposed as CLI flag.
        [watch_rate_limit: <float> | default = 1]

        # watch_burst_size is not exposed as CLI flag.
        [watch_burst_size: <int> | default = 1]

      etcd:
        # endpoints is not exposed as CLI flag.
        [endpoints: <list of string> | default = []]

        # dial_timeout is not exposed as CLI flag.
        [dial_timeout: <duration> | default = 10s]

        # max_retries is not exposed as CLI flag.
        [max_retries: <int> | default = 10]

        # tls_enabled is not exposed as CLI flag.
        [tls_enabled: <boolean> | default = false]

        # tls_cert_path is not exposed as CLI flag.
        [tls_cert_path: <string> | default = ""]

        # tls_key_path is not exposed as CLI flag.
        [tls_key_path: <string> | default = ""]

        # tls_ca_path is not exposed as CLI flag.
        [tls_ca_path: <string> | default = ""]

        # tls_server_name is not exposed as CLI flag.
        [tls_server_name: <string> | default = ""]

        # tls_insecure_skip_verify is not exposed as CLI flag.
        [tls_insecure_skip_verify: <boolean> | default = false]

        # username is not exposed as CLI flag.
        [username: <string> | default = ""]

        # password is not exposed as CLI flag.
        [password: <string> | default = ""]

      multi:
        # primary is not exposed as CLI flag.
        [primary: <string> | default = ""]

        # secondary is not exposed as CLI flag.
        [secondary: <string> | default = ""]

        # mirror_enabled is not exposed as CLI flag.
        [mirror_enabled: <boolean> | default = false]

        # mirror_timeout is not exposed as CLI flag.
        [mirror_timeout: <duration> | default = 2s]

    # heartbeat_timeout is not exposed as CLI flag.
    [heartbeat_timeout: <duration> | default = 5m]

    # replication_factor is not exposed as CLI flag.
    [replication_factor: <int> | default = 1]

    # zone_awareness_enabled is not exposed as CLI flag.
    [zone_awareness_enabled: <boolean> | default = false]

  # num_tokens is not exposed as CLI flag.
  [num_tokens: <int> | default = 128]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # observe_period is not exposed as CLI flag.
  [observe_period: <duration> | default = 0s]

  # join_after is not exposed as CLI flag.
  [join_after: <duration> | default = 0s]

  # min_ready_duration is not exposed as CLI flag.
  [min_ready_duration: <duration> | default = 1m]

  # interface_names is not exposed as CLI flag.
  [interface_names: <list of string> | default = [eth0 en0]]

  # final_sleep is not exposed as CLI flag.
  [final_sleep: <duration> | default = 30s]

  # tokens_file_path is not exposed as CLI flag.
  [tokens_file_path: <string> | default = ""]

  # availability_zone is not exposed as CLI flag.
  [availability_zone: <string> | default = ""]

  # unregister_on_shutdown is not exposed as CLI flag.
  [unregister_on_shutdown: <boolean> | default = true]

# concurrent_flushes is not exposed as CLI flag.
[concurrent_flushes: <int> | default = 16]

# flush_check_period is not exposed as CLI flag.
[flush_check_period: <duration> | default = 10s]

# flush_op_timeout is not exposed as CLI flag.
[flush_op_timeout: <duration> | default = 5m]

# Duration after which to consider a trace complete if no spans have been
# received
# CLI flag: -ingester.trace-idle-period
[trace_idle_period: <duration> | default = 10s]

# Maximum duration which the head block can be appended to before cutting it.
# CLI flag: -ingester.max-block-duration
[max_block_duration: <duration> | default = 1h]

# Maximum size of the head block before cutting it.
# CLI flag: -ingester.max-block-bytes
[max_block_bytes: <int> | default = 1073741824]

# Duration to keep blocks in the ingester after they have been flushed.
# CLI flag: -ingester.complete-block-timeout
[complete_block_timeout: <duration> | default = 15m]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "ring"]

compactor_config

The compactor_config block configures the compactor service.

ring:
  kvstore:
    # store is not exposed as CLI flag.
    [store: <string> | default = ""]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = "collectors/"]

    consul:
      # host is not exposed as CLI flag.
      [host: <string> | default = "localhost:8500"]

      # acl_token is not exposed as CLI flag.
      [acl_token: <string> | default = ""]

      # http_client_timeout is not exposed as CLI flag.
      [http_client_timeout: <duration> | default = 20s]

      # consistent_reads is not exposed as CLI flag.
      [consistent_reads: <boolean> | default = false]

      # watch_rate_limit is not exposed as CLI flag.
      [watch_rate_limit: <float> | default = 1]

      # watch_burst_size is not exposed as CLI flag.
      [watch_burst_size: <int> | default = 1]

    etcd:
      # endpoints is not exposed as CLI flag.
      [endpoints: <list of string> | default = []]

      # dial_timeout is not exposed as CLI flag.
      [dial_timeout: <duration> | default = 10s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 10]

      # tls_enabled is not exposed as CLI flag.
      [tls_enabled: <boolean> | default = false]

      # tls_cert_path is not exposed as CLI flag.
      [tls_cert_path: <string> | default = ""]

      # tls_key_path is not exposed as CLI flag.
      [tls_key_path: <string> | default = ""]

      # tls_ca_path is not exposed as CLI flag.
      [tls_ca_path: <string> | default = ""]

      # tls_server_name is not exposed as CLI flag.
      [tls_server_name: <string> | default = ""]

      # tls_insecure_skip_verify is not exposed as CLI flag.
      [tls_insecure_skip_verify: <boolean> | default = false]

      # username is not exposed as CLI flag.
      [username: <string> | default = ""]

      # password is not exposed as CLI flag.
      [password: <string> | default = ""]

    multi:
      # primary is not exposed as CLI flag.
      [primary: <string> | default = ""]

      # secondary is not exposed as CLI flag.
      [secondary: <string> | default = ""]

      # mirror_enabled is not exposed as CLI flag.
      [mirror_enabled: <boolean> | default = false]

      # mirror_timeout is not exposed as CLI flag.
      [mirror_timeout: <duration> | default = 2s]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # heartbeat_timeout is not exposed as CLI flag.
  [heartbeat_timeout: <duration> | default = 1m]

  # wait_stability_min_duration is not exposed as CLI flag.
  [wait_stability_min_duration: <duration> | default = 1m]

  # wait_stability_max_duration is not exposed as CLI flag.
  [wait_stability_max_duration: <duration> | default = 5m]

  # instance_interface_names is not exposed as CLI flag.
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # wait_active_instance_timeout is not exposed as CLI flag.
  [wait_active_instance_timeout: <duration> | default = 10m]

compaction:
  # chunk_size_bytes is not exposed as CLI flag.
  [chunk_size_bytes: <int> | default = 5242880]

  # flush_size_bytes is not exposed as CLI flag.
  [flush_size_bytes: <int> | default = 31457280]

  # Maximum time window across which to compact blocks.
  # CLI flag: -compactor.compaction.compaction-window
  [compaction_window: <duration> | default = 1h]

  # Maximum number of traces in a compacted block.
  # CLI flag: -compactor.compaction.max-objects-per-block
  [max_compaction_objects: <int> | default = 6000000]

  # Maximum size of a compacted block.
  # CLI flag: -compactor.compaction.max-block-bytes
  [max_block_bytes: <int> | default = 107374182400]

  # Duration to keep blocks/traces.
  # CLI flag: -compactor.compaction.block-retention
  [block_retention: <duration> | default = 336h]

  # compacted_block_retention is not exposed as CLI flag.
  [compacted_block_retention: <duration> | default = 1h]

  # retention_concurrency is not exposed as CLI flag.
  [retention_concurrency: <int> | default = 10]

  # iterator_buffer_size is not exposed as CLI flag.
  [iterator_buffer_size: <int> | default = 1000]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "compactor"]

storage_config

The storage_config block configures how and where to store data.

trace:
  pool:
    # max_workers is not exposed as CLI flag.
    [max_workers: <int> | default = 0]

    # queue_depth is not exposed as CLI flag.
    [queue_depth: <int> | default = 0]

  wal:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

    # completedfilepath is not exposed as CLI flag.
    [completedfilepath: <string> | default = ""]

    # blocksfilepath is not exposed as CLI flag.
    [blocksfilepath: <string> | default = ""]

    # encoding is not exposed as CLI flag.
    [encoding: <int> | default = none]

    # search_encoding is not exposed as CLI flag.
    [search_encoding: <int> | default = none]

  block:
    # index_downsample_bytes is not exposed as CLI flag.
    [index_downsample_bytes: <int> | default = 0]

    # index_page_size_bytes is not exposed as CLI flag.
    [index_page_size_bytes: <int> | default = 0]

    # bloom_filter_false_positive is not exposed as CLI flag.
    [bloom_filter_false_positive: <float> | default = 0]

    # bloom_filter_shard_size_bytes is not exposed as CLI flag.
    [bloom_filter_shard_size_bytes: <int> | default = 0]

    # encoding is not exposed as CLI flag.
    [encoding: <int> | default = none]

    # search_encoding is not exposed as CLI flag.
    [search_encoding: <int> | default = none]

    # search_page_size_bytes is not exposed as CLI flag.
    [search_page_size_bytes: <int> | default = 0]

  # Period at which to run the maintenance cycle.
  # CLI flag: -storage.trace.blocklist_poll
  [blocklist_poll: <duration> | default = 5m]

  # blocklist_poll_concurrency is not exposed as CLI flag.
  [blocklist_poll_concurrency: <int> | default = 50]

  # blocklist_poll_fallback is not exposed as CLI flag.
  [blocklist_poll_fallback: <boolean> | default = true]

  # blocklist_poll_tenant_index_builders is not exposed as CLI flag.
  [blocklist_poll_tenant_index_builders: <int> | default = 2]

  # blocklist_poll_stale_tenant_index is not exposed as CLI flag.
  [blocklist_poll_stale_tenant_index: <duration> | default = 0s]

  # Trace backend (s3, azure, gcs, local)
  # CLI flag: -storage.trace.backend
  [backend: <string> | default = ""]

  local:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

  gcs:
    # bucket_name is not exposed as CLI flag.
    [bucket_name: <string> | default = ""]

    # chunk_buffer_size is not exposed as CLI flag.
    [chunk_buffer_size: <int> | default = 0]

    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # insecure is not exposed as CLI flag.
    [insecure: <boolean> | default = false]

    # hedge_requests_at is not exposed as CLI flag.
    [hedge_requests_at: <duration> | default = 0s]

  s3:
    # bucket is not exposed as CLI flag.
    [bucket: <string> | default = ""]

    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # region is not exposed as CLI flag.
    [region: <string> | default = ""]

    # access_key is not exposed as CLI flag.
    [access_key: <string> | default = ""]

    # secret_key is not exposed as CLI flag.
    [secret_key: <string> | default = ""]

    # insecure is not exposed as CLI flag.
    [insecure: <boolean> | default = false]

    # part_size is not exposed as CLI flag.
    [part_size: <int> | default = 0]

    # hedge_requests_at is not exposed as CLI flag.
    [hedge_requests_at: <duration> | default = 0s]

    # signature_v2 is not exposed as CLI flag.
    [signature_v2: <boolean> | default = false]

    # forcepathstyle is not exposed as CLI flag.
    [forcepathstyle: <boolean> | default = false]

  azure:
    # storage-account-name is not exposed as CLI flag.
    [storage-account-name: <string> | default = ""]

    # storage-account-key is not exposed as CLI flag.
    [storage-account-key: <string> | default = ""]

    # container-name is not exposed as CLI flag.
    [container-name: <string> | default = ""]

    # endpoint-suffix is not exposed as CLI flag.
    [endpoint-suffix: <string> | default = ""]

    # max-buffers is not exposed as CLI flag.
    [max-buffers: <int> | default = 0]

    # buffer-size is not exposed as CLI flag.
    [buffer-size: <int> | default = 0]

    # hedge-requests-at is not exposed as CLI flag.
    [hedge-requests-at: <duration> | default = 0s]

  # cache is not exposed as CLI flag.
  [cache: <string> | default = ""]

  # cache_min_compaction_level is not exposed as CLI flag.
  [cache_min_compaction_level: <int> | default = 0]

  # cache_max_block_age is not exposed as CLI flag.
  [cache_max_block_age: <duration> | default = 0s]

  background_cache:
    # writeback_goroutines is not exposed as CLI flag.
    [writeback_goroutines: <int> | default = 0]

    # writeback_buffer is not exposed as CLI flag.
    [writeback_buffer: <int> | default = 0]

  memcached:
    # host is not exposed as CLI flag.
    [host: <string> | default = ""]

    # service is not exposed as CLI flag.
    [service: <string> | default = ""]

    # addresses is not exposed as CLI flag.
    [addresses: <string> | default = ""]

    # timeout is not exposed as CLI flag.
    [timeout: <duration> | default = 0s]

    # max_idle_conns is not exposed as CLI flag.
    [max_idle_conns: <int> | default = 0]

    # max_item_size is not exposed as CLI flag.
    [max_item_size: <int> | default = 0]

    # update_interval is not exposed as CLI flag.
    [update_interval: <duration> | default = 0s]

    # consistent_hash is not exposed as CLI flag.
    [consistent_hash: <boolean> | default = false]

    # circuit_breaker_consecutive_failures is not exposed as CLI flag.
    [circuit_breaker_consecutive_failures: <int> | default = 0]

    # circuit_breaker_timeout is not exposed as CLI flag.
    [circuit_breaker_timeout: <duration> | default = 0s]

    # circuit_breaker_interval is not exposed as CLI flag.
    [circuit_breaker_interval: <duration> | default = 0s]

    # ttl is not exposed as CLI flag.
    [ttl: <duration> | default = 0s]

  redis:
    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # master_name is not exposed as CLI flag.
    [master_name: <string> | default = ""]

    # timeout is not exposed as CLI flag.
    [timeout: <duration> | default = 0s]

    # expiration is not exposed as CLI flag.
    [expiration: <duration> | default = 0s]

    # db is not exposed as CLI flag.
    [db: <int> | default = 0]

    # pool_size is not exposed as CLI flag.
    [pool_size: <int> | default = 0]

    # password is not exposed as CLI flag.
    [password: <string> | default = ""]

    # tls_enabled is not exposed as CLI flag.
    [tls_enabled: <boolean> | default = false]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

    # idle_timeout is not exposed as CLI flag.
    [idle_timeout: <duration> | default = 0s]

    # max_connection_age is not exposed as CLI flag.
    [max_connection_age: <duration> | default = 0s]

    # ttl is not exposed as CLI flag.
    [ttl: <duration> | default = 0s]

overrides_config

The overrides_config block configures the overrides module to set global or per-tenant override settings.

# ingestion_rate_strategy is not exposed as CLI flag.
[ingestion_rate_strategy: <string> | default = "local"]

# ingestion_rate_limit_bytes is not exposed as CLI flag.
[ingestion_rate_limit_bytes: <int> | default = 15000000]

# ingestion_burst_size_bytes is not exposed as CLI flag.
[ingestion_burst_size_bytes: <int> | default = 20000000]

# search_tags_allow_list is not exposed as CLI flag.
[search_tags_allow_list: <map of string to struct {}> | default = map[]]

# max_traces_per_user is not exposed as CLI flag.
[max_traces_per_user: <int> | default = 10000]

# max_global_traces_per_user is not exposed as CLI flag.
[max_global_traces_per_user: <int> | default = 0]

# max_bytes_per_trace is not exposed as CLI flag.
[max_bytes_per_trace: <int> | default = 50000]

# max_search_bytes_per_trace is not exposed as CLI flag.
[max_search_bytes_per_trace: <int> | default = 0]

# block_retention is not exposed as CLI flag.
[block_retention: <duration> | default = 0s]

# per_tenant_override_config is not exposed as CLI flag.
[per_tenant_override_config: <string> | default = ""]

# per_tenant_override_period is not exposed as CLI flag.
[per_tenant_override_period: <duration> | default = 10s]

memberlist_config

The memberlist_config block configures how the gossip ring connects between distributors, ingesters and queriers.

# node_name is not exposed as CLI flag.
[node_name: <string> | default = ""]

# randomize_node_name is not exposed as CLI flag.
[randomize_node_name: <boolean> | default = true]

# stream_timeout is not exposed as CLI flag.
[stream_timeout: <duration> | default = 10s]

# retransmit_factor is not exposed as CLI flag.
[retransmit_factor: <int> | default = 2]

# pull_push_interval is not exposed as CLI flag.
[pull_push_interval: <duration> | default = 30s]

# gossip_interval is not exposed as CLI flag.
[gossip_interval: <duration> | default = 1s]

# gossip_nodes is not exposed as CLI flag.
[gossip_nodes: <int> | default = 2]

# gossip_to_dead_nodes_time is not exposed as CLI flag.
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# dead_node_reclaim_time is not exposed as CLI flag.
[dead_node_reclaim_time: <duration> | default = 0s]

# compression_enabled is not exposed as CLI flag.
[compression_enabled: <boolean> | default = false]

# advertise_addr is not exposed as CLI flag.
[advertise_addr: <string> | default = ""]

# advertise_port is not exposed as CLI flag.
[advertise_port: <int> | default = 7946]

# Host port to connect to memberlist cluster.
# CLI flag: -memberlist.host-port
[join_members: <list of string> | default = []]

# min_join_backoff is not exposed as CLI flag.
[min_join_backoff: <duration> | default = 1s]

# max_join_backoff is not exposed as CLI flag.
[max_join_backoff: <duration> | default = 1m]

# max_join_retries is not exposed as CLI flag.
[max_join_retries: <int> | default = 10]

# abort_if_cluster_join_fails is not exposed as CLI flag.
[abort_if_cluster_join_fails: <boolean> | default = true]

# rejoin_interval is not exposed as CLI flag.
[rejoin_interval: <duration> | default = 0s]

# left_ingesters_timeout is not exposed as CLI flag.
[left_ingesters_timeout: <duration> | default = 5m]

# leave_timeout is not exposed as CLI flag.
[leave_timeout: <duration> | default = 5s]

# message_history_buffer_bytes is not exposed as CLI flag.
[message_history_buffer_bytes: <int> | default = 0]

# bind_addr is not exposed as CLI flag.
[bind_addr: <list of string> | default = []]

# Port for memberlist to communicate on
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# packet_dial_timeout is not exposed as CLI flag.
[packet_dial_timeout: <duration> | default = 5s]

# packet_write_timeout is not exposed as CLI flag.
[packet_write_timeout: <duration> | default = 5s]

# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]

# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]

# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]

# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]

# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]

# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]

admin_api_config

The admin_api_config block configures the Admin API service.

# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = false]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate file, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key file for the client certificate. Also requires the
        # client certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates file to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0 en0]]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

limits:
  # Should API based per-instance limits be used.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-instance limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

admin_client_config

The admin_client_config block configures how the Admin API service connects to the storage backend.

storage:
  # Set a backend to use, (gcs, s3)
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

  # Enable caching on the versioned client
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a servers response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to S3 via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

    # Path to header map file containing name/value combos.
    # CLI flag: -admin.client.s3.header-map.file-path
    [header_map_file_path: <string> | default = ""]

    # Interval at which to repoll the headers file, if set <= 0 polling is
    # disabled.
    # CLI flag: -admin.client.s3.header-map.poll-interval
    [header_map_poll_interval: <duration> | default = 1m]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON representing either a Google Developers Console
    # client_credentials.json file or a Google Developers service account key
    # file. If empty, fallback to Google default logic.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]

auth_config

The auth_config block configures the authentication type to use.

# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "trust"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as a admin scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]

federation_config

The federation_config block configures the cross-cluster query federation service.

proxy_targets:
  # Name contains the name of the proxy target, it will be used for the
  # __cluster__ label.
  [name: <string> | default = ""]

  # URL is the URL to the GET API endpoints.
  [url: <string> | default = ""]

  # Those optional Basic Auth parameters allow to override the client provided
  # credentials.
  basic_auth:
    # Basic Auth username
    [username: <string> | default = ""]

    # Basic Auth password
    [password: <string> | default = ""]

# Maximum number of concurrent requests to federation targets.
# CLI flag: -federation.max-concurrency
[max_concurrency: <int> | default = 20]

# Timeout for hedging requests to federation targets.
# CLI flag: -federation.hedge-requests-at
[hedge_requests_at: <duration> | default = 0s]

# Timeout for requests to federation targets.
# CLI flag: -federation.read-timeout
[read_timeout: <duration> | default = 5s]

gateway_config

The gateway_config block configures the gateway service.

proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  querier:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.querier.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.querier.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.querier.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.querier.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.querier.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.querier.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.querier.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.querier.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.querier.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.querier.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

license_config

The license_config block configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

tokengen_config

The tokengen_config block configures the tokengen service.

# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]