Configuration reference
Grafana Enterprise Traces can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.
The current configuration of any GET component can be seen by visiting the /config HTTP path.
Passwords are filtered out of this endpoint.
To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional.
Generic placeholders
<boolean>: a boolean that can take the valuestrueorfalse<int>: any integer matching the regular expression[1-9]+[0-9]*<duration>: a duration matching the regular expression[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)where y = 365 days<string>: a regular string<url>: a URL<prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)<time>: a timestamp, with available formats:2006-01-20(midnight, local timezone),2006-01-20T15:04(local timezone), and RFC 3339 formats:2006-01-20T15:04:05Z(UTC) or2006-01-20T15:04:05+07:00(explicit timezone)
Environment variables in the configuration
You can use environment variable references in the config file to set values that need to be configurable during deployment by using the -config.expand-env flag.
To do this, use:
${VAR}
Where VAR is the name of the environment variable.
Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.
To specify a default value, use:
${VAR:default_value}
Where default_value is the value to use if the environment variable is undefined.
Supported contents and default values
# target module
# CLI flag: -target
[target: <string> | default = "all"]
# Set to true to enable auth (deprecated: use multitenancy.enabled)
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = false]
# Set to true to enable multitenancy.
# CLI flag: -multitenancy.enabled
[multitenancy_enabled: <boolean> | default = false]
# Set to true to enable search (unstable).
# CLI flag: -search.enabled
[search_enabled: <boolean> | default = false]
# String prefix for all http api endpoints.
# CLI flag: -http-api-prefix
[http_api_prefix: <string> | default = ""]
# Set to true to replace the OpenTracing tracer with the OpenTelemetry tracer
# CLI flag: -use-otel-tracer
[use_otel_tracer: <boolean> | default = false]
# The server_config block configures the HTTP and gRPC server of the launched
# services.
[server: <server_config>]
# The distributor_config block configures the distributor service.
[distributor: <distributor_config>]
# The ingester_client_config block configures how the distributor services
# connect to the ingester services.
[ingester_client: <ingester_client_config>]
# The querier_config block configures the querier service.
[querier: <querier_config>]
# The query_frontend_config block configures the query frontend service.
[query_frontend: <query_frontend_config>]
# The compactor_config block configures the compactor service.
[compactor: <compactor_config>]
# The ingester_config block configures the ingester service.
[ingester: <ingester_config>]
# The storage_config block configures how and where to store data.
[storage: <storage_config>]
# The overrides_config block configures the overrides module to set global or
# per-tenant override settings.
[overrides: <overrides_config>]
# The memberlist_config block configures how the gossip ring connects between
# distributors, ingesters and queriers.
[memberlist: <memberlist_config>]
# The admin_api_config block configures the Admin API service.
[admin_api: <admin_api_config>]
# The admin_client_config block configures how the Admin API service connects to
# the storage backend.
[admin_client: <admin_client_config>]
# The auth_config block configures the authentication type to use.
[auth: <auth_config>]
# Unique ID of this GET cluster. If undefined the name in the license is used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]
# The tokengen_config block configures the tokengen service.
[tokengen: <tokengen_config>]
# The federation_config block configures the cross-cluster query federation
# service.
[federation: <federation_config>]
# The gateway_config block configures the gateway service.
[gateway: <gateway_config>]
# The license_config block configures the license validation module.
[license: <license_config>]
server_config
The server_config block configures the HTTP and gRPC server of the launched services.
# http_listen_network is not exposed as CLI flag.
[http_listen_network: <string> | default = "tcp"]
# http_listen_address is not exposed as CLI flag.
[http_listen_address: <string> | default = ""]
# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]
# http_listen_conn_limit is not exposed as CLI flag.
[http_listen_conn_limit: <int> | default = 0]
# grpc_listen_network is not exposed as CLI flag.
[grpc_listen_network: <string> | default = "tcp"]
# grpc_listen_address is not exposed as CLI flag.
[grpc_listen_address: <string> | default = ""]
# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]
# grpc_listen_conn_limit is not exposed as CLI flag.
[grpc_listen_conn_limit: <int> | default = 0]
http_tls_config:
# cert_file is not exposed as CLI flag.
[cert_file: <string> | default = ""]
# key_file is not exposed as CLI flag.
[key_file: <string> | default = ""]
# client_auth_type is not exposed as CLI flag.
[client_auth_type: <string> | default = ""]
# client_ca_file is not exposed as CLI flag.
[client_ca_file: <string> | default = ""]
grpc_tls_config:
# cert_file is not exposed as CLI flag.
[cert_file: <string> | default = ""]
# key_file is not exposed as CLI flag.
[key_file: <string> | default = ""]
# client_auth_type is not exposed as CLI flag.
[client_auth_type: <string> | default = ""]
# client_ca_file is not exposed as CLI flag.
[client_ca_file: <string> | default = ""]
# register_instrumentation is not exposed as CLI flag.
[register_instrumentation: <boolean> | default = true]
# graceful_shutdown_timeout is not exposed as CLI flag.
[graceful_shutdown_timeout: <duration> | default = 30s]
# http_server_read_timeout is not exposed as CLI flag.
[http_server_read_timeout: <duration> | default = 30s]
# http_server_write_timeout is not exposed as CLI flag.
[http_server_write_timeout: <duration> | default = 30s]
# http_server_idle_timeout is not exposed as CLI flag.
[http_server_idle_timeout: <duration> | default = 2m]
# grpc_server_max_recv_msg_size is not exposed as CLI flag.
[grpc_server_max_recv_msg_size: <int> | default = 4194304]
# grpc_server_max_send_msg_size is not exposed as CLI flag.
[grpc_server_max_send_msg_size: <int> | default = 4194304]
# grpc_server_max_concurrent_streams is not exposed as CLI flag.
[grpc_server_max_concurrent_streams: <int> | default = 100]
# grpc_server_max_connection_idle is not exposed as CLI flag.
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_max_connection_age is not exposed as CLI flag.
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_max_connection_age_grace is not exposed as CLI flag.
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]
# grpc_server_keepalive_time is not exposed as CLI flag.
[grpc_server_keepalive_time: <duration> | default = 2h]
# grpc_server_keepalive_timeout is not exposed as CLI flag.
[grpc_server_keepalive_timeout: <duration> | default = 20s]
# grpc_server_min_time_between_pings is not exposed as CLI flag.
[grpc_server_min_time_between_pings: <duration> | default = 10s]
# grpc_server_ping_without_stream_allowed is not exposed as CLI flag.
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]
# log_format is not exposed as CLI flag.
[log_format: <string> | default = "logfmt"]
# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]
# log_source_ips_enabled is not exposed as CLI flag.
[log_source_ips_enabled: <boolean> | default = false]
# log_source_ips_header is not exposed as CLI flag.
[log_source_ips_header: <string> | default = ""]
# log_source_ips_regex is not exposed as CLI flag.
[log_source_ips_regex: <string> | default = ""]
# http_path_prefix is not exposed as CLI flag.
[http_path_prefix: <string> | default = ""]
distributor_config
The distributor_config block configures the distributor service.
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = "memberlist"]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 5m]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = [eth0 en0]]
# receivers is not exposed as CLI flag.
[receivers: <map of string to interface {}> | default = map[]]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "distributor"]
# Enable to log every received trace id to help debug ingestion.
# CLI flag: -distributor.log-received-traces
[log_received_traces: <boolean> | default = false]
# extend_writes is not exposed as CLI flag.
[extend_writes: <boolean> | default = true]
# search_tags_deny_list is not exposed as CLI flag.
[search_tags_deny_list: <list of string> | default = []]
query_frontend_config
The query_frontend_config block configures the query frontend service.
# log_queries_longer_than is not exposed as CLI flag.
[log_queries_longer_than: <duration> | default = 0s]
# max_body_size is not exposed as CLI flag.
[max_body_size: <int> | default = 0]
# query_stats_enabled is not exposed as CLI flag.
[query_stats_enabled: <boolean> | default = false]
# max_outstanding_per_tenant is not exposed as CLI flag.
[max_outstanding_per_tenant: <int> | default = 100]
# querier_forget_delay is not exposed as CLI flag.
[querier_forget_delay: <duration> | default = 0s]
# scheduler_address is not exposed as CLI flag.
[scheduler_address: <string> | default = ""]
# scheduler_dns_lookup_period is not exposed as CLI flag.
[scheduler_dns_lookup_period: <duration> | default = 0s]
# scheduler_worker_concurrency is not exposed as CLI flag.
[scheduler_worker_concurrency: <int> | default = 0]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 0]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 0]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = ""]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 0s]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 0s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 0]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = []]
# downstream_url is not exposed as CLI flag.
[downstream_url: <string> | default = ""]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 2]
# query_shards is not exposed as CLI flag.
[query_shards: <int> | default = 20]
# tolerate_failed_blocks is not exposed as CLI flag.
[tolerate_failed_blocks: <int> | default = 0]
querier_config
The querier_config block configures the querier service.
# query_timeout is not exposed as CLI flag.
[query_timeout: <duration> | default = 10s]
# search_query_timeout is not exposed as CLI flag.
[search_query_timeout: <duration> | default = 30s]
# search_default_result_limit is not exposed as CLI flag.
[search_default_result_limit: <int> | default = 20]
# search_max_result_limit is not exposed as CLI flag.
[search_max_result_limit: <int> | default = 0]
# extra_query_delay is not exposed as CLI flag.
[extra_query_delay: <duration> | default = 0s]
# max_concurrent_queries is not exposed as CLI flag.
[max_concurrent_queries: <int> | default = 5]
frontend_worker:
# Address of query frontend service, in host:port format.
# CLI flag: -querier.frontend-address
[frontend_address: <string> | default = ""]
# scheduler_address is not exposed as CLI flag.
[scheduler_address: <string> | default = ""]
# dns_lookup_duration is not exposed as CLI flag.
[dns_lookup_duration: <duration> | default = 10s]
# parallelism is not exposed as CLI flag.
[parallelism: <int> | default = 2]
# match_max_concurrent is not exposed as CLI flag.
[match_max_concurrent: <boolean> | default = true]
# id is not exposed as CLI flag.
[id: <string> | default = ""]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 104857600]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 16777216]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = "gzip"]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 100ms]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 1s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 5]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
ingester_client_config
The ingester_client_config block configures how the distributor services connect to the ingester services.
pool_config:
# checkinterval is not exposed as CLI flag.
[checkinterval: <duration> | default = 15s]
# healthcheckenabled is not exposed as CLI flag.
[healthcheckenabled: <boolean> | default = true]
# healthchecktimeout is not exposed as CLI flag.
[healthchecktimeout: <duration> | default = 1s]
# remote_timeout is not exposed as CLI flag.
[remote_timeout: <duration> | default = 5s]
grpc_client_config:
# max_recv_msg_size is not exposed as CLI flag.
[max_recv_msg_size: <int> | default = 104857600]
# max_send_msg_size is not exposed as CLI flag.
[max_send_msg_size: <int> | default = 16777216]
# grpc_compression is not exposed as CLI flag.
[grpc_compression: <string> | default = "snappy"]
# rate_limit is not exposed as CLI flag.
[rate_limit: <float> | default = 0]
# rate_limit_burst is not exposed as CLI flag.
[rate_limit_burst: <int> | default = 0]
# backoff_on_ratelimits is not exposed as CLI flag.
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# min_period is not exposed as CLI flag.
[min_period: <duration> | default = 100ms]
# max_period is not exposed as CLI flag.
[max_period: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
ingester_config
The ingester_config block configures the ingester service.
lifecycler:
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = "memberlist"]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 5m]
# replication_factor is not exposed as CLI flag.
[replication_factor: <int> | default = 1]
# zone_awareness_enabled is not exposed as CLI flag.
[zone_awareness_enabled: <boolean> | default = false]
# num_tokens is not exposed as CLI flag.
[num_tokens: <int> | default = 128]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# observe_period is not exposed as CLI flag.
[observe_period: <duration> | default = 0s]
# join_after is not exposed as CLI flag.
[join_after: <duration> | default = 0s]
# min_ready_duration is not exposed as CLI flag.
[min_ready_duration: <duration> | default = 1m]
# interface_names is not exposed as CLI flag.
[interface_names: <list of string> | default = [eth0 en0]]
# final_sleep is not exposed as CLI flag.
[final_sleep: <duration> | default = 30s]
# tokens_file_path is not exposed as CLI flag.
[tokens_file_path: <string> | default = ""]
# availability_zone is not exposed as CLI flag.
[availability_zone: <string> | default = ""]
# unregister_on_shutdown is not exposed as CLI flag.
[unregister_on_shutdown: <boolean> | default = true]
# concurrent_flushes is not exposed as CLI flag.
[concurrent_flushes: <int> | default = 16]
# flush_check_period is not exposed as CLI flag.
[flush_check_period: <duration> | default = 10s]
# flush_op_timeout is not exposed as CLI flag.
[flush_op_timeout: <duration> | default = 5m]
# Duration after which to consider a trace complete if no spans have been
# received
# CLI flag: -ingester.trace-idle-period
[trace_idle_period: <duration> | default = 10s]
# Maximum duration which the head block can be appended to before cutting it.
# CLI flag: -ingester.max-block-duration
[max_block_duration: <duration> | default = 1h]
# Maximum size of the head block before cutting it.
# CLI flag: -ingester.max-block-bytes
[max_block_bytes: <int> | default = 1073741824]
# Duration to keep blocks in the ingester after they have been flushed.
# CLI flag: -ingester.complete-block-timeout
[complete_block_timeout: <duration> | default = 15m]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "ring"]
compactor_config
The compactor_config block configures the compactor service.
ring:
kvstore:
# store is not exposed as CLI flag.
[store: <string> | default = ""]
# prefix is not exposed as CLI flag.
[prefix: <string> | default = "collectors/"]
consul:
# host is not exposed as CLI flag.
[host: <string> | default = "localhost:8500"]
# acl_token is not exposed as CLI flag.
[acl_token: <string> | default = ""]
# http_client_timeout is not exposed as CLI flag.
[http_client_timeout: <duration> | default = 20s]
# consistent_reads is not exposed as CLI flag.
[consistent_reads: <boolean> | default = false]
# watch_rate_limit is not exposed as CLI flag.
[watch_rate_limit: <float> | default = 1]
# watch_burst_size is not exposed as CLI flag.
[watch_burst_size: <int> | default = 1]
etcd:
# endpoints is not exposed as CLI flag.
[endpoints: <list of string> | default = []]
# dial_timeout is not exposed as CLI flag.
[dial_timeout: <duration> | default = 10s]
# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 10]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# username is not exposed as CLI flag.
[username: <string> | default = ""]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
multi:
# primary is not exposed as CLI flag.
[primary: <string> | default = ""]
# secondary is not exposed as CLI flag.
[secondary: <string> | default = ""]
# mirror_enabled is not exposed as CLI flag.
[mirror_enabled: <boolean> | default = false]
# mirror_timeout is not exposed as CLI flag.
[mirror_timeout: <duration> | default = 2s]
# heartbeat_period is not exposed as CLI flag.
[heartbeat_period: <duration> | default = 5s]
# heartbeat_timeout is not exposed as CLI flag.
[heartbeat_timeout: <duration> | default = 1m]
# wait_stability_min_duration is not exposed as CLI flag.
[wait_stability_min_duration: <duration> | default = 1m]
# wait_stability_max_duration is not exposed as CLI flag.
[wait_stability_max_duration: <duration> | default = 5m]
# instance_interface_names is not exposed as CLI flag.
[instance_interface_names: <list of string> | default = [eth0 en0]]
# wait_active_instance_timeout is not exposed as CLI flag.
[wait_active_instance_timeout: <duration> | default = 10m]
compaction:
# chunk_size_bytes is not exposed as CLI flag.
[chunk_size_bytes: <int> | default = 5242880]
# flush_size_bytes is not exposed as CLI flag.
[flush_size_bytes: <int> | default = 31457280]
# Maximum time window across which to compact blocks.
# CLI flag: -compactor.compaction.compaction-window
[compaction_window: <duration> | default = 1h]
# Maximum number of traces in a compacted block.
# CLI flag: -compactor.compaction.max-objects-per-block
[max_compaction_objects: <int> | default = 6000000]
# Maximum size of a compacted block.
# CLI flag: -compactor.compaction.max-block-bytes
[max_block_bytes: <int> | default = 107374182400]
# Duration to keep blocks/traces.
# CLI flag: -compactor.compaction.block-retention
[block_retention: <duration> | default = 336h]
# compacted_block_retention is not exposed as CLI flag.
[compacted_block_retention: <duration> | default = 1h]
# retention_concurrency is not exposed as CLI flag.
[retention_concurrency: <int> | default = 10]
# iterator_buffer_size is not exposed as CLI flag.
[iterator_buffer_size: <int> | default = 1000]
# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "compactor"]
storage_config
The storage_config block configures how and where to store data.
trace:
pool:
# max_workers is not exposed as CLI flag.
[max_workers: <int> | default = 0]
# queue_depth is not exposed as CLI flag.
[queue_depth: <int> | default = 0]
wal:
# path is not exposed as CLI flag.
[path: <string> | default = ""]
# completedfilepath is not exposed as CLI flag.
[completedfilepath: <string> | default = ""]
# blocksfilepath is not exposed as CLI flag.
[blocksfilepath: <string> | default = ""]
# encoding is not exposed as CLI flag.
[encoding: <int> | default = none]
# search_encoding is not exposed as CLI flag.
[search_encoding: <int> | default = none]
block:
# index_downsample_bytes is not exposed as CLI flag.
[index_downsample_bytes: <int> | default = 0]
# index_page_size_bytes is not exposed as CLI flag.
[index_page_size_bytes: <int> | default = 0]
# bloom_filter_false_positive is not exposed as CLI flag.
[bloom_filter_false_positive: <float> | default = 0]
# bloom_filter_shard_size_bytes is not exposed as CLI flag.
[bloom_filter_shard_size_bytes: <int> | default = 0]
# encoding is not exposed as CLI flag.
[encoding: <int> | default = none]
# search_encoding is not exposed as CLI flag.
[search_encoding: <int> | default = none]
# search_page_size_bytes is not exposed as CLI flag.
[search_page_size_bytes: <int> | default = 0]
# Period at which to run the maintenance cycle.
# CLI flag: -storage.trace.blocklist_poll
[blocklist_poll: <duration> | default = 5m]
# blocklist_poll_concurrency is not exposed as CLI flag.
[blocklist_poll_concurrency: <int> | default = 50]
# blocklist_poll_fallback is not exposed as CLI flag.
[blocklist_poll_fallback: <boolean> | default = true]
# blocklist_poll_tenant_index_builders is not exposed as CLI flag.
[blocklist_poll_tenant_index_builders: <int> | default = 2]
# blocklist_poll_stale_tenant_index is not exposed as CLI flag.
[blocklist_poll_stale_tenant_index: <duration> | default = 0s]
# Trace backend (s3, azure, gcs, local)
# CLI flag: -storage.trace.backend
[backend: <string> | default = ""]
local:
# path is not exposed as CLI flag.
[path: <string> | default = ""]
gcs:
# bucket_name is not exposed as CLI flag.
[bucket_name: <string> | default = ""]
# chunk_buffer_size is not exposed as CLI flag.
[chunk_buffer_size: <int> | default = 0]
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# insecure is not exposed as CLI flag.
[insecure: <boolean> | default = false]
# hedge_requests_at is not exposed as CLI flag.
[hedge_requests_at: <duration> | default = 0s]
s3:
# bucket is not exposed as CLI flag.
[bucket: <string> | default = ""]
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# region is not exposed as CLI flag.
[region: <string> | default = ""]
# access_key is not exposed as CLI flag.
[access_key: <string> | default = ""]
# secret_key is not exposed as CLI flag.
[secret_key: <string> | default = ""]
# insecure is not exposed as CLI flag.
[insecure: <boolean> | default = false]
# part_size is not exposed as CLI flag.
[part_size: <int> | default = 0]
# hedge_requests_at is not exposed as CLI flag.
[hedge_requests_at: <duration> | default = 0s]
# signature_v2 is not exposed as CLI flag.
[signature_v2: <boolean> | default = false]
# forcepathstyle is not exposed as CLI flag.
[forcepathstyle: <boolean> | default = false]
azure:
# storage-account-name is not exposed as CLI flag.
[storage-account-name: <string> | default = ""]
# storage-account-key is not exposed as CLI flag.
[storage-account-key: <string> | default = ""]
# container-name is not exposed as CLI flag.
[container-name: <string> | default = ""]
# endpoint-suffix is not exposed as CLI flag.
[endpoint-suffix: <string> | default = ""]
# max-buffers is not exposed as CLI flag.
[max-buffers: <int> | default = 0]
# buffer-size is not exposed as CLI flag.
[buffer-size: <int> | default = 0]
# hedge-requests-at is not exposed as CLI flag.
[hedge-requests-at: <duration> | default = 0s]
# cache is not exposed as CLI flag.
[cache: <string> | default = ""]
# cache_min_compaction_level is not exposed as CLI flag.
[cache_min_compaction_level: <int> | default = 0]
# cache_max_block_age is not exposed as CLI flag.
[cache_max_block_age: <duration> | default = 0s]
background_cache:
# writeback_goroutines is not exposed as CLI flag.
[writeback_goroutines: <int> | default = 0]
# writeback_buffer is not exposed as CLI flag.
[writeback_buffer: <int> | default = 0]
memcached:
# host is not exposed as CLI flag.
[host: <string> | default = ""]
# service is not exposed as CLI flag.
[service: <string> | default = ""]
# addresses is not exposed as CLI flag.
[addresses: <string> | default = ""]
# timeout is not exposed as CLI flag.
[timeout: <duration> | default = 0s]
# max_idle_conns is not exposed as CLI flag.
[max_idle_conns: <int> | default = 0]
# max_item_size is not exposed as CLI flag.
[max_item_size: <int> | default = 0]
# update_interval is not exposed as CLI flag.
[update_interval: <duration> | default = 0s]
# consistent_hash is not exposed as CLI flag.
[consistent_hash: <boolean> | default = false]
# circuit_breaker_consecutive_failures is not exposed as CLI flag.
[circuit_breaker_consecutive_failures: <int> | default = 0]
# circuit_breaker_timeout is not exposed as CLI flag.
[circuit_breaker_timeout: <duration> | default = 0s]
# circuit_breaker_interval is not exposed as CLI flag.
[circuit_breaker_interval: <duration> | default = 0s]
# ttl is not exposed as CLI flag.
[ttl: <duration> | default = 0s]
redis:
# endpoint is not exposed as CLI flag.
[endpoint: <string> | default = ""]
# master_name is not exposed as CLI flag.
[master_name: <string> | default = ""]
# timeout is not exposed as CLI flag.
[timeout: <duration> | default = 0s]
# expiration is not exposed as CLI flag.
[expiration: <duration> | default = 0s]
# db is not exposed as CLI flag.
[db: <int> | default = 0]
# pool_size is not exposed as CLI flag.
[pool_size: <int> | default = 0]
# password is not exposed as CLI flag.
[password: <string> | default = ""]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
# idle_timeout is not exposed as CLI flag.
[idle_timeout: <duration> | default = 0s]
# max_connection_age is not exposed as CLI flag.
[max_connection_age: <duration> | default = 0s]
# ttl is not exposed as CLI flag.
[ttl: <duration> | default = 0s]
overrides_config
The overrides_config block configures the overrides module to set global or per-tenant override settings.
# ingestion_rate_strategy is not exposed as CLI flag.
[ingestion_rate_strategy: <string> | default = "local"]
# ingestion_rate_limit_bytes is not exposed as CLI flag.
[ingestion_rate_limit_bytes: <int> | default = 15000000]
# ingestion_burst_size_bytes is not exposed as CLI flag.
[ingestion_burst_size_bytes: <int> | default = 20000000]
# search_tags_allow_list is not exposed as CLI flag.
[search_tags_allow_list: <map of string to struct {}> | default = map[]]
# max_traces_per_user is not exposed as CLI flag.
[max_traces_per_user: <int> | default = 10000]
# max_global_traces_per_user is not exposed as CLI flag.
[max_global_traces_per_user: <int> | default = 0]
# max_bytes_per_trace is not exposed as CLI flag.
[max_bytes_per_trace: <int> | default = 50000]
# max_search_bytes_per_trace is not exposed as CLI flag.
[max_search_bytes_per_trace: <int> | default = 0]
# block_retention is not exposed as CLI flag.
[block_retention: <duration> | default = 0s]
# per_tenant_override_config is not exposed as CLI flag.
[per_tenant_override_config: <string> | default = ""]
# per_tenant_override_period is not exposed as CLI flag.
[per_tenant_override_period: <duration> | default = 10s]
memberlist_config
The memberlist_config block configures how the gossip ring connects between distributors, ingesters and queriers.
# node_name is not exposed as CLI flag.
[node_name: <string> | default = ""]
# randomize_node_name is not exposed as CLI flag.
[randomize_node_name: <boolean> | default = true]
# stream_timeout is not exposed as CLI flag.
[stream_timeout: <duration> | default = 10s]
# retransmit_factor is not exposed as CLI flag.
[retransmit_factor: <int> | default = 2]
# pull_push_interval is not exposed as CLI flag.
[pull_push_interval: <duration> | default = 30s]
# gossip_interval is not exposed as CLI flag.
[gossip_interval: <duration> | default = 1s]
# gossip_nodes is not exposed as CLI flag.
[gossip_nodes: <int> | default = 2]
# gossip_to_dead_nodes_time is not exposed as CLI flag.
[gossip_to_dead_nodes_time: <duration> | default = 30s]
# dead_node_reclaim_time is not exposed as CLI flag.
[dead_node_reclaim_time: <duration> | default = 0s]
# compression_enabled is not exposed as CLI flag.
[compression_enabled: <boolean> | default = false]
# advertise_addr is not exposed as CLI flag.
[advertise_addr: <string> | default = ""]
# advertise_port is not exposed as CLI flag.
[advertise_port: <int> | default = 7946]
# Host port to connect to memberlist cluster.
# CLI flag: -memberlist.host-port
[join_members: <list of string> | default = []]
# min_join_backoff is not exposed as CLI flag.
[min_join_backoff: <duration> | default = 1s]
# max_join_backoff is not exposed as CLI flag.
[max_join_backoff: <duration> | default = 1m]
# max_join_retries is not exposed as CLI flag.
[max_join_retries: <int> | default = 10]
# abort_if_cluster_join_fails is not exposed as CLI flag.
[abort_if_cluster_join_fails: <boolean> | default = true]
# rejoin_interval is not exposed as CLI flag.
[rejoin_interval: <duration> | default = 0s]
# left_ingesters_timeout is not exposed as CLI flag.
[left_ingesters_timeout: <duration> | default = 5m]
# leave_timeout is not exposed as CLI flag.
[leave_timeout: <duration> | default = 5s]
# message_history_buffer_bytes is not exposed as CLI flag.
[message_history_buffer_bytes: <int> | default = 0]
# bind_addr is not exposed as CLI flag.
[bind_addr: <list of string> | default = []]
# Port for memberlist to communicate on
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]
# packet_dial_timeout is not exposed as CLI flag.
[packet_dial_timeout: <duration> | default = 5s]
# packet_write_timeout is not exposed as CLI flag.
[packet_write_timeout: <duration> | default = 5s]
# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]
# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]
# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]
# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]
# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]
# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]
admin_api_config
The admin_api_config block configures the Admin API service.
# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]
leader_election:
# This flag enables leader election for the admin api.
# CLI flag: -admin-api.leader-election.enabled
[enabled: <boolean> | default = true]
ring:
kvstore:
# Backend storage to use for the ring. Supported values are: consul, etcd,
# inmemory, memberlist, multi.
# CLI flag: -admin-api.leader-election.ring.store
[store: <string> | default = "consul"]
# The prefix for the keys in the store. Should end with a /.
# CLI flag: -admin-api.leader-election.ring.prefix
[prefix: <string> | default = "leader-election/"]
consul:
# Hostname and port of Consul.
# CLI flag: -admin-api.leader-election.ring.consul.hostname
[host: <string> | default = "localhost:8500"]
# ACL Token used to interact with Consul.
# CLI flag: -admin-api.leader-election.ring.consul.acl-token
[acl_token: <string> | default = ""]
# HTTP timeout when talking to Consul
# CLI flag: -admin-api.leader-election.ring.consul.client-timeout
[http_client_timeout: <duration> | default = 20s]
# Enable consistent reads to Consul.
# CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
[consistent_reads: <boolean> | default = false]
# Rate limit when watching key or prefix in Consul, in requests per
# second. 0 disables the rate limit.
# CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
[watch_rate_limit: <float> | default = 1]
# Burst size used in rate limit. Values less than 1 are treated as 1.
# CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
[watch_burst_size: <int> | default = 1]
etcd:
# The etcd endpoints to connect to.
# CLI flag: -admin-api.leader-election.ring.etcd.endpoints
[endpoints: <list of string> | default = []]
# The dial timeout for the etcd connection.
# CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
[dial_timeout: <duration> | default = 10s]
# The maximum number of retries to do for failed ops.
# CLI flag: -admin-api.leader-election.ring.etcd.max-retries
[max_retries: <int> | default = 10]
# Enable TLS.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for
# authenticating with the server. Also requires the key path to be
# configured.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate
# against. If not set, the host's root CA certificates are used.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Etcd username.
# CLI flag: -admin-api.leader-election.ring.etcd.username
[username: <string> | default = ""]
# Etcd password.
# CLI flag: -admin-api.leader-election.ring.etcd.password
[password: <string> | default = ""]
multi:
# Primary backend storage used by multi-client.
# CLI flag: -admin-api.leader-election.ring.multi.primary
[primary: <string> | default = ""]
# Secondary backend storage used by multi-client.
# CLI flag: -admin-api.leader-election.ring.multi.secondary
[secondary: <string> | default = ""]
# Mirror writes to secondary store.
# CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
[mirror_enabled: <boolean> | default = false]
# Timeout for storing value to secondary store.
# CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
[mirror_timeout: <duration> | default = 2s]
# Period at which to heartbeat to the ring.
# CLI flag: -admin-api.leader-election.ring.heartbeat-period
[heartbeat_period: <duration> | default = 15s]
# The heartbeat timeout after which admin-api instances are considered
# unhealthy within the ring.
# CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
[heartbeat_timeout: <duration> | default = 1m]
# Period to wait after generating tokens to resolve collisions. Required
# when using a gossip ring KV store.
# CLI flag: -admin-api.leader-election.ring.tokens-observe-period
[tokens_observe_period: <duration> | default = 1m]
# Name of network interface to read address from.
# CLI flag: -admin-api.leader-election.ring.instance-interface-names
[instance_interface_names: <list of string> | default = [eth0 en0]]
client_config:
# gRPC client max receive message size (bytes).
# CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]
# gRPC client max send message size (bytes).
# CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
[max_send_msg_size: <int> | default = 16777216]
# Use compression when sending messages. Supported values are: 'gzip',
# 'snappy' and '' (disable compression)
# CLI flag: -admin-api.leader-election.client.grpc-compression
[grpc_compression: <string> | default = ""]
# Rate limit for gRPC client; 0 means disabled.
# CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
[rate_limit: <float> | default = 0]
# Rate limit burst for gRPC client.
# CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
[rate_limit_burst: <int> | default = 0]
# Enable backoff and retry when we hit ratelimits.
# CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
[backoff_on_ratelimits: <boolean> | default = false]
backoff_config:
# Minimum delay when backing off.
# CLI flag: -admin-api.leader-election.client.backoff-min-period
[min_period: <duration> | default = 100ms]
# Maximum delay when backing off.
# CLI flag: -admin-api.leader-election.client.backoff-max-period
[max_period: <duration> | default = 10s]
# Number of times to backoff and retry before failing.
# CLI flag: -admin-api.leader-election.client.backoff-retries
[max_retries: <int> | default = 10]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -admin-api.leader-election.client.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -admin-api.leader-election.client.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -admin-api.leader-election.client.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -admin-api.leader-election.client.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -admin-api.leader-election.client.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
limits:
# Should API based per-instance limits be used.
# CLI flag: -admin-api.limits.enabled
[enabled: <boolean> | default = true]
# Period with which to refresh per-instance limits.
# CLI flag: -admin-api.limits.refresh-period
[refresh_period: <duration> | default = 1m]
admin_client_config
The admin_client_config block configures how the Admin API service connects to the storage backend.
storage:
# Set a backend to use, (gcs, s3)
# CLI flag: -admin.client.backend-type
[type: <string> | default = ""]
# Enable caching on the versioned client
# CLI flag: -admin.client.cache.enabled
[enable_cache: <boolean> | default = true]
s3:
# The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
# https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
# S3-compatible service in hostname:port format.
# CLI flag: -admin.client.s3.endpoint
[endpoint: <string> | default = ""]
# S3 region. If unset, the client will issue a S3 GetBucketLocation API call
# to autodetect it.
# CLI flag: -admin.client.s3.region
[region: <string> | default = ""]
# S3 bucket name
# CLI flag: -admin.client.s3.bucket-name
[bucket_name: <string> | default = ""]
# S3 secret access key
# CLI flag: -admin.client.s3.secret-access-key
[secret_access_key: <string> | default = ""]
# S3 access key ID
# CLI flag: -admin.client.s3.access-key-id
[access_key_id: <string> | default = ""]
# If enabled, use http:// for the S3 endpoint instead of https://. This
# could be useful in local dev/test environments while using an
# S3-compatible backend storage, like Minio.
# CLI flag: -admin.client.s3.insecure
[insecure: <boolean> | default = false]
# The signature version to use for authenticating against S3. Supported
# values are: v4, v2.
# CLI flag: -admin.client.s3.signature-version
[signature_version: <string> | default = "v4"]
sse:
# Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
# CLI flag: -admin.client.s3.sse.type
[type: <string> | default = ""]
# KMS Key ID used to encrypt objects in S3
# CLI flag: -admin.client.s3.sse.kms-key-id
[kms_key_id: <string> | default = ""]
# KMS Encryption Context used for object encryption. It expects JSON
# formatted string.
# CLI flag: -admin.client.s3.sse.kms-encryption-context
[kms_encryption_context: <string> | default = ""]
http:
# The time an idle connection will remain idle before closing.
# CLI flag: -admin.client.s3.http.idle-conn-timeout
[idle_conn_timeout: <duration> | default = 1m30s]
# The amount of time the client will wait for a servers response headers.
# CLI flag: -admin.client.s3.http.response-header-timeout
[response_header_timeout: <duration> | default = 2m]
# If the client connects to S3 via HTTPS and this option is enabled, the
# client will accept any certificate and hostname.
# CLI flag: -admin.client.s3.http.insecure-skip-verify
[insecure_skip_verify: <boolean> | default = false]
# Maximum time to wait for a TLS handshake. 0 means no limit.
# CLI flag: -admin.client.s3.tls-handshake-timeout
[tls_handshake_timeout: <duration> | default = 10s]
# The time to wait for a server's first response headers after fully
# writing the request headers if the request has an Expect header. 0 to
# send the request body immediately.
# CLI flag: -admin.client.s3.expect-continue-timeout
[expect_continue_timeout: <duration> | default = 1s]
# Maximum number of idle (keep-alive) connections across all hosts. 0
# means no limit.
# CLI flag: -admin.client.s3.max-idle-connections
[max_idle_connections: <int> | default = 100]
# Maximum number of idle (keep-alive) connections to keep per-host. If 0,
# a built-in default value is used.
# CLI flag: -admin.client.s3.max-idle-connections-per-host
[max_idle_connections_per_host: <int> | default = 100]
# Maximum number of connections per host. 0 means no limit.
# CLI flag: -admin.client.s3.max-connections-per-host
[max_connections_per_host: <int> | default = 0]
# Path to header map file containing name/value combos.
# CLI flag: -admin.client.s3.header-map.file-path
[header_map_file_path: <string> | default = ""]
# Interval at which to repoll the headers file, if set <= 0 polling is
# disabled.
# CLI flag: -admin.client.s3.header-map.poll-interval
[header_map_poll_interval: <duration> | default = 1m]
gcs:
# GCS bucket name
# CLI flag: -admin.client.gcs.bucket-name
[bucket_name: <string> | default = ""]
# JSON representing either a Google Developers Console
# client_credentials.json file or a Google Developers service account key
# file. If empty, fallback to Google default logic.
# CLI flag: -admin.client.gcs.service-account
[service_account: <string> | default = ""]
azure:
# Azure storage account name
# CLI flag: -admin.client.azure.account-name
[account_name: <string> | default = ""]
# Azure storage account key
# CLI flag: -admin.client.azure.account-key
[account_key: <string> | default = ""]
# Azure storage container name
# CLI flag: -admin.client.azure.container-name
[container_name: <string> | default = ""]
# Azure storage endpoint suffix without schema. The account name will be
# prefixed to this value to create the FQDN
# CLI flag: -admin.client.azure.endpoint-suffix
[endpoint_suffix: <string> | default = ""]
# Number of retries for recoverable errors
# CLI flag: -admin.client.azure.max-retries
[max_retries: <int> | default = 20]
# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]
auth_config
The auth_config block configures the authentication type to use.
# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "trust"]
# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]
override:
# Override admin token. If set, this string will always be accepted as a token
# with admin level scope.
# CLI flag: -auth.override.token
[token: <string> | default = ""]
# If set, this file will be read at startup and the string from that file will
# be used as a admin scoped token.
# CLI flag: -auth.override.token-file
[token_file: <string> | default = ""]
admin:
# how long auth responses should be cached
# CLI flag: -auth.cache.ttl
[cache_ttl: <duration> | default = 10m]
oidc:
# JWT token issuer URL (example "https://accounts.google.com")
# CLI flag: -auth.admin.oidc.issuer-url
[issuer_url: <string> | default = ""]
# claim in the JWT token containing the access policy
# CLI flag: -auth.admin.oidc.access-policy-claim
[access_policy_claim: <string> | default = ""]
# regex to extract the access policy from the JWT token. The first submatch
# of the provided regex expression will be used.
# CLI flag: -auth.admin.oidc.access-policy-regex
[access_policy_regex: <string> | default = ""]
# optional audience to check in JWT token
# CLI flag: -auth.admin.oidc.audience
[audience: <string> | default = ""]
# name of the access policy to use when the token doesn't contain an access
# policy
# CLI flag: -auth.admin.oidc.default-access-policy
[default_access_policy: <string> | default = ""]
# enable ADFS compatibility
# CLI flag: -auth.admin.oidc.adfs-compatibility
[adfs_compatibility: <boolean> | default = false]
federation_config
The federation_config block configures the cross-cluster query federation service.
proxy_targets:
# Name contains the name of the proxy target, it will be used for the
# __cluster__ label.
[name: <string> | default = ""]
# URL is the URL to the GET API endpoints.
[url: <string> | default = ""]
# Those optional Basic Auth parameters allow to override the client provided
# credentials.
basic_auth:
# Basic Auth username
[username: <string> | default = ""]
# Basic Auth password
[password: <string> | default = ""]
# Maximum number of concurrent requests to federation targets.
# CLI flag: -federation.max-concurrency
[max_concurrency: <int> | default = 20]
# Timeout for hedging requests to federation targets.
# CLI flag: -federation.hedge-requests-at
[hedge_requests_at: <duration> | default = 0s]
# Timeout for requests to federation targets.
# CLI flag: -federation.read-timeout
[read_timeout: <duration> | default = 5s]
gateway_config
The gateway_config block configures the gateway service.
proxy:
default:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.default.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.default.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.default.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.default.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.default.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.default.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.default.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.default.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.default.read-timeout
[read_timeout: <duration> | default = 2m]
admin_api:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.admin-api.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.admin-api.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.admin-api.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.admin-api.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.admin-api.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.admin-api.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.admin-api.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.admin-api.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.admin-api.read-timeout
[read_timeout: <duration> | default = 2m]
compactor:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.compactor.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.compactor.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.compactor.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.compactor.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.compactor.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.compactor.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.compactor.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.compactor.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.compactor.read-timeout
[read_timeout: <duration> | default = 2m]
distributor:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.distributor.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.distributor.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.distributor.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.distributor.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.distributor.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.distributor.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.distributor.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.distributor.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.distributor.read-timeout
[read_timeout: <duration> | default = 2m]
ingester:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.ingester.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.ingester.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.ingester.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.ingester.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.ingester.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.ingester.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.ingester.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.ingester.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.ingester.read-timeout
[read_timeout: <duration> | default = 2m]
querier:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.querier.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.querier.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.querier.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.querier.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.querier.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.querier.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.querier.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.querier.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.querier.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.querier.read-timeout
[read_timeout: <duration> | default = 2m]
query_frontend:
# URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
# scheme h2c:// for HTTP2 proxying.
# CLI flag: -gateway.proxy.query-frontend.url
[url: <string> | default = ""]
# Enable keep alive for the backend.
# CLI flag: -gateway.proxy.query-frontend.enable-keepalive
[enable_keepalive: <boolean> | default = true]
# Enable TLS in the GRPC client. This flag needs to be enabled when any
# other TLS flag is set. If set to false, insecure connection to gRPC server
# will be used.
# CLI flag: -gateway.proxy.query-frontend.tls-enabled
[tls_enabled: <boolean> | default = false]
# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -gateway.proxy.query-frontend.tls-cert-path
[tls_cert_path: <string> | default = ""]
# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -gateway.proxy.query-frontend.tls-key-path
[tls_key_path: <string> | default = ""]
# Path to the CA certificates file to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -gateway.proxy.query-frontend.tls-ca-path
[tls_ca_path: <string> | default = ""]
# Override the expected name on the server certificate.
# CLI flag: -gateway.proxy.query-frontend.tls-server-name
[tls_server_name: <string> | default = ""]
# Skip validating server certificate.
# CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]
# Timeout for write requests to the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.query-frontend.write-timeout
[write_timeout: <duration> | default = 30s]
# Timeout for read requests the backend, set to <=0 to disable.
# CLI flag: -gateway.proxy.query-frontend.read-timeout
[read_timeout: <duration> | default = 2m]
license_config
The license_config block configures the license validation module.
# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]
# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]
tokengen_config
The tokengen_config block configures the tokengen service.
# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]
# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]
Related Enterprise Traces resources
Get started with distributed tracing with Grafana Tempo and Grafana Enterprise Traces
In this ObservabilityCON session, find out the latest features in the open source tracing project and the new addition to Grafana Enterprise Stack.
Correlate your metrics, logs, and traces with Grafana Stack
Show how Grafana’s opinionated stack will allow you to correlate your metrics, logs, and traces, all under one roof.
