Configuration reference

Grafana Enterprise Traces (GET) can be configured using a YAML file (specified using the -config.file flag) or CLI flags. If you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GET component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a regular string
  • <url>: a URL
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

You can use environment variable references in the configuration file to set values that need to be configurable during deployment. To enable this, pass the --config.expand-env option and use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:-default_value}

Where default_value is the value to use if the environment variable is undefined.

You can find more about other supported syntax here
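
The expansion rules above mean that an undefined variable silently becomes an empty value, for example an empty etcd password. The following added example (not code from Grafana Enterprise Traces) models the two documented forms, `${VAR}` and `${VAR:-default_value}`, and reports every reference that would expand to an empty string. The sample config, environment and hostname are constructed, and a variable that is set but empty is treated as defined, which is an assumption.

```python
import re

# The two reference forms this page documents: ${VAR} and ${VAR:-default_value}.
# Other syntax supported by the real expander is not modelled here.
_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")
_KEY = re.compile(r"^\s*(?:-\s*)?([A-Za-z0-9_]+)\s*:")


def expand(text, env):
    """Expand references in raw config text, before any YAML parsing.

    Returns (expanded_text, findings). Each finding is
    (line_number, yaml_key, variable) for a reference that had neither a
    value nor a default and was therefore replaced by an empty string.
    """
    lines = text.splitlines()
    findings = []

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in env:  # lookup is case-sensitive, as documented
            return env[name]
        if default is not None:
            return default
        line_no = text.count("\n", 0, match.start()) + 1
        key = _KEY.match(lines[line_no - 1])
        findings.append((line_no, key.group(1) if key else None, name))
        return ""

    return _REF.sub(substitute, text), findings


# Constructed sample: keys come from the reference on this page,
# the values and variable names are made up for the example.
SAMPLE_CONFIG = """\
multitenancy_enabled: true
server:
  http_listen_port: ${GET_HTTP_PORT:-80}
metrics_generator:
  ring:
    kvstore:
      store: etcd
      etcd:
        endpoints: [${ETCD_ENDPOINT}]
        username: ${ETCD_USER}
        password: ${ETCD_PASSWORD}
"""

# Constructed environment: ETCD_PASSWORD and GET_HTTP_PORT are deliberately unset.
SAMPLE_ENV = {"ETCD_ENDPOINT": "etcd.internal.example:2379", "ETCD_USER": "get"}


if __name__ == "__main__":
    expanded, findings = expand(SAMPLE_CONFIG, SAMPLE_ENV)
    print(expanded)
    for line_no, key, var in findings:
        print(f"line {line_no}: {key} is empty because ${{{var}}} is undefined")
```

Running a check like this in the deployment pipeline, against the environment the process will actually start with, catches empty credentials before startup.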

Supported contents and default values

yaml
# target module
# CLI flag: -target
[target: <string> | default = "all"]

# Set to true to enable auth (deprecated: use multitenancy.enabled)
# CLI flag: -auth.enabled
[auth_enabled: <boolean> | default = false]

# Set to true to enable multitenancy.
# CLI flag: -multitenancy.enabled
[multitenancy_enabled: <boolean> | default = false]

# stream_over_http_enabled is not exposed as CLI flag.
[stream_over_http_enabled: <boolean> | default = false]

# String prefix for all http api endpoints.
# CLI flag: -http-api-prefix
[http_api_prefix: <string> | default = ""]

# Set to true to replace the OpenTracing tracer with the OpenTelemetry tracer
# CLI flag: -use-otel-tracer
[use_otel_tracer: <boolean> | default = false]

# Set to true to enable all Go runtime metrics
# CLI flag: -enable-go-runtime-metrics
[enable_go_runtime_metrics: <boolean> | default = false]

# Set to true to enable autocomplete filtering
# CLI flag: -autocomplete-filtering.enabled
[autocomplete_filtering_enabled: <boolean> | default = false]

# The server_config block configures the HTTP and gRPC server of the launched
# services.
[server: <server_config>]

internal_server:
  # http_listen_network is not exposed as CLI flag.
  [http_listen_network: <string> | default = "tcp"]

  # http_listen_address is not exposed as CLI flag.
  [http_listen_address: <string> | default = "localhost"]

  # http_listen_port is not exposed as CLI flag.
  [http_listen_port: <int> | default = 3101]

  # http_listen_conn_limit is not exposed as CLI flag.
  [http_listen_conn_limit: <int> | default = 0]

  # grpc_listen_network is not exposed as CLI flag.
  [grpc_listen_network: <string> | default = ""]

  # grpc_listen_address is not exposed as CLI flag.
  [grpc_listen_address: <string> | default = ""]

  # grpc_listen_port is not exposed as CLI flag.
  [grpc_listen_port: <int> | default = 0]

  # grpc_listen_conn_limit is not exposed as CLI flag.
  [grpc_listen_conn_limit: <int> | default = 0]

  # tls_cipher_suites is not exposed as CLI flag.
  [tls_cipher_suites: <string> | default = ""]

  # tls_min_version is not exposed as CLI flag.
  [tls_min_version: <string> | default = ""]

  http_tls_config:
    # cert is not exposed as CLI flag.
    [cert: <string> | default = ""]

    # key is not exposed as CLI flag.
    [key: <string> | default = ""]

    # client_ca is not exposed as CLI flag.
    [client_ca: <string> | default = ""]

    # cert_file is not exposed as CLI flag.
    [cert_file: <string> | default = ""]

    # key_file is not exposed as CLI flag.
    [key_file: <string> | default = ""]

    # client_auth_type is not exposed as CLI flag.
    [client_auth_type: <string> | default = ""]

    # client_ca_file is not exposed as CLI flag.
    [client_ca_file: <string> | default = ""]

  grpc_tls_config:
    # cert is not exposed as CLI flag.
    [cert: <string> | default = ""]

    # key is not exposed as CLI flag.
    [key: <string> | default = ""]

    # client_ca is not exposed as CLI flag.
    [client_ca: <string> | default = ""]

    # cert_file is not exposed as CLI flag.
    [cert_file: <string> | default = ""]

    # key_file is not exposed as CLI flag.
    [key_file: <string> | default = ""]

    # client_auth_type is not exposed as CLI flag.
    [client_auth_type: <string> | default = ""]

    # client_ca_file is not exposed as CLI flag.
    [client_ca_file: <string> | default = ""]

  # register_instrumentation is not exposed as CLI flag.
  [register_instrumentation: <boolean> | default = false]

  # graceful_shutdown_timeout is not exposed as CLI flag.
  [graceful_shutdown_timeout: <duration> | default = 30s]

  # http_server_read_timeout is not exposed as CLI flag.
  [http_server_read_timeout: <duration> | default = 30s]

  # http_server_write_timeout is not exposed as CLI flag.
  [http_server_write_timeout: <duration> | default = 30s]

  # http_server_idle_timeout is not exposed as CLI flag.
  [http_server_idle_timeout: <duration> | default = 2m]

  # grpc_server_max_recv_msg_size is not exposed as CLI flag.
  [grpc_server_max_recv_msg_size: <int> | default = 0]

  # grpc_server_max_send_msg_size is not exposed as CLI flag.
  [grpc_server_max_send_msg_size: <int> | default = 0]

  # grpc_server_max_concurrent_streams is not exposed as CLI flag.
  [grpc_server_max_concurrent_streams: <int> | default = 0]

  # grpc_server_max_connection_idle is not exposed as CLI flag.
  [grpc_server_max_connection_idle: <duration> | default = 0s]

  # grpc_server_max_connection_age is not exposed as CLI flag.
  [grpc_server_max_connection_age: <duration> | default = 0s]

  # grpc_server_max_connection_age_grace is not exposed as CLI flag.
  [grpc_server_max_connection_age_grace: <duration> | default = 0s]

  # grpc_server_keepalive_time is not exposed as CLI flag.
  [grpc_server_keepalive_time: <duration> | default = 0s]

  # grpc_server_keepalive_timeout is not exposed as CLI flag.
  [grpc_server_keepalive_timeout: <duration> | default = 0s]

  # grpc_server_min_time_between_pings is not exposed as CLI flag.
  [grpc_server_min_time_between_pings: <duration> | default = 0s]

  # grpc_server_ping_without_stream_allowed is not exposed as CLI flag.
  [grpc_server_ping_without_stream_allowed: <boolean> | default = false]

  # log_format is not exposed as CLI flag.
  [log_format: <string> | default = ""]

  # log_level is not exposed as CLI flag.
  [log_level: <string> | default = "{ panic <nil>}"]

  # log_source_ips_enabled is not exposed as CLI flag.
  [log_source_ips_enabled: <boolean> | default = false]

  # log_source_ips_header is not exposed as CLI flag.
  [log_source_ips_header: <string> | default = ""]

  # log_source_ips_regex is not exposed as CLI flag.
  [log_source_ips_regex: <string> | default = ""]

  # log_request_headers is not exposed as CLI flag.
  [log_request_headers: <boolean> | default = false]

  # log_request_at_info_level_enabled is not exposed as CLI flag.
  [log_request_at_info_level_enabled: <boolean> | default = false]

  # log_request_exclude_headers_list is not exposed as CLI flag.
  [log_request_exclude_headers_list: <string> | default = ""]

  # http_path_prefix is not exposed as CLI flag.
  [http_path_prefix: <string> | default = ""]

  # enable is not exposed as CLI flag.
  [enable: <boolean> | default = false]

# The distributor_config block configures the distributor service.
[distributor: <distributor_config>]

# The ingester_client_config block configures how the distributor services
# connect to the ingester services.
[ingester_client: <ingester_client_config>]

metrics_generator_client:
  pool_config:
    # checkinterval is not exposed as CLI flag.
    [checkinterval: <duration> | default = 15s]

    # healthcheckenabled is not exposed as CLI flag.
    [healthcheckenabled: <boolean> | default = true]

    # healthchecktimeout is not exposed as CLI flag.
    [healthchecktimeout: <duration> | default = 1s]

    # maxconcurrenthealthchecks is not exposed as CLI flag.
    [maxconcurrenthealthchecks: <int> | default = 0]

  # remote_timeout is not exposed as CLI flag.
  [remote_timeout: <duration> | default = 5s]

  grpc_client_config:
    # max_recv_msg_size is not exposed as CLI flag.
    [max_recv_msg_size: <int> | default = 104857600]

    # max_send_msg_size is not exposed as CLI flag.
    [max_send_msg_size: <int> | default = 104857600]

    # grpc_compression is not exposed as CLI flag.
    [grpc_compression: <string> | default = "snappy"]

    # rate_limit is not exposed as CLI flag.
    [rate_limit: <float> | default = 0]

    # rate_limit_burst is not exposed as CLI flag.
    [rate_limit_burst: <int> | default = 0]

    # backoff_on_ratelimits is not exposed as CLI flag.
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # min_period is not exposed as CLI flag.
      [min_period: <duration> | default = 100ms]

      # max_period is not exposed as CLI flag.
      [max_period: <duration> | default = 10s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 10]

    # initial_stream_window_size is not exposed as CLI flag.
    [initial_stream_window_size: <int> | default = 65535]

    # initial_connection_window_size is not exposed as CLI flag.
    [initial_connection_window_size: <int> | default = 65535]

    # tls_enabled is not exposed as CLI flag.
    [tls_enabled: <boolean> | default = false]

    # tls_cert_path is not exposed as CLI flag.
    [tls_cert_path: <string> | default = ""]

    # tls_key_path is not exposed as CLI flag.
    [tls_key_path: <string> | default = ""]

    # tls_ca_path is not exposed as CLI flag.
    [tls_ca_path: <string> | default = ""]

    # tls_server_name is not exposed as CLI flag.
    [tls_server_name: <string> | default = ""]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

    # tls_cipher_suites is not exposed as CLI flag.
    [tls_cipher_suites: <string> | default = ""]

    # tls_min_version is not exposed as CLI flag.
    [tls_min_version: <string> | default = ""]

    # connect_timeout is not exposed as CLI flag.
    [connect_timeout: <duration> | default = 5s]

    # connect_backoff_base_delay is not exposed as CLI flag.
    [connect_backoff_base_delay: <duration> | default = 1s]

    # connect_backoff_max_delay is not exposed as CLI flag.
    [connect_backoff_max_delay: <duration> | default = 5s]

# The querier_config block configures the querier service.
[querier: <querier_config>]

# The query_frontend_config block configures the query frontend service.
[query_frontend: <query_frontend_config>]

# The compactor_config block configures the compactor service.
[compactor: <compactor_config>]

# The ingester_config block configures the ingester service.
[ingester: <ingester_config>]

metrics_generator:
  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -generatorstore
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -generatorprefix
      [prefix: <string> | default = "collectors/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -generatorconsul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -generatorconsul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -generatorconsul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -generatorconsul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -generatorconsul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -generatorconsul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -generatorconsul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -generatoretcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -generatoretcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -generatoretcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -generatoretcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -generatoretcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -generatoretcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -generatoretcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -generatoretcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -generatoretcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas).
        # CLI flag: -generatoretcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -generatoretcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -generatoretcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -generatoretcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -generatormulti.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -generatormulti.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -generatormulti.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -generatormulti.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # heartbeat_period is not exposed as CLI flag.
    [heartbeat_period: <duration> | default = 5s]

    # heartbeat_timeout is not exposed as CLI flag.
    [heartbeat_timeout: <duration> | default = 1m]

    # instance_id is not exposed as CLI flag.
    [instance_id: <string> | default = "Martins-MacBook-Pro.local"]

    # instance_interface_names is not exposed as CLI flag.
    [instance_interface_names: <list of string> | default = [eth0 en0]]

    # instance_addr is not exposed as CLI flag.
    [instance_addr: <string> | default = ""]

    # instance_port is not exposed as CLI flag.
    [instance_port: <int> | default = 0]

    # enable_inet6 is not exposed as CLI flag.
    [enable_inet6: <boolean> | default = false]

  processor:
    service_graphs:
      # wait is not exposed as CLI flag.
      [wait: <duration> | default = 10s]

      # max_items is not exposed as CLI flag.
      [max_items: <int> | default = 10000]

      # workers is not exposed as CLI flag.
      [workers: <int> | default = 10]

      # histogram_buckets is not exposed as CLI flag.
      [histogram_buckets: <list of float> | default = [0.1 0.2 0.4 0.8 1.6 3.2 6.4 12.8]]

      # dimensions is not exposed as CLI flag.
      [dimensions: <list of string> | default = []]

      # enable_client_server_prefix is not exposed as CLI flag.
      [enable_client_server_prefix: <boolean> | default = false]

      # peer_attributes is not exposed as CLI flag.
      [peer_attributes: <list of string> | default = [peer.service db.name db.system]]

      # span_multiplier_key is not exposed as CLI flag.
      [span_multiplier_key: <string> | default = ""]

    span_metrics:
      # histogram_buckets is not exposed as CLI flag.
      [histogram_buckets: <list of float> | default = [0.002 0.004 0.008 0.016 0.032 0.064 0.128 0.256 0.512 1.024 2.048 4.096 8.192 16.384]]

      intrinsic_dimensions:
        # service is not exposed as CLI flag.
        [service: <boolean> | default = true]

        # span_name is not exposed as CLI flag.
        [span_name: <boolean> | default = true]

        # span_kind is not exposed as CLI flag.
        [span_kind: <boolean> | default = true]

        # status_code is not exposed as CLI flag.
        [status_code: <boolean> | default = true]

        # status_message is not exposed as CLI flag.
        [status_message: <boolean> | default = false]

      # dimensions is not exposed as CLI flag.
      [dimensions: <list of string> | default = []]

      dimension_mappings:
        # name is not exposed as CLI flag.
        [name: <string> | default = ""]

        # source_labels is not exposed as CLI flag.
        [source_labels: <list of string> | default = []]

        # join is not exposed as CLI flag.
        [join: <string> | default = ""]

      # enable_target_info is not exposed as CLI flag.
      [enable_target_info: <boolean> | default = false]

      # span_multiplier_key is not exposed as CLI flag.
      [span_multiplier_key: <string> | default = ""]

      # subprocessors is not exposed as CLI flag.
      [subprocessors: <map of spanmetrics.Subprocessor to bool> | default = map[span-metrics-latency:true span-metrics-count:true span-metrics-size:true]]

      filter_policies:
        include:
          # match_type is not exposed as CLI flag.
          [match_type: <string> | default = ""]

          # policy match condition
          [attributes: <struct> | default = none]

        exclude:
          # match_type is not exposed as CLI flag.
          [match_type: <string> | default = ""]

          # policy match condition
          [attributes: <struct> | default = none]

      # target_info_excluded_dimensions is not exposed as CLI flag.
      [target_info_excluded_dimensions: <list of string> | default = []]

    local_blocks:
      block:
        # bloom_filter_false_positive is not exposed as CLI flag.
        [bloom_filter_false_positive: <float> | default = 0]

        # bloom_filter_shard_size_bytes is not exposed as CLI flag.
        [bloom_filter_shard_size_bytes: <int> | default = 0]

        # version is not exposed as CLI flag.
        [version: <string> | default = ""]

        # search_encoding is not exposed as CLI flag.
        [search_encoding: <int> | default = none]

        # search_page_size_bytes is not exposed as CLI flag.
        [search_page_size_bytes: <int> | default = 0]

        # v2_index_downsample_bytes is not exposed as CLI flag.
        [v2_index_downsample_bytes: <int> | default = 0]

        # v2_index_page_size_bytes is not exposed as CLI flag.
        [v2_index_page_size_bytes: <int> | default = 0]

        # v2_encoding is not exposed as CLI flag.
        [v2_encoding: <int> | default = none]

        # parquet_row_group_size_bytes is not exposed as CLI flag.
        [parquet_row_group_size_bytes: <int> | default = 0]

        parquet_dedicated_columns:
          # scope is not exposed as CLI flag.
          [scope: <string> | default = ""]

          # name is not exposed as CLI flag.
          [name: <string> | default = ""]

          # type is not exposed as CLI flag.
          [type: <string> | default = ""]

      search:
        # chunk_size_bytes is not exposed as CLI flag.
        [chunk_size_bytes: <int> | default = 0]

        # prefetch_trace_count is not exposed as CLI flag.
        [prefetch_trace_count: <int> | default = 0]

        # read_buffer_count is not exposed as CLI flag.
        [read_buffer_count: <int> | default = 0]

        # read_buffer_size_bytes is not exposed as CLI flag.
        [read_buffer_size_bytes: <int> | default = 0]

        cache_control:
          # footer is not exposed as CLI flag.
          [footer: <boolean> | default = false]

          # column_index is not exposed as CLI flag.
          [column_index: <boolean> | default = false]

          # offset_index is not exposed as CLI flag.
          [offset_index: <boolean> | default = false]

      # flush_check_period is not exposed as CLI flag.
      [flush_check_period: <duration> | default = 10s]

      # trace_idle_period is not exposed as CLI flag.
      [trace_idle_period: <duration> | default = 10s]

      # max_block_duration is not exposed as CLI flag.
      [max_block_duration: <duration> | default = 1m]

      # max_block_bytes is not exposed as CLI flag.
      [max_block_bytes: <int> | default = 500000000]

      # complete_block_timeout is not exposed as CLI flag.
      [complete_block_timeout: <duration> | default = 1h]

      # max_live_traces is not exposed as CLI flag.
      [max_live_traces: <int> | default = 0]

  registry:
    # collection_interval is not exposed as CLI flag.
    [collection_interval: <duration> | default = 15s]

    # stale_duration is not exposed as CLI flag.
    [stale_duration: <duration> | default = 15m]

    # external_labels is not exposed as CLI flag.
    [external_labels: <map of string to string> | default = map[]]

    # max_label_name_length is not exposed as CLI flag.
    [max_label_name_length: <int> | default = 1024]

    # max_label_value_length is not exposed as CLI flag.
    [max_label_value_length: <int> | default = 2048]

  storage:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

    wal:
      # wal_segment_size is not exposed as CLI flag.
      [wal_segment_size: <int> | default = 134217728]

      # wal_compression is not exposed as CLI flag.
      [wal_compression: <boolean> | default = false]

      # stripe_size is not exposed as CLI flag.
      [stripe_size: <int> | default = 16384]

      # truncate_frequency is not exposed as CLI flag.
      [truncate_frequency: <duration> | default = 2h]

      # min_wal_time is not exposed as CLI flag.
      [min_wal_time: <int> | default = 300000]

      # max_wal_time is not exposed as CLI flag.
      [max_wal_time: <int> | default = 14400000]

      # no_lockfile is not exposed as CLI flag.
      [no_lockfile: <boolean> | default = false]

    # remote_write_flush_deadline is not exposed as CLI flag.
    [remote_write_flush_deadline: <duration> | default = 1m]

    # Remote-write client configuration to send rule samples to a Prometheus
    # remote-write endpoint.
    # See
    # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write
    [remote_write: <array> | default = none]

  traces_storage:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

    # completedfilepath is not exposed as CLI flag.
    [completedfilepath: <string> | default = ""]

    # blocksfilepath is not exposed as CLI flag.
    [blocksfilepath: <string> | default = ""]

    # v2_encoding is not exposed as CLI flag.
    [v2_encoding: <int> | default = none]

    # search_encoding is not exposed as CLI flag.
    [search_encoding: <int> | default = none]

    # ingestion_time_range_slack is not exposed as CLI flag.
    [ingestion_time_range_slack: <duration> | default = 0s]

    # version is not exposed as CLI flag.
    [version: <string> | default = "vParquet2"]

  # metrics_ingestion_time_range_slack is not exposed as CLI flag.
  [metrics_ingestion_time_range_slack: <duration> | default = 30s]

  # query_timeout is not exposed as CLI flag.
  [query_timeout: <duration> | default = 30s]

  # override_ring_key is not exposed as CLI flag.
  [override_ring_key: <string> | default = "metrics-generator"]

# The storage_config block configures how and where to store data.
[storage: <storage_config>]

# The overrides_config block configures the overrides module to set global or
# per-tenant override settings.
[overrides: <overrides_config>]

# The memberlist_config block configures how the gossip ring connects between
# distributors, ingesters and queriers.
[memberlist: <memberlist_config>]

usage_report:
  # Enable anonymous usage reporting.
  # CLI flag: -reporting.enabled
  [reporting_enabled: <boolean> | default = true]

  backoff:
    # Minimum delay when backing off.
    # CLI flag: -reporting.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # Maximum delay when backing off.
    # CLI flag: -reporting.backoff-max-period
    [max_period: <duration> | default = 10s]

    # Number of times to backoff and retry before failing.
    # CLI flag: -reporting.backoff-retries
    [max_retries: <int> | default = 10]

# The admin_api_config block configures the Admin API service.
[admin_api: <admin_api_config>]

# The admin_client_config block configures how the Admin API service connects to
# the storage backend.
[admin_client: <admin_client_config>]

# The auth_config block configures the authentication type to use.
[auth: <auth_config>]

# Unique ID of this GET cluster. If undefined the name in the license is used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The tokengen_config block configures the tokengen service.
[tokengen: <tokengen_config>]

# The federation_config block configures the cross-cluster query federation
# service.
[federation: <federation_config>]

# The gateway_config block configures the gateway service.
[gateway: <gateway_config>]

# The license_config block configures the license validation module.
[license: <license_config>]
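
The reference above lists several transport settings whose values weaken a deployment: `tls_insecure_skip_verify` skips server certificate validation, `tls_min_version` accepts VersionTLS10 and VersionTLS11, and the etcd block takes a password while `tls_enabled` defaults to false. The following added example (not code from Grafana Enterprise Traces) audits a config file for those three conditions. The two sample configs, the hostname and the file paths are constructed, and the reader handles only simple block-style YAML.

```python
import re

_SETTING = re.compile(r"^(\s*)([A-Za-z0-9_]+):\s*(.*?)\s*$")
# Value names as listed for tls_min_version in the reference above.
OLD_TLS_VERSIONS = {"VersionTLS10", "VersionTLS11"}


def read_settings(text):
    """Return {dotted.path: value} for the 'key: value' leaves of block-style YAML."""
    settings, stack = {}, []  # stack holds (indent, key) of the enclosing blocks
    for raw in text.splitlines():
        match = _SETTING.match(re.sub(r"\s+#.*$", "", raw))  # drop inline comments
        if not match:
            continue
        indent, key = len(match.group(1)), match.group(2)
        value = match.group(3).strip("\"'")
        while stack and stack[-1][0] >= indent:  # leave blocks we have dedented out of
            stack.pop()
        stack.append((indent, key))
        if value:
            settings[".".join(k for _, k in stack)] = value
    return settings


def audit(text):
    """Return (path, problem) findings for the transport settings in a config."""
    settings = read_settings(text)
    findings = []
    for path, value in settings.items():
        block, _, leaf = path.rpartition(".")
        if leaf == "tls_insecure_skip_verify" and value.lower() == "true":
            findings.append((path, "server certificate is not validated"))
        elif leaf == "tls_min_version" and value in OLD_TLS_VERSIONS:
            findings.append((path, f"{value} allows protocol versions below TLS 1.2"))
        elif leaf == "password" and block.endswith("etcd"):
            # tls_enabled defaults to false, so an absent key counts as disabled.
            if settings.get(block + ".tls_enabled", "false").lower() != "true":
                findings.append((path, "etcd credentials configured without tls_enabled: true"))
    return findings


# Constructed sample with the weak settings.
WEAK_CONFIG = """\
metrics_generator:
  ring:
    kvstore:
      store: etcd
      etcd:
        endpoints: [etcd.internal.example:2379]
        username: get
        password: constructed-placeholder
        tls_min_version: VersionTLS10
metrics_generator_client:
  grpc_client_config:
    tls_enabled: true
    tls_insecure_skip_verify: true   # disables server authentication
"""

# Constructed sample with the corrected settings (file paths are placeholders).
HARDENED_CONFIG = """\
metrics_generator:
  ring:
    kvstore:
      store: etcd
      etcd:
        endpoints: [etcd.internal.example:2379]
        username: get
        password: ${ETCD_PASSWORD}
        tls_enabled: true
        tls_ca_path: /etc/get/tls/ca.pem
        tls_min_version: VersionTLS12
metrics_generator_client:
  grpc_client_config:
    tls_enabled: true
    tls_ca_path: /etc/get/tls/ca.pem
    tls_insecure_skip_verify: false
"""


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for path, problem in audit(config):
            print(f"  {path}: {problem}")
```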

server_config

The server_config block configures the HTTP and gRPC server of the launched services.

yaml
# http_listen_network is not exposed as CLI flag.
[http_listen_network: <string> | default = "tcp"]

# http_listen_address is not exposed as CLI flag.
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 80]

# http_listen_conn_limit is not exposed as CLI flag.
[http_listen_conn_limit: <int> | default = 0]

# grpc_listen_network is not exposed as CLI flag.
[grpc_listen_network: <string> | default = "tcp"]

# grpc_listen_address is not exposed as CLI flag.
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# grpc_listen_conn_limit is not exposed as CLI flag.
[grpc_listen_conn_limit: <int> | default = 0]

# tls_cipher_suites is not exposed as CLI flag.
[tls_cipher_suites: <string> | default = ""]

# tls_min_version is not exposed as CLI flag.
[tls_min_version: <string> | default = ""]

http_tls_config:
  # cert is not exposed as CLI flag.
  [cert: <string> | default = ""]

  # key is not exposed as CLI flag.
  [key: <string> | default = ""]

  # client_ca is not exposed as CLI flag.
  [client_ca: <string> | default = ""]

  # cert_file is not exposed as CLI flag.
  [cert_file: <string> | default = ""]

  # key_file is not exposed as CLI flag.
  [key_file: <string> | default = ""]

  # client_auth_type is not exposed as CLI flag.
  [client_auth_type: <string> | default = ""]

  # client_ca_file is not exposed as CLI flag.
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # cert is not exposed as CLI flag.
  [cert: <string> | default = ""]

  # key is not exposed as CLI flag.
  [key: <string> | default = ""]

  # client_ca is not exposed as CLI flag.
  [client_ca: <string> | default = ""]

  # cert_file is not exposed as CLI flag.
  [cert_file: <string> | default = ""]

  # key_file is not exposed as CLI flag.
  [key_file: <string> | default = ""]

  # client_auth_type is not exposed as CLI flag.
  [client_auth_type: <string> | default = ""]

  # client_ca_file is not exposed as CLI flag.
  [client_ca_file: <string> | default = ""]

# register_instrumentation is not exposed as CLI flag.
[register_instrumentation: <boolean> | default = true]

# graceful_shutdown_timeout is not exposed as CLI flag.
[graceful_shutdown_timeout: <duration> | default = 30s]

# http_server_read_timeout is not exposed as CLI flag.
[http_server_read_timeout: <duration> | default = 30s]

# http_server_write_timeout is not exposed as CLI flag.
[http_server_write_timeout: <duration> | default = 30s]

# http_server_idle_timeout is not exposed as CLI flag.
[http_server_idle_timeout: <duration> | default = 2m]

# grpc_server_max_recv_msg_size is not exposed as CLI flag.
[grpc_server_max_recv_msg_size: <int> | default = 16777216]

# grpc_server_max_send_msg_size is not exposed as CLI flag.
[grpc_server_max_send_msg_size: <int> | default = 16777216]

# grpc_server_max_concurrent_streams is not exposed as CLI flag.
[grpc_server_max_concurrent_streams: <int> | default = 100]

# grpc_server_max_connection_idle is not exposed as CLI flag.
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_max_connection_age is not exposed as CLI flag.
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_max_connection_age_grace is not exposed as CLI flag.
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# grpc_server_keepalive_time is not exposed as CLI flag.
[grpc_server_keepalive_time: <duration> | default = 2h]

# grpc_server_keepalive_timeout is not exposed as CLI flag.
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# grpc_server_min_time_between_pings is not exposed as CLI flag.
[grpc_server_min_time_between_pings: <duration> | default = 10s]

# grpc_server_ping_without_stream_allowed is not exposed as CLI flag.
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]

# log_format is not exposed as CLI flag.
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# log_source_ips_enabled is not exposed as CLI flag.
[log_source_ips_enabled: <boolean> | default = false]

# log_source_ips_header is not exposed as CLI flag.
[log_source_ips_header: <string> | default = ""]

# log_source_ips_regex is not exposed as CLI flag.
[log_source_ips_regex: <string> | default = ""]

# log_request_headers is not exposed as CLI flag.
[log_request_headers: <boolean> | default = false]

# log_request_at_info_level_enabled is not exposed as CLI flag.
[log_request_at_info_level_enabled: <boolean> | default = false]

# log_request_exclude_headers_list is not exposed as CLI flag.
[log_request_exclude_headers_list: <string> | default = ""]

# http_path_prefix is not exposed as CLI flag.
[http_path_prefix: <string> | default = ""]

distributor_config

The distributor_config block configures the distributor service.

ring:
  kvstore:
    # store is not exposed as CLI flag.
    [store: <string> | default = "memberlist"]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = "collectors/"]

    consul:
      # host is not exposed as CLI flag.
      [host: <string> | default = "localhost:8500"]

      # acl_token is not exposed as CLI flag.
      [acl_token: <string> | default = ""]

      # http_client_timeout is not exposed as CLI flag.
      [http_client_timeout: <duration> | default = 20s]

      # consistent_reads is not exposed as CLI flag.
      [consistent_reads: <boolean> | default = false]

      # watch_rate_limit is not exposed as CLI flag.
      [watch_rate_limit: <float> | default = 1]

      # watch_burst_size is not exposed as CLI flag.
      [watch_burst_size: <int> | default = 1]

      # cas_retry_delay is not exposed as CLI flag.
      [cas_retry_delay: <duration> | default = 1s]

    etcd:
      # endpoints is not exposed as CLI flag.
      [endpoints: <list of string> | default = []]

      # dial_timeout is not exposed as CLI flag.
      [dial_timeout: <duration> | default = 10s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 10]

      # tls_enabled is not exposed as CLI flag.
      [tls_enabled: <boolean> | default = false]

      # tls_cert_path is not exposed as CLI flag.
      [tls_cert_path: <string> | default = ""]

      # tls_key_path is not exposed as CLI flag.
      [tls_key_path: <string> | default = ""]

      # tls_ca_path is not exposed as CLI flag.
      [tls_ca_path: <string> | default = ""]

      # tls_server_name is not exposed as CLI flag.
      [tls_server_name: <string> | default = ""]

      # tls_insecure_skip_verify is not exposed as CLI flag.
      [tls_insecure_skip_verify: <boolean> | default = false]

      # tls_cipher_suites is not exposed as CLI flag.
      [tls_cipher_suites: <string> | default = ""]

      # tls_min_version is not exposed as CLI flag.
      [tls_min_version: <string> | default = ""]

      # username is not exposed as CLI flag.
      [username: <string> | default = ""]

      # password is not exposed as CLI flag.
      [password: <string> | default = ""]

    multi:
      # primary is not exposed as CLI flag.
      [primary: <string> | default = ""]

      # secondary is not exposed as CLI flag.
      [secondary: <string> | default = ""]

      # mirror_enabled is not exposed as CLI flag.
      [mirror_enabled: <boolean> | default = false]

      # mirror_timeout is not exposed as CLI flag.
      [mirror_timeout: <duration> | default = 2s]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # heartbeat_timeout is not exposed as CLI flag.
  [heartbeat_timeout: <duration> | default = 5m]

  # instance_interface_names is not exposed as CLI flag.
  [instance_interface_names: <list of string> | default = [eth0 en0]]

# receivers is not exposed as CLI flag.
[receivers: <map of string to interface {}> | default = map[]]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "distributor"]

# Enable to log every received trace id to help debug ingestion.
# CLI flag: -distributor.log-received-traces
[log_received_traces: <boolean> | default = false]

log_received_spans:
  # Enable to log every received span to help debug ingestion or calculate span
  # error distributions using the logs.
  # CLI flag: -distributor.log-received-spans.enabled
  [enabled: <boolean> | default = false]

  # Enable to include span attributes in the logs.
  # CLI flag: -distributor.log-received-spans.include-attributes
  [include_all_attributes: <boolean> | default = false]

  # Enable to filter out spans without status error.
  # CLI flag: -distributor.log-received-spans.filter-by-status-error
  [filter_by_status_error: <boolean> | default = false]

forwarders:
  # name is not exposed as CLI flag.
  [name: <string> | default = ""]

  # backend is not exposed as CLI flag.
  [backend: <string> | default = ""]

  otlpgrpc:
    # endpoints is not exposed as CLI flag.
    [endpoints: <list of string> | default = []]

    tls:
      # insecure is not exposed as CLI flag.
      [insecure: <boolean> | default = false]

      # cert_file is not exposed as CLI flag.
      [cert_file: <string> | default = ""]

  filter:
    traces:
      # span is not exposed as CLI flag.
      [span: <list of string> | default = []]

      # spanevent is not exposed as CLI flag.
      [spanevent: <list of string> | default = []]

# extend_writes is not exposed as CLI flag.
[extend_writes: <boolean> | default = true]

query_frontend_config

The query_frontend_config block configures the query frontend service.

# max_outstanding_per_tenant is not exposed as CLI flag.
[max_outstanding_per_tenant: <int> | default = 2000]

# querier_forget_delay is not exposed as CLI flag.
[querier_forget_delay: <duration> | default = 0s]

# max_batch_size is not exposed as CLI flag.
[max_batch_size: <int> | default = 5]

# max_retries is not exposed as CLI flag.
[max_retries: <int> | default = 2]

search:
  # concurrent_jobs is not exposed as CLI flag.
  [concurrent_jobs: <int> | default = 1000]

  # target_bytes_per_job is not exposed as CLI flag.
  [target_bytes_per_job: <int> | default = 104857600]

  # default_result_limit is not exposed as CLI flag.
  [default_result_limit: <int> | default = 20]

  # max_result_limit is not exposed as CLI flag.
  [max_result_limit: <int> | default = 0]

  # max_duration is not exposed as CLI flag.
  [max_duration: <duration> | default = 168h]

  # query_backend_after is not exposed as CLI flag.
  [query_backend_after: <duration> | default = 15m]

  # query_ingesters_until is not exposed as CLI flag.
  [query_ingesters_until: <duration> | default = 30m]

  # duration_slo is not exposed as CLI flag.
  [duration_slo: <duration> | default = 0s]

  # throughput_bytes_slo is not exposed as CLI flag.
  [throughput_bytes_slo: <float> | default = 0]

trace_by_id:
  # query_shards is not exposed as CLI flag.
  [query_shards: <int> | default = 50]

  # concurrent_shards is not exposed as CLI flag.
  [concurrent_shards: <int> | default = 0]

  # hedge_requests_at is not exposed as CLI flag.
  [hedge_requests_at: <duration> | default = 2s]

  # hedge_requests_up_to is not exposed as CLI flag.
  [hedge_requests_up_to: <int> | default = 2]

  # duration_slo is not exposed as CLI flag.
  [duration_slo: <duration> | default = 0s]

  # throughput_bytes_slo is not exposed as CLI flag.
  [throughput_bytes_slo: <float> | default = 0]

querier_config

The querier_config block configures the querier service.

search:
  # query_timeout is not exposed as CLI flag.
  [query_timeout: <duration> | default = 30s]

  # prefer_self is not exposed as CLI flag.
  [prefer_self: <int> | default = 10]

  # external_hedge_requests_at is not exposed as CLI flag.
  [external_hedge_requests_at: <duration> | default = 8s]

  # external_hedge_requests_up_to is not exposed as CLI flag.
  [external_hedge_requests_up_to: <int> | default = 2]

  # external_backend is not exposed as CLI flag.
  [external_backend: <string> | default = ""]

  google_cloud_run:
    # external_endpoints is not exposed as CLI flag.
    [external_endpoints: <list of string> | default = []]

    # noauth is not exposed as CLI flag.
    [noauth: <boolean> | default = false]

  # external_endpoints is not exposed as CLI flag.
  [external_endpoints: <list of string> | default = []]

trace_by_id:
  # query_timeout is not exposed as CLI flag.
  [query_timeout: <duration> | default = 10s]

# extra_query_delay is not exposed as CLI flag.
[extra_query_delay: <duration> | default = 0s]

# max_concurrent_queries is not exposed as CLI flag.
[max_concurrent_queries: <int> | default = 20]

frontend_worker:
  # Address of query frontend service, in host:port format.
  # CLI flag: -querier.frontend-address
  [frontend_address: <string> | default = ""]

  # dns_lookup_duration is not exposed as CLI flag.
  [dns_lookup_duration: <duration> | default = 10s]

  # parallelism is not exposed as CLI flag.
  [parallelism: <int> | default = 2]

  # match_max_concurrent is not exposed as CLI flag.
  [match_max_concurrent: <boolean> | default = true]

  # id is not exposed as CLI flag.
  [id: <string> | default = ""]

  grpc_client_config:
    # max_recv_msg_size is not exposed as CLI flag.
    [max_recv_msg_size: <int> | default = 104857600]

    # max_send_msg_size is not exposed as CLI flag.
    [max_send_msg_size: <int> | default = 16777216]

    # grpc_compression is not exposed as CLI flag.
    [grpc_compression: <string> | default = "gzip"]

    # rate_limit is not exposed as CLI flag.
    [rate_limit: <float> | default = 0]

    # rate_limit_burst is not exposed as CLI flag.
    [rate_limit_burst: <int> | default = 0]

    # backoff_on_ratelimits is not exposed as CLI flag.
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # min_period is not exposed as CLI flag.
      [min_period: <duration> | default = 100ms]

      # max_period is not exposed as CLI flag.
      [max_period: <duration> | default = 1s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 5]

    # initial_stream_window_size is not exposed as CLI flag.
    [initial_stream_window_size: <int> | default = 0]

    # initial_connection_window_size is not exposed as CLI flag.
    [initial_connection_window_size: <int> | default = 0]

    # tls_enabled is not exposed as CLI flag.
    [tls_enabled: <boolean> | default = false]

    # tls_cert_path is not exposed as CLI flag.
    [tls_cert_path: <string> | default = ""]

    # tls_key_path is not exposed as CLI flag.
    [tls_key_path: <string> | default = ""]

    # tls_ca_path is not exposed as CLI flag.
    [tls_ca_path: <string> | default = ""]

    # tls_server_name is not exposed as CLI flag.
    [tls_server_name: <string> | default = ""]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

    # tls_cipher_suites is not exposed as CLI flag.
    [tls_cipher_suites: <string> | default = ""]

    # tls_min_version is not exposed as CLI flag.
    [tls_min_version: <string> | default = ""]

    # connect_timeout is not exposed as CLI flag.
    [connect_timeout: <duration> | default = 0s]

    # connect_backoff_base_delay is not exposed as CLI flag.
    [connect_backoff_base_delay: <duration> | default = 0s]

    # connect_backoff_max_delay is not exposed as CLI flag.
    [connect_backoff_max_delay: <duration> | default = 0s]

# query_relevant_ingesters is not exposed as CLI flag.
[query_relevant_ingesters: <boolean> | default = false]

# secondary_ingester_ring is not exposed as CLI flag.
[secondary_ingester_ring: <string> | default = ""]

ingester_client_config

The ingester_client_config block configures how the distributor services connect to the ingester services.

pool_config:
  # checkinterval is not exposed as CLI flag.
  [checkinterval: <duration> | default = 15s]

  # healthcheckenabled is not exposed as CLI flag.
  [healthcheckenabled: <boolean> | default = true]

  # healthchecktimeout is not exposed as CLI flag.
  [healthchecktimeout: <duration> | default = 1s]

  # maxconcurrenthealthchecks is not exposed as CLI flag.
  [maxconcurrenthealthchecks: <int> | default = 0]

# remote_timeout is not exposed as CLI flag.
[remote_timeout: <duration> | default = 5s]

grpc_client_config:
  # max_recv_msg_size is not exposed as CLI flag.
  [max_recv_msg_size: <int> | default = 104857600]

  # max_send_msg_size is not exposed as CLI flag.
  [max_send_msg_size: <int> | default = 104857600]

  # grpc_compression is not exposed as CLI flag.
  [grpc_compression: <string> | default = "snappy"]

  # rate_limit is not exposed as CLI flag.
  [rate_limit: <float> | default = 0]

  # rate_limit_burst is not exposed as CLI flag.
  [rate_limit_burst: <int> | default = 0]

  # backoff_on_ratelimits is not exposed as CLI flag.
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # min_period is not exposed as CLI flag.
    [min_period: <duration> | default = 100ms]

    # max_period is not exposed as CLI flag.
    [max_period: <duration> | default = 10s]

    # max_retries is not exposed as CLI flag.
    [max_retries: <int> | default = 10]

  # initial_stream_window_size is not exposed as CLI flag.
  [initial_stream_window_size: <int> | default = 65535]

  # initial_connection_window_size is not exposed as CLI flag.
  [initial_connection_window_size: <int> | default = 65535]

  # tls_enabled is not exposed as CLI flag.
  [tls_enabled: <boolean> | default = false]

  # tls_cert_path is not exposed as CLI flag.
  [tls_cert_path: <string> | default = ""]

  # tls_key_path is not exposed as CLI flag.
  [tls_key_path: <string> | default = ""]

  # tls_ca_path is not exposed as CLI flag.
  [tls_ca_path: <string> | default = ""]

  # tls_server_name is not exposed as CLI flag.
  [tls_server_name: <string> | default = ""]

  # tls_insecure_skip_verify is not exposed as CLI flag.
  [tls_insecure_skip_verify: <boolean> | default = false]

  # tls_cipher_suites is not exposed as CLI flag.
  [tls_cipher_suites: <string> | default = ""]

  # tls_min_version is not exposed as CLI flag.
  [tls_min_version: <string> | default = ""]

  # connect_timeout is not exposed as CLI flag.
  [connect_timeout: <duration> | default = 5s]

  # connect_backoff_base_delay is not exposed as CLI flag.
  [connect_backoff_base_delay: <duration> | default = 1s]

  # connect_backoff_max_delay is not exposed as CLI flag.
  [connect_backoff_max_delay: <duration> | default = 5s]

ingester_config

The ingester_config block configures the ingester service.

lifecycler:
  ring:
    kvstore:
      # store is not exposed as CLI flag.
      [store: <string> | default = "memberlist"]

      # prefix is not exposed as CLI flag.
      [prefix: <string> | default = "collectors/"]

      consul:
        # host is not exposed as CLI flag.
        [host: <string> | default = "localhost:8500"]

        # acl_token is not exposed as CLI flag.
        [acl_token: <string> | default = ""]

        # http_client_timeout is not exposed as CLI flag.
        [http_client_timeout: <duration> | default = 20s]

        # consistent_reads is not exposed as CLI flag.
        [consistent_reads: <boolean> | default = false]

        # watch_rate_limit is not exposed as CLI flag.
        [watch_rate_limit: <float> | default = 1]

        # watch_burst_size is not exposed as CLI flag.
        [watch_burst_size: <int> | default = 1]

        # cas_retry_delay is not exposed as CLI flag.
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # endpoints is not exposed as CLI flag.
        [endpoints: <list of string> | default = []]

        # dial_timeout is not exposed as CLI flag.
        [dial_timeout: <duration> | default = 10s]

        # max_retries is not exposed as CLI flag.
        [max_retries: <int> | default = 10]

        # tls_enabled is not exposed as CLI flag.
        [tls_enabled: <boolean> | default = false]

        # tls_cert_path is not exposed as CLI flag.
        [tls_cert_path: <string> | default = ""]

        # tls_key_path is not exposed as CLI flag.
        [tls_key_path: <string> | default = ""]

        # tls_ca_path is not exposed as CLI flag.
        [tls_ca_path: <string> | default = ""]

        # tls_server_name is not exposed as CLI flag.
        [tls_server_name: <string> | default = ""]

        # tls_insecure_skip_verify is not exposed as CLI flag.
        [tls_insecure_skip_verify: <boolean> | default = false]

        # tls_cipher_suites is not exposed as CLI flag.
        [tls_cipher_suites: <string> | default = ""]

        # tls_min_version is not exposed as CLI flag.
        [tls_min_version: <string> | default = ""]

        # username is not exposed as CLI flag.
        [username: <string> | default = ""]

        # password is not exposed as CLI flag.
        [password: <string> | default = ""]

      multi:
        # primary is not exposed as CLI flag.
        [primary: <string> | default = ""]

        # secondary is not exposed as CLI flag.
        [secondary: <string> | default = ""]

        # mirror_enabled is not exposed as CLI flag.
        [mirror_enabled: <boolean> | default = false]

        # mirror_timeout is not exposed as CLI flag.
        [mirror_timeout: <duration> | default = 2s]

    # heartbeat_timeout is not exposed as CLI flag.
    [heartbeat_timeout: <duration> | default = 5m]

    # replication_factor is not exposed as CLI flag.
    [replication_factor: <int> | default = 1]

    # zone_awareness_enabled is not exposed as CLI flag.
    [zone_awareness_enabled: <boolean> | default = false]

    # excluded_zones is not exposed as CLI flag.
    [excluded_zones: <string> | default = ""]

  # num_tokens is not exposed as CLI flag.
  [num_tokens: <int> | default = 128]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # heartbeat_timeout is not exposed as CLI flag.
  [heartbeat_timeout: <duration> | default = 1m]

  # observe_period is not exposed as CLI flag.
  [observe_period: <duration> | default = 0s]

  # join_after is not exposed as CLI flag.
  [join_after: <duration> | default = 0s]

  # min_ready_duration is not exposed as CLI flag.
  [min_ready_duration: <duration> | default = 15s]

  # interface_names is not exposed as CLI flag.
  [interface_names: <list of string> | default = [en0]]

  # enable_inet6 is not exposed as CLI flag.
  [enable_inet6: <boolean> | default = false]

  # final_sleep is not exposed as CLI flag.
  [final_sleep: <duration> | default = 0s]

  # tokens_file_path is not exposed as CLI flag.
  [tokens_file_path: <string> | default = ""]

  # availability_zone is not exposed as CLI flag.
  [availability_zone: <string> | default = ""]

  # unregister_on_shutdown is not exposed as CLI flag.
  [unregister_on_shutdown: <boolean> | default = true]

  # readiness_check_ring_health is not exposed as CLI flag.
  [readiness_check_ring_health: <boolean> | default = true]

  # address is not exposed as CLI flag.
  [address: <string> | default = ""]

  # port is not exposed as CLI flag.
  [port: <int> | default = 0]

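  # ID to register in the ring. The default is the hostname of the machine
  # running the process; the value shown below is the hostname of the machine
  # that generated this reference.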
  # CLI flag: -ingester.lifecycler.ID
  [id: <string> | default = "Martins-MacBook-Pro.local"]

# concurrent_flushes is not exposed as CLI flag.
[concurrent_flushes: <int> | default = 4]

# flush_check_period is not exposed as CLI flag.
[flush_check_period: <duration> | default = 10s]

# flush_op_timeout is not exposed as CLI flag.
[flush_op_timeout: <duration> | default = 5m]

# Duration after which to consider a trace complete if no spans have been
# received
# CLI flag: -ingester.trace-idle-period
[trace_idle_period: <duration> | default = 10s]

# Maximum duration which the head block can be appended to before cutting it.
# CLI flag: -ingester.max-block-duration
[max_block_duration: <duration> | default = 30m]

# Maximum size of the head block before cutting it.
# CLI flag: -ingester.max-block-bytes
[max_block_bytes: <int> | default = 524288000]

# Duration to keep blocks in the ingester after they have been flushed.
# CLI flag: -ingester.complete-block-timeout
[complete_block_timeout: <duration> | default = 15m]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "ring"]

# flush_all_on_shutdown is not exposed as CLI flag.
[flush_all_on_shutdown: <boolean> | default = false]

compactor_config

The compactor_config block configures the compactor service.

# Disable compaction.
# CLI flag: -compactor.disabled
[disabled: <boolean> | default = false]

ring:
  kvstore:
    # store is not exposed as CLI flag.
    [store: <string> | default = ""]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = "collectors/"]

    consul:
      # host is not exposed as CLI flag.
      [host: <string> | default = "localhost:8500"]

      # acl_token is not exposed as CLI flag.
      [acl_token: <string> | default = ""]

      # http_client_timeout is not exposed as CLI flag.
      [http_client_timeout: <duration> | default = 20s]

      # consistent_reads is not exposed as CLI flag.
      [consistent_reads: <boolean> | default = false]

      # watch_rate_limit is not exposed as CLI flag.
      [watch_rate_limit: <float> | default = 1]

      # watch_burst_size is not exposed as CLI flag.
      [watch_burst_size: <int> | default = 1]

      # cas_retry_delay is not exposed as CLI flag.
      [cas_retry_delay: <duration> | default = 1s]

    etcd:
      # endpoints is not exposed as CLI flag.
      [endpoints: <list of string> | default = []]

      # dial_timeout is not exposed as CLI flag.
      [dial_timeout: <duration> | default = 10s]

      # max_retries is not exposed as CLI flag.
      [max_retries: <int> | default = 10]

      # tls_enabled is not exposed as CLI flag.
      [tls_enabled: <boolean> | default = false]

      # tls_cert_path is not exposed as CLI flag.
      [tls_cert_path: <string> | default = ""]

      # tls_key_path is not exposed as CLI flag.
      [tls_key_path: <string> | default = ""]

      # tls_ca_path is not exposed as CLI flag.
      [tls_ca_path: <string> | default = ""]

      # tls_server_name is not exposed as CLI flag.
      [tls_server_name: <string> | default = ""]

      # tls_insecure_skip_verify is not exposed as CLI flag.
      [tls_insecure_skip_verify: <boolean> | default = false]

      # tls_cipher_suites is not exposed as CLI flag.
      [tls_cipher_suites: <string> | default = ""]

      # tls_min_version is not exposed as CLI flag.
      [tls_min_version: <string> | default = ""]

      # username is not exposed as CLI flag.
      [username: <string> | default = ""]

      # password is not exposed as CLI flag.
      [password: <string> | default = ""]

    multi:
      # primary is not exposed as CLI flag.
      [primary: <string> | default = ""]

      # secondary is not exposed as CLI flag.
      [secondary: <string> | default = ""]

      # mirror_enabled is not exposed as CLI flag.
      [mirror_enabled: <boolean> | default = false]

      # mirror_timeout is not exposed as CLI flag.
      [mirror_timeout: <duration> | default = 2s]

  # heartbeat_period is not exposed as CLI flag.
  [heartbeat_period: <duration> | default = 5s]

  # heartbeat_timeout is not exposed as CLI flag.
  [heartbeat_timeout: <duration> | default = 1m]

  # wait_stability_min_duration is not exposed as CLI flag.
  [wait_stability_min_duration: <duration> | default = 1m]

  # wait_stability_max_duration is not exposed as CLI flag.
  [wait_stability_max_duration: <duration> | default = 5m]

  # instance_interface_names is not exposed as CLI flag.
  [instance_interface_names: <list of string> | default = [eth0 en0]]

  # enable_inet6 is not exposed as CLI flag.
  [enable_inet6: <boolean> | default = false]

  # wait_active_instance_timeout is not exposed as CLI flag.
  [wait_active_instance_timeout: <duration> | default = 10m]

compaction:
  # v2_in_buffer_bytes is not exposed as CLI flag.
  [v2_in_buffer_bytes: <int> | default = 5242880]

  # v2_out_buffer_bytes is not exposed as CLI flag.
  [v2_out_buffer_bytes: <int> | default = 20971520]

  # v2_prefetch_traces_count is not exposed as CLI flag.
  [v2_prefetch_traces_count: <int> | default = 1000]

  # Maximum time window across which to compact blocks.
  # CLI flag: -compactor.compaction.compaction-window
  [compaction_window: <duration> | default = 1h]

  # Maximum number of traces in a compacted block.
  # CLI flag: -compactor.compaction.max-objects-per-block
  [max_compaction_objects: <int> | default = 6000000]

  # Maximum size of a compacted block.
  # CLI flag: -compactor.compaction.max-block-bytes
  [max_block_bytes: <int> | default = 107374182400]

  # Duration to keep blocks/traces.
  # CLI flag: -compactor.compaction.block-retention
  [block_retention: <duration> | default = 336h]

  # compacted_block_retention is not exposed as CLI flag.
  [compacted_block_retention: <duration> | default = 1h]

  # retention_concurrency is not exposed as CLI flag.
  [retention_concurrency: <int> | default = 10]

  # max_time_per_tenant is not exposed as CLI flag.
  [max_time_per_tenant: <duration> | default = 5m]

  # compaction_cycle is not exposed as CLI flag.
  [compaction_cycle: <duration> | default = 30s]

# override_ring_key is not exposed as CLI flag.
[override_ring_key: <string> | default = "compactor"]
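
The blocks on this page repeat the same transport and credential keys (`tls_enabled`, `tls_insecure_skip_verify`, `insecure`, `password`, `acl_token`, `secret_key`, and so on). The following is an added example, not Grafana's code: a small linter that walks a configuration file and reports settings that weaken transport security or embed secrets instead of using the `${VAR}` references that `-config.expand-env` expands. The sample file, its top-level key names (`distributor`, `storage`, `ingester`), the set of keys treated as secrets, the reading of `insecure: true` as disabling transport protection, and the finding codes are assumptions of this example.

```python
import re

# Keys from this reference that hold credentials (the selection is this example's policy).
SECRET_KEYS = {"password", "acl_token", "access_key", "secret_key",
               "session_token", "storage_account_key"}
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_]+):(.*)$")
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-(.*))?\}$")

# Constructed sample configuration; hosts, names and values are made up.
SAMPLE = """\
distributor:
  ring:
    kvstore:
      store: etcd
      etcd:
        endpoints:
          - etcd-0.example.internal:2379
        tls_enabled: true
        tls_insecure_skip_verify: true
        username: get
        password: hunter2
storage:
  trace:
    backend: s3
    s3:
      bucket: traces
      access_key: ${S3_ACCESS_KEY}
      secret_key: ${S3_SECRET_KEY:-changeme}
      insecure: false
ingester:
  lifecycler:
    ring:
      kvstore:
        store: etcd
        etcd:
          username: get
          password: ${ETCD_PASSWORD}
"""


def _scalar(raw):
    """Strip surrounding quotes, or a trailing comment from an unquoted value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    return raw.split(" #", 1)[0].strip()


def iter_settings(text):
    """Yield (dotted_path, value, line_no) for every scalar `key: value` line.

    Handles only the YAML subset this reference uses: mappings nested by
    indentation, full-line comments, and list items (both skipped).
    """
    stack = []  # (indent, key) for each enclosing mapping
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue  # blank line, comment, or list item
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if rest == "" or rest.startswith("#"):
            stack.append((indent, key))  # opens a nested mapping
        else:
            path = ".".join([k for _, k in stack] + [key])
            yield path, _scalar(rest), line_no


def audit(text):
    """Return sorted (line_no, path, code) findings for risky settings."""
    settings = list(iter_settings(text))
    by_path = {path: value for path, value, _ in settings}
    findings = []
    for path, value, line_no in settings:
        parent, _, key = path.rpartition(".")
        enabled = value.lower() == "true"
        if key == "tls_insecure_skip_verify" and enabled:
            findings.append((line_no, path, "skip-verify"))
        if key == "insecure" and enabled:
            findings.append((line_no, path, "insecure-transport"))
        if key in SECRET_KEYS and value:
            ref = ENV_REF.match(value)
            if ref is None:
                findings.append((line_no, path, "inline-secret"))
            elif ref.group(2):
                # ${VAR:-default} still ships a usable secret in the file.
                findings.append((line_no, path, "literal-fallback"))
        if key == "password" and value:
            # tls_enabled defaults to false, so an unset sibling counts as off.
            tls = by_path.get(f"{parent}.tls_enabled", "false")
            if tls.lower() != "true":
                findings.append((line_no, path, "creds-without-tls"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, path, code in audit(SAMPLE):
        print(f"line {line_no}: {path}: {code}")
```

The `creds-without-tls` finding relies on the documented default of `tls_enabled` being `false`, so the second etcd block is reported even though its password comes from the environment.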

storage_config

The storage_config block configures how and where to store data.

trace:
  pool:
    # max_workers is not exposed as CLI flag.
    [max_workers: <int> | default = 0]

    # queue_depth is not exposed as CLI flag.
    [queue_depth: <int> | default = 0]

  wal:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

    # completedfilepath is not exposed as CLI flag.
    [completedfilepath: <string> | default = ""]

    # blocksfilepath is not exposed as CLI flag.
    [blocksfilepath: <string> | default = ""]

    # v2_encoding is not exposed as CLI flag.
    [v2_encoding: <int> | default = none]

    # search_encoding is not exposed as CLI flag.
    [search_encoding: <int> | default = none]

    # ingestion_time_range_slack is not exposed as CLI flag.
    [ingestion_time_range_slack: <duration> | default = 0s]

    # version is not exposed as CLI flag.
    [version: <string> | default = ""]

  block:
    # bloom_filter_false_positive is not exposed as CLI flag.
    [bloom_filter_false_positive: <float> | default = 0]

    # bloom_filter_shard_size_bytes is not exposed as CLI flag.
    [bloom_filter_shard_size_bytes: <int> | default = 0]

    # version is not exposed as CLI flag.
    [version: <string> | default = ""]

    # search_encoding is not exposed as CLI flag.
    [search_encoding: <int> | default = none]

    # search_page_size_bytes is not exposed as CLI flag.
    [search_page_size_bytes: <int> | default = 0]

    # v2_index_downsample_bytes is not exposed as CLI flag.
    [v2_index_downsample_bytes: <int> | default = 0]

    # v2_index_page_size_bytes is not exposed as CLI flag.
    [v2_index_page_size_bytes: <int> | default = 0]

    # v2_encoding is not exposed as CLI flag.
    [v2_encoding: <int> | default = none]

    # parquet_row_group_size_bytes is not exposed as CLI flag.
    [parquet_row_group_size_bytes: <int> | default = 0]

    parquet_dedicated_columns:
      # scope is not exposed as CLI flag.
      [scope: <string> | default = ""]

      # name is not exposed as CLI flag.
      [name: <string> | default = ""]

      # type is not exposed as CLI flag.
      [type: <string> | default = ""]

  search:
    # chunk_size_bytes is not exposed as CLI flag.
    [chunk_size_bytes: <int> | default = 0]

    # prefetch_trace_count is not exposed as CLI flag.
    [prefetch_trace_count: <int> | default = 0]

    # read_buffer_count is not exposed as CLI flag.
    [read_buffer_count: <int> | default = 0]

    # read_buffer_size_bytes is not exposed as CLI flag.
    [read_buffer_size_bytes: <int> | default = 0]

    cache_control:
      # footer is not exposed as CLI flag.
      [footer: <boolean> | default = false]

      # column_index is not exposed as CLI flag.
      [column_index: <boolean> | default = false]

      # offset_index is not exposed as CLI flag.
      [offset_index: <boolean> | default = false]

  # Period at which to run the maintenance cycle.
  # CLI flag: -storage.trace.blocklist_poll
  [blocklist_poll: <duration> | default = 5m]

  # blocklist_poll_concurrency is not exposed as CLI flag.
  [blocklist_poll_concurrency: <int> | default = 50]

  # blocklist_poll_fallback is not exposed as CLI flag.
  [blocklist_poll_fallback: <boolean> | default = true]

  # blocklist_poll_tenant_index_builders is not exposed as CLI flag.
  [blocklist_poll_tenant_index_builders: <int> | default = 2]

  # blocklist_poll_stale_tenant_index is not exposed as CLI flag.
  [blocklist_poll_stale_tenant_index: <duration> | default = 0s]

  # blocklist_poll_jitter_ms is not exposed as CLI flag.
  [blocklist_poll_jitter_ms: <int> | default = 0]

  # blocklist_poll_tolerate_consecutive_errors is not exposed as CLI flag.
  [blocklist_poll_tolerate_consecutive_errors: <int> | default = 1]

  # Trace backend (s3, azure, gcs, local)
  # CLI flag: -storage.trace.backend
  [backend: <string> | default = ""]

  local:
    # path is not exposed as CLI flag.
    [path: <string> | default = ""]

  gcs:
    # bucket_name is not exposed as CLI flag.
    [bucket_name: <string> | default = ""]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = ""]

    # chunk_buffer_size is not exposed as CLI flag.
    [chunk_buffer_size: <int> | default = 0]

    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # hedge_requests_at is not exposed as CLI flag.
    [hedge_requests_at: <duration> | default = 0s]

    # hedge_requests_up_to is not exposed as CLI flag.
    [hedge_requests_up_to: <int> | default = 0]

    # insecure is not exposed as CLI flag.
    [insecure: <boolean> | default = false]

    # object_cache_control is not exposed as CLI flag.
    [object_cache_control: <string> | default = ""]

    # object_metadata is not exposed as CLI flag.
    [object_metadata: <map of string to string> | default = map[]]

  s3:
    # tls_cert_path is not exposed as CLI flag.
    [tls_cert_path: <string> | default = ""]

    # tls_key_path is not exposed as CLI flag.
    [tls_key_path: <string> | default = ""]

    # tls_ca_path is not exposed as CLI flag.
    [tls_ca_path: <string> | default = ""]

    # tls_server_name is not exposed as CLI flag.
    [tls_server_name: <string> | default = ""]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

    # tls_cipher_suites is not exposed as CLI flag.
    [tls_cipher_suites: <string> | default = ""]

    # tls_min_version is not exposed as CLI flag.
    [tls_min_version: <string> | default = ""]

    # bucket is not exposed as CLI flag.
    [bucket: <string> | default = ""]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = ""]

    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # region is not exposed as CLI flag.
    [region: <string> | default = ""]

    # access_key is not exposed as CLI flag.
    [access_key: <string> | default = ""]

    # secret_key is not exposed as CLI flag.
    [secret_key: <string> | default = ""]

    # session_token is not exposed as CLI flag.
    [session_token: <string> | default = ""]

    # insecure is not exposed as CLI flag.
    [insecure: <boolean> | default = false]

    # part_size is not exposed as CLI flag.
    [part_size: <int> | default = 0]

    # hedge_requests_at is not exposed as CLI flag.
    [hedge_requests_at: <duration> | default = 0s]

    # hedge_requests_up_to is not exposed as CLI flag.
    [hedge_requests_up_to: <int> | default = 0]

    # signature_v2 is not exposed as CLI flag.
    [signature_v2: <boolean> | default = false]

    # forcepathstyle is not exposed as CLI flag.
    [forcepathstyle: <boolean> | default = false]

    # bucket_lookup_type is not exposed as CLI flag.
    [bucket_lookup_type: <int> | default = 0]

    # tags is not exposed as CLI flag.
    [tags: <map of string to string> | default = map[]]

    # storage_class is not exposed as CLI flag.
    [storage_class: <string> | default = ""]

    # metadata is not exposed as CLI flag.
    [metadata: <map of string to string> | default = map[]]

    # native_aws_auth_enabled is not exposed as CLI flag.
    [native_aws_auth_enabled: <boolean> | default = false]

  azure:
    # storage_account_name is not exposed as CLI flag.
    [storage_account_name: <string> | default = ""]

    # storage_account_key is not exposed as CLI flag.
    [storage_account_key: <string> | default = ""]

    # use_managed_identity is not exposed as CLI flag.
    [use_managed_identity: <boolean> | default = false]

    # use_federated_token is not exposed as CLI flag.
    [use_federated_token: <boolean> | default = false]

    # user_assigned_id is not exposed as CLI flag.
    [user_assigned_id: <string> | default = ""]

    # container_name is not exposed as CLI flag.
    [container_name: <string> | default = ""]

    # prefix is not exposed as CLI flag.
    [prefix: <string> | default = ""]

    # endpoint_suffix is not exposed as CLI flag.
    [endpoint_suffix: <string> | default = ""]

    # max_buffers is not exposed as CLI flag.
    [max_buffers: <int> | default = 0]

    # buffer_size is not exposed as CLI flag.
    [buffer_size: <int> | default = 0]

    # hedge_requests_at is not exposed as CLI flag.
    [hedge_requests_at: <duration> | default = 0s]

    # hedge_requests_up_to is not exposed as CLI flag.
    [hedge_requests_up_to: <int> | default = 0]

    # use_v2_sdk is not exposed as CLI flag.
    [use_v2_sdk: <boolean> | default = false]

  # cache is not exposed as CLI flag.
  [cache: <string> | default = ""]

  # cache_min_compaction_level is not exposed as CLI flag.
  [cache_min_compaction_level: <int> | default = 0]

  # cache_max_block_age is not exposed as CLI flag.
  [cache_max_block_age: <duration> | default = 0s]

  background_cache:
    # writeback_goroutines is not exposed as CLI flag.
    [writeback_goroutines: <int> | default = 0]

    # writeback_buffer is not exposed as CLI flag.
    [writeback_buffer: <int> | default = 0]

  memcached:
    # host is not exposed as CLI flag.
    [host: <string> | default = ""]

    # service is not exposed as CLI flag.
    [service: <string> | default = ""]

    # addresses is not exposed as CLI flag.
    [addresses: <string> | default = ""]

    # timeout is not exposed as CLI flag.
    [timeout: <duration> | default = 0s]

    # max_idle_conns is not exposed as CLI flag.
    [max_idle_conns: <int> | default = 0]

    # max_item_size is not exposed as CLI flag.
    [max_item_size: <int> | default = 0]

    # update_interval is not exposed as CLI flag.
    [update_interval: <duration> | default = 0s]

    # consistent_hash is not exposed as CLI flag.
    [consistent_hash: <boolean> | default = false]

    # circuit_breaker_consecutive_failures is not exposed as CLI flag.
    [circuit_breaker_consecutive_failures: <int> | default = 0]

    # circuit_breaker_timeout is not exposed as CLI flag.
    [circuit_breaker_timeout: <duration> | default = 0s]

    # circuit_breaker_interval is not exposed as CLI flag.
    [circuit_breaker_interval: <duration> | default = 0s]

    # ttl is not exposed as CLI flag.
    [ttl: <duration> | default = 0s]

  redis:
    # endpoint is not exposed as CLI flag.
    [endpoint: <string> | default = ""]

    # master_name is not exposed as CLI flag.
    [master_name: <string> | default = ""]

    # timeout is not exposed as CLI flag.
    [timeout: <duration> | default = 0s]

    # expiration is not exposed as CLI flag.
    [expiration: <duration> | default = 0s]

    # db is not exposed as CLI flag.
    [db: <int> | default = 0]

    # pool_size is not exposed as CLI flag.
    [pool_size: <int> | default = 0]

    # username is not exposed as CLI flag.
    [username: <string> | default = ""]

    # password is not exposed as CLI flag.
    [password: <string> | default = ""]

    # sentinel_username is not exposed as CLI flag.
    [sentinel_username: <string> | default = ""]

    # sentinel_password is not exposed as CLI flag.
    [sentinel_password: <string> | default = ""]

    # tls_enabled is not exposed as CLI flag.
    [tls_enabled: <boolean> | default = false]

    # tls_insecure_skip_verify is not exposed as CLI flag.
    [tls_insecure_skip_verify: <boolean> | default = false]

    # idle_timeout is not exposed as CLI flag.
    [idle_timeout: <duration> | default = 0s]

    # max_connection_age is not exposed as CLI flag.
    [max_connection_age: <duration> | default = 0s]

    # ttl is not exposed as CLI flag.
    [ttl: <duration> | default = 0s]

overrides_config

The overrides_config block configures the overrides module to set global or per-tenant override settings.

defaults:
  ingestion:
    # Whether the various ingestion rate limits should be applied individually
    # to each distributor instance (local), or evenly shared across the cluster
    # (global).
    # CLI flag: -distributor.rate-limit-strategy
    [rate_strategy: <string> | default = "local"]

    # Per-user ingestion rate limit in bytes per second.
    # CLI flag: -distributor.ingestion-rate-limit-bytes
    [rate_limit_bytes: <int> | default = 15000000]

    # Per-user ingestion burst size in bytes. Should be set to the expected size
    # (in bytes) of a single push request.
    # CLI flag: -distributor.ingestion-burst-size-bytes
    [burst_size_bytes: <int> | default = 20000000]

    # Maximum number of active traces per user, per ingester. 0 to disable.
    # CLI flag: -ingester.max-traces-per-user
    [max_traces_per_user: <int> | default = 10000]

    # Maximum number of active traces per user, across the cluster. 0 to
    # disable.
    # CLI flag: -ingester.max-global-traces-per-user
    [max_global_traces_per_user: <int> | default = 0]

  read:
    # Maximum size of response for a tag-values query. Used mainly to limit
    # the number of values associated with a particular tag.
    # CLI flag: -querier.max-bytes-per-tag-values-query
    [max_bytes_per_tag_values_query: <int> | default = 5000000]

    # Maximum number of blocks to query for a tag-values query. 0 to disable.
    # CLI flag: -querier.max-blocks-per-tag-values-query
    [max_blocks_per_tag_values_query: <int> | default = 0]

    # max_search_duration is not exposed as CLI flag.
    [max_search_duration: <duration> | default = 0s]

  compaction:
    # block_retention is not exposed as CLI flag.
    [block_retention: <duration> | default = 0s]

  metrics_generator:
    # ring_size is not exposed as CLI flag.
    [ring_size: <int> | default = 0]

    # processors is not exposed as CLI flag.
    [processors: <map of string to struct {}> | default = map[]]

    # max_active_series is not exposed as CLI flag.
    [max_active_series: <int> | default = 0]

    # collection_interval is not exposed as CLI flag.
    [collection_interval: <duration> | default = 0s]

    # disable_collection is not exposed as CLI flag.
    [disable_collection: <boolean> | default = false]

    forwarder:
      # queue_size is not exposed as CLI flag.
      [queue_size: <int> | default = 0]

      # workers is not exposed as CLI flag.
      [workers: <int> | default = 0]

    processor:
      service_graphs:
        # histogram_buckets is not exposed as CLI flag.
        [histogram_buckets: <list of float> | default = []]

        # dimensions is not exposed as CLI flag.
        [dimensions: <list of string> | default = []]

        # peer_attributes is not exposed as CLI flag.
        [peer_attributes: <list of string> | default = []]

        # enable_client_server_prefix is not exposed as CLI flag.
        [enable_client_server_prefix: <boolean> | default = false]

      span_metrics:
        # histogram_buckets is not exposed as CLI flag.
        [histogram_buckets: <list of float> | default = []]

        # dimensions is not exposed as CLI flag.
        [dimensions: <list of string> | default = []]

        # intrinsic_dimensions is not exposed as CLI flag.
        [intrinsic_dimensions: <map of string to bool> | default = map[]]

        filter_policies:
          include:
            # match_type is not exposed as CLI flag.
            [match_type: <string> | default = ""]

            # policy match condition
            [attributes: <struct> | default = none]

          exclude:
            # match_type is not exposed as CLI flag.
            [match_type: <string> | default = ""]

            # policy match condition
            [attributes: <struct> | default = none]

        dimension_mappings:
          # name is not exposed as CLI flag.
          [name: <string> | default = ""]

          # source_labels is not exposed as CLI flag.
          [source_labels: <list of string> | default = []]

          # join is not exposed as CLI flag.
          [join: <string> | default = ""]

        # enable_target_info is not exposed as CLI flag.
        [enable_target_info: <boolean> | default = false]

        # target_info_excluded_dimensions is not exposed as CLI flag.
        [target_info_excluded_dimensions: <list of string> | default = []]

      local_blocks:
        # max_live_traces is not exposed as CLI flag.
        [max_live_traces: <int> | default = 0]

        # max_block_duration is not exposed as CLI flag.
        [max_block_duration: <duration> | default = 0s]

        # max_block_bytes is not exposed as CLI flag.
        [max_block_bytes: <int> | default = 0]

        # flush_check_period is not exposed as CLI flag.
        [flush_check_period: <duration> | default = 0s]

        # trace_idle_period is not exposed as CLI flag.
        [trace_idle_period: <duration> | default = 0s]

        # complete_block_timeout is not exposed as CLI flag.
        [complete_block_timeout: <duration> | default = 0s]

    # ingestion_time_range_slack is not exposed as CLI flag.
    [ingestion_time_range_slack: <duration> | default = 0s]

  # forwarders is not exposed as CLI flag.
  [forwarders: <list of string> | default = []]

  global:
    # Maximum size of a trace in bytes.  0 to disable.
    # CLI flag: -ingester.max-bytes-per-trace
    [max_bytes_per_trace: <int> | default = 5000000]

  storage:
    parquet_dedicated_columns:
      # scope is not exposed as CLI flag.
      [scope: <string> | default = ""]

      # name is not exposed as CLI flag.
      [name: <string> | default = ""]

      # type is not exposed as CLI flag.
      [type: <string> | default = ""]

# File name of per-user Overrides.
# CLI flag: -config.per-user-override-config
[per_tenant_override_config: <string> | default = ""]

# Period with which to reload the overrides.
# CLI flag: -config.per-user-override-period
[per_tenant_override_period: <duration> | default = 10s]

user_configurable_overrides:
  # enabled is not exposed as CLI flag.
  [enabled: <boolean> | default = false]

  # poll_interval is not exposed as CLI flag.
  [poll_interval: <duration> | default = 1m]

  client:
    # backend is not exposed as CLI flag.
    [backend: <string> | default = ""]

    # confirm_versioning is not exposed as CLI flag.
    [confirm_versioning: <boolean> | default = true]

    local:
      # path is not exposed as CLI flag.
      [path: <string> | default = ""]

    gcs:
      # bucket_name is not exposed as CLI flag.
      [bucket_name: <string> | default = ""]

      # prefix is not exposed as CLI flag.
      [prefix: <string> | default = ""]

      # chunk_buffer_size is not exposed as CLI flag.
      [chunk_buffer_size: <int> | default = 0]

      # endpoint is not exposed as CLI flag.
      [endpoint: <string> | default = ""]

      # hedge_requests_at is not exposed as CLI flag.
      [hedge_requests_at: <duration> | default = 0s]

      # hedge_requests_up_to is not exposed as CLI flag.
      [hedge_requests_up_to: <int> | default = 0]

      # insecure is not exposed as CLI flag.
      [insecure: <boolean> | default = false]

      # object_cache_control is not exposed as CLI flag.
      [object_cache_control: <string> | default = ""]

      # object_metadata is not exposed as CLI flag.
      [object_metadata: <map of string to string> | default = map[]]

    s3:
      # tls_cert_path is not exposed as CLI flag.
      [tls_cert_path: <string> | default = ""]

      # tls_key_path is not exposed as CLI flag.
      [tls_key_path: <string> | default = ""]

      # tls_ca_path is not exposed as CLI flag.
      [tls_ca_path: <string> | default = ""]

      # tls_server_name is not exposed as CLI flag.
      [tls_server_name: <string> | default = ""]

      # tls_insecure_skip_verify is not exposed as CLI flag.
      [tls_insecure_skip_verify: <boolean> | default = false]

      # tls_cipher_suites is not exposed as CLI flag.
      [tls_cipher_suites: <string> | default = ""]

      # tls_min_version is not exposed as CLI flag.
      [tls_min_version: <string> | default = ""]

      # bucket is not exposed as CLI flag.
      [bucket: <string> | default = ""]

      # prefix is not exposed as CLI flag.
      [prefix: <string> | default = ""]

      # endpoint is not exposed as CLI flag.
      [endpoint: <string> | default = ""]

      # region is not exposed as CLI flag.
      [region: <string> | default = ""]

      # access_key is not exposed as CLI flag.
      [access_key: <string> | default = ""]

      # secret_key is not exposed as CLI flag.
      [secret_key: <string> | default = ""]

      # session_token is not exposed as CLI flag.
      [session_token: <string> | default = ""]

      # insecure is not exposed as CLI flag.
      [insecure: <boolean> | default = false]

      # part_size is not exposed as CLI flag.
      [part_size: <int> | default = 0]

      # hedge_requests_at is not exposed as CLI flag.
      [hedge_requests_at: <duration> | default = 0s]

      # hedge_requests_up_to is not exposed as CLI flag.
      [hedge_requests_up_to: <int> | default = 0]

      # signature_v2 is not exposed as CLI flag.
      [signature_v2: <boolean> | default = false]

      # forcepathstyle is not exposed as CLI flag.
      [forcepathstyle: <boolean> | default = false]

      # bucket_lookup_type is not exposed as CLI flag.
      [bucket_lookup_type: <int> | default = 0]

      # tags is not exposed as CLI flag.
      [tags: <map of string to string> | default = map[]]

      # storage_class is not exposed as CLI flag.
      [storage_class: <string> | default = ""]

      # metadata is not exposed as CLI flag.
      [metadata: <map of string to string> | default = map[]]

      # native_aws_auth_enabled is not exposed as CLI flag.
      [native_aws_auth_enabled: <boolean> | default = false]

    azure:
      # storage_account_name is not exposed as CLI flag.
      [storage_account_name: <string> | default = ""]

      # storage_account_key is not exposed as CLI flag.
      [storage_account_key: <string> | default = ""]

      # use_managed_identity is not exposed as CLI flag.
      [use_managed_identity: <boolean> | default = false]

      # use_federated_token is not exposed as CLI flag.
      [use_federated_token: <boolean> | default = false]

      # user_assigned_id is not exposed as CLI flag.
      [user_assigned_id: <string> | default = ""]

      # container_name is not exposed as CLI flag.
      [container_name: <string> | default = ""]

      # prefix is not exposed as CLI flag.
      [prefix: <string> | default = ""]

      # endpoint_suffix is not exposed as CLI flag.
      [endpoint_suffix: <string> | default = ""]

      # max_buffers is not exposed as CLI flag.
      [max_buffers: <int> | default = 0]

      # buffer_size is not exposed as CLI flag.
      [buffer_size: <int> | default = 0]

      # hedge_requests_at is not exposed as CLI flag.
      [hedge_requests_at: <duration> | default = 0s]

      # hedge_requests_up_to is not exposed as CLI flag.
      [hedge_requests_up_to: <int> | default = 0]

      # use_v2_sdk is not exposed as CLI flag.
      [use_v2_sdk: <boolean> | default = false]

memberlist_config

The memberlist_config block configures how the gossip ring connects between distributors, ingesters and queriers.

# node_name is not exposed as CLI flag.
[node_name: <string> | default = ""]

# randomize_node_name is not exposed as CLI flag.
[randomize_node_name: <boolean> | default = true]

# stream_timeout is not exposed as CLI flag.
[stream_timeout: <duration> | default = 10s]

# retransmit_factor is not exposed as CLI flag.
[retransmit_factor: <int> | default = 2]

# pull_push_interval is not exposed as CLI flag.
[pull_push_interval: <duration> | default = 30s]

# gossip_interval is not exposed as CLI flag.
[gossip_interval: <duration> | default = 1s]

# gossip_nodes is not exposed as CLI flag.
[gossip_nodes: <int> | default = 2]

# gossip_to_dead_nodes_time is not exposed as CLI flag.
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# dead_node_reclaim_time is not exposed as CLI flag.
[dead_node_reclaim_time: <duration> | default = 0s]

# compression_enabled is not exposed as CLI flag.
[compression_enabled: <boolean> | default = false]

# advertise_addr is not exposed as CLI flag.
[advertise_addr: <string> | default = ""]

# advertise_port is not exposed as CLI flag.
[advertise_port: <int> | default = 7946]

# cluster_label is not exposed as CLI flag.
[cluster_label: <string> | default = ""]

# cluster_label_verification_disabled is not exposed as CLI flag.
[cluster_label_verification_disabled: <boolean> | default = false]

# Host port to connect to memberlist cluster.
# CLI flag: -memberlist.host-port
[join_members: <list of string> | default = []]

# min_join_backoff is not exposed as CLI flag.
[min_join_backoff: <duration> | default = 1s]

# max_join_backoff is not exposed as CLI flag.
[max_join_backoff: <duration> | default = 1m]

# max_join_retries is not exposed as CLI flag.
[max_join_retries: <int> | default = 10]

# abort_if_cluster_join_fails is not exposed as CLI flag.
[abort_if_cluster_join_fails: <boolean> | default = false]

# rejoin_interval is not exposed as CLI flag.
[rejoin_interval: <duration> | default = 0s]

# left_ingesters_timeout is not exposed as CLI flag.
[left_ingesters_timeout: <duration> | default = 5m]

# leave_timeout is not exposed as CLI flag.
[leave_timeout: <duration> | default = 20s]

# message_history_buffer_bytes is not exposed as CLI flag.
[message_history_buffer_bytes: <int> | default = 0]

# bind_addr is not exposed as CLI flag.
[bind_addr: <list of string> | default = []]

# Port for memberlist to communicate on
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# packet_dial_timeout is not exposed as CLI flag.
[packet_dial_timeout: <duration> | default = 2s]

# packet_write_timeout is not exposed as CLI flag.
[packet_write_timeout: <duration> | default = 5s]

# tls_enabled is not exposed as CLI flag.
[tls_enabled: <boolean> | default = false]

# tls_cert_path is not exposed as CLI flag.
[tls_cert_path: <string> | default = ""]

# tls_key_path is not exposed as CLI flag.
[tls_key_path: <string> | default = ""]

# tls_ca_path is not exposed as CLI flag.
[tls_ca_path: <string> | default = ""]

# tls_server_name is not exposed as CLI flag.
[tls_server_name: <string> | default = ""]

# tls_insecure_skip_verify is not exposed as CLI flag.
[tls_insecure_skip_verify: <boolean> | default = false]

# tls_cipher_suites is not exposed as CLI flag.
[tls_cipher_suites: <string> | default = ""]

# tls_min_version is not exposed as CLI flag.
[tls_min_version: <string> | default = ""]

admin_api_config

The admin_api_config block configures the Admin API service.

# Designated header to parse when searching for the Grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = true]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -admin-api.leader-election.ring.consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas).
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Instance ID to register in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-id
    [instance_id: <string> | default = "Martins-MacBook-Pro.local"]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [en0]]

    # Port to advertise in the ring (defaults to server.grpc-listen-port).
    # CLI flag: -admin-api.leader-election.ring.instance-port
    [instance_port: <int> | default = 0]

    # IP address to advertise in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-addr
    [instance_addr: <string> | default = ""]

    # Enable using an IPv6 instance address.
    # CLI flag: -admin-api.leader-election.ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 104857600]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit rate limits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Initial stream window size. Values less than the default are not supported
    # and are ignored. Setting this to a value other than the default disables
    # the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-stream-window-size
    [initial_stream_window_size: <int> | default = 63KiB1023B]

    # Initial connection window size. Values less than the default are not
    # supported and are ignored. Setting this to a value other than the default
    # disables the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-connection-window-size
    [initial_connection_window_size: <int> | default = 63KiB1023B]

    # Enable TLS in the gRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -admin-api.leader-election.client.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -admin-api.leader-election.client.tls-min-version
    [tls_min_version: <string> | default = ""]

    # The maximum amount of time to establish a connection. A value of 0 means
    # default gRPC client connect timeout and backoff.
    # CLI flag: -admin-api.leader-election.client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # Initial backoff delay after first connection failure. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-base-delay
    [connect_backoff_base_delay: <duration> | default = 1s]

    # Maximum backoff delay when establishing a connection. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-max-delay
    [connect_backoff_max_delay: <duration> | default = 5s]

limits:
  # Enable API based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

admin_client_config

The admin_client_config block configures how the Admin API service connects to the storage backend.

storage:
  # Enable caching on the versioned client.
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  cache:
    # Cache backend type. Supported values are: memcached, redis, inmemory.
    # CLI flag: -admin.client.cache.backend
    [backend: <string> | default = "inmemory"]

    memcached:
      # Comma-separated list of memcached addresses. Each address can be an IP
      # address, hostname, or an entry specified in the DNS Service Discovery
      # format.
      # CLI flag: -admin.client.cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -admin.client.cache.memcached.timeout
      [timeout: <duration> | default = 200ms]

      # The connection timeout.
      # CLI flag: -admin.client.cache.memcached.connect-timeout
      [connect_timeout: <duration> | default = 200ms]

      # The minimum number of idle connections to keep open as a percentage
      # (0-100) of the number of recently used idle connections. If negative,
      # idle connections are kept open indefinitely.
      # CLI flag: -admin.client.cache.memcached.min-idle-connections-headroom-percentage
      [min_idle_connections_headroom_percentage: <float> | default = -1]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -admin.client.cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # The maximum number of concurrent asynchronous operations that can occur.
      # CLI flag: -admin.client.cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -admin.client.cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 25000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 100]

      # The maximum size of an item stored in memcached, in bytes. Bigger items
      # are not stored. If set to 0, no maximum size is enforced.
      # CLI flag: -admin.client.cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

      # Enable connecting to Memcached with TLS.
      # CLI flag: -admin.client.cache.memcached.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.cache.memcached.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -admin.client.cache.memcached.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -admin.client.cache.memcached.tls-min-version
      [tls_min_version: <string> | default = ""]

    redis:
      # Redis Server or Cluster configuration endpoint to use for caching. A
      # comma-separated list of endpoints for Redis Cluster or Redis Sentinel.
      # CLI flag: -admin.client.cache.redis.endpoint
      [endpoint: <string> | default = ""]

      # Username to use when connecting to Redis.
      # CLI flag: -admin.client.cache.redis.username
      [username: <string> | default = ""]

      # Password to use when connecting to Redis.
      # CLI flag: -admin.client.cache.redis.password
      [password: <string> | default = ""]

      # Database index.
      # CLI flag: -admin.client.cache.redis.db
      [db: <int> | default = 0]

      # Redis Sentinel master name. An empty string for Redis Server or Redis
      # Cluster.
      # CLI flag: -admin.client.cache.redis.master-name
      [master_name: <string> | default = ""]

      # Client dial timeout.
      # CLI flag: -admin.client.cache.redis.dial-timeout
      [dial_timeout: <duration> | default = 5s]

      # Client read timeout.
      # CLI flag: -admin.client.cache.redis.read-timeout
      [read_timeout: <duration> | default = 3s]

      # Client write timeout.
      # CLI flag: -admin.client.cache.redis.write-timeout
      [write_timeout: <duration> | default = 3s]

      # Maximum number of connections in the pool.
      # CLI flag: -admin.client.cache.redis.connection-pool-size
      [connection_pool_size: <int> | default = 100]

      # Minimum number of idle connections.
      # CLI flag: -admin.client.cache.redis.min-idle-connections
      [min_idle_connections: <int> | default = 10]

      # Amount of time after which client closes idle connections.
      # CLI flag: -admin.client.cache.redis.idle-timeout
      [idle_timeout: <duration> | default = 5m]

      # Close connections older than this duration. If the value is zero, then
      # the pool does not close connections based on age.
      # CLI flag: -admin.client.cache.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

      # The maximum size of an item stored in Redis. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -admin.client.cache.redis.max-item-size
      [max_item_size: <int> | default = 16777216]

      # The maximum number of concurrent asynchronous operations that can occur.
      # CLI flag: -admin.client.cache.redis.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -admin.client.cache.redis.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 25000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -admin.client.cache.redis.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum size per batch for mget operations.
      # CLI flag: -admin.client.cache.redis.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 100]

      # Enable connecting to Redis with TLS.
      # CLI flag: -admin.client.cache.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.cache.redis.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.cache.redis.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.cache.redis.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.cache.redis.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -admin.client.cache.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -admin.client.cache.redis.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -admin.client.cache.redis.tls-min-version
      [tls_min_version: <string> | default = ""]

    # How long an item should be cached before being evicted. Only available for
    # remote cache types (memcached, redis).
    # CLI flag: -admin.client.cache.expiration
    [expiration: <duration> | default = 24h]

    # How frequently to reload tokens from storage to keep the cache warm.
    # Default disabled.
    # CLI flag: -admin.client.cache.refresh-interval
    [refresh_interval: <duration> | default = 0s]

  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem.
  # CLI flag: -admin.client.backend
  [backend: <string> | default = "filesystem"]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue an S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a server's response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to S3 via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON either from a Google Developers Console client_credentials.json file,
    # or a Google Developers service account key. Needs to be valid JSON, not a
    # filesystem path.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = ""]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN. If set to empty string, default
    # endpoint suffix is used.
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

    # User assigned identity. If empty, then System assigned identity is used.
    # CLI flag: -admin.client.azure.user-assigned-id
    [user_assigned_id: <string> | default = ""]

  swift:
    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -admin.client.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -admin.client.swift.auth-url
    [auth_url: <string> | default = ""]

    # OpenStack Swift username.
    # CLI flag: -admin.client.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -admin.client.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -admin.client.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -admin.client.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -admin.client.swift.container-name
    [container_name: <string> | default = ""]

    # Max retries on requests error.
    # CLI flag: -admin.client.swift.max-retries
    [max_retries: <int> | default = 3]

    # Time after which a connection attempt is aborted.
    # CLI flag: -admin.client.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # Time after which an idle request is aborted. The timeout watchdog is reset
    # each time some data is received, so the timeout triggers after X time no
    # data is received on a request.
    # CLI flag: -admin.client.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

  filesystem:
    # Local filesystem storage directory.
    # CLI flag: -admin.client.filesystem.dir
    [dir: <string> | default = ""]

  # Prefix for all objects stored in the backend storage. For simplicity, it may
  # only contain digits and English alphabet letters.
  # CLI flag: -admin.client.storage-prefix
  [storage_prefix: <string> | default = ""]

  # Set a backend to use, (gcs, s3, azure). Deprecated, please use
  # '-admin.client.backend' instead.
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]

auth_config

The auth_config block configures the authentication type to use.

# Method for authenticating incoming HTTP requests. Supported values: trust,
# enterprise.
# CLI flag: -auth.type
[type: <string> | default = "enterprise"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as an admin-scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  cache_refresh:
    # Whether asynchronous background refreshes are enabled.
    # CLI flag: -auth.cache.refresh.enabled
    [enabled: <boolean> | default = false]

    # Number of workers for background asynchronous refresh.
    # CLI flag: -auth.cache.refresh.concurrency
    [concurrency: <int> | default = 2]

    # Maximum number of pending background refreshes.
    # CLI flag: -auth.cache.refresh.buffer
    [buffer: <int> | default = 256]

    # Remaining time to live of an item when background refreshes may begin to
    # occur.
    # CLI flag: -auth.cache.refresh.refresh-ttl
    [refresh_ttl: <duration> | default = 3m]

    # Minimum time distance between retries if a refresh attempt fails, 0 means
    # that every subsequent get operation will result in a retry.
    # CLI flag: -auth.cache.refresh.retry-interval
    [retry_interval: <duration> | default = 30s]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]
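
A start-up check over the CLI flags documented in this reference, as an added example (not Grafana's own code): it reports the settings whose descriptions here say they weaken transport security or admin authentication. Because CLI flags take precedence over the YAML file, auditing the process arguments catches overrides the file does not show. The sample arguments, paths, token value, and function names are constructed for illustration; the YAML file itself is not inspected.

```python
"""Audit Go-style CLI flags against settings described in this reference."""

# Flags treated as booleans when they appear without a value (bare flag = true).
BOOL_SUFFIXES = ("insecure-skip-verify", "tls-enabled", ".insecure")
WEAK_TLS = {"VersionTLS10", "VersionTLS11"}


def is_true(value):
    """Case-insensitive check for the usual true spellings of a boolean flag."""
    return value.lower() in ("1", "t", "true")


def parse_flags(argv):
    """Return {flag: value} for -f=v, --f=v, '-f v' and bare boolean flags.

    Heuristic: without '=', the next argument is taken as the value only if
    it does not itself start with '-'.
    """
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            continue
        name = arg.lstrip("-")
        if "=" in name:
            name, value = name.split("=", 1)
        elif name.endswith(BOOL_SUFFIXES):
            value = "true"
        elif i < len(argv) and not argv[i].startswith("-"):
            value = argv[i]
            i += 1
        else:
            value = ""
        flags[name] = value
    return flags


def audit(argv):
    """Return a sorted list of (flag, finding) tuples."""
    flags = parse_flags(argv)
    findings = set()
    for name, value in flags.items():
        prefix, _, leaf = name.rpartition(".")
        if leaf.endswith("insecure-skip-verify") and is_true(value):
            findings.add((name, "server certificate validation is skipped"))
        if name == "admin.client.s3.insecure" and is_true(value):
            findings.add((name, "S3 endpoint uses http:// instead of https://"))
        if leaf == "tls-min-version" and value in WEAK_TLS:
            findings.add((name, "minimum TLS version is below VersionTLS12"))
        if name == "auth.override.token" and value:
            findings.add((name, "admin-scope token is in argv; "
                                "auth.override.token-file reads it from a file"))
        if name == "auth.type" and value != "enterprise":
            findings.add((name, "differs from the documented default 'enterprise'"))
        if leaf == "tls-cert-path" and value and not flags.get(prefix + ".tls-key-path"):
            findings.add((name, "client certificate is set without tls-key-path"))
        if leaf == "tls-key-path" and value and not flags.get(prefix + ".tls-cert-path"):
            findings.add((name, "client key is set without tls-cert-path"))
        # Gateway proxy blocks: tls-enabled must be on when any other TLS flag is set.
        if (prefix.startswith("gateway.proxy.") and leaf.startswith("tls-")
                and leaf != "tls-enabled" and value
                and not is_true(flags.get(prefix + ".tls-enabled", ""))):
            findings.add((prefix + ".tls-enabled",
                          "other TLS flags are set but tls-enabled is not true"))
    return sorted(findings)


# Constructed sample command lines (not taken from a real deployment).
SAMPLE_ARGV = [
    "-config.file=/etc/get/config.yaml",
    "-auth.type=trust",
    "-auth.override.token=example-token",
    "-admin.client.s3.insecure",
    "-admin.client.cache.redis.tls-min-version", "VersionTLS10",
    "-gateway.proxy.distributor.tls-ca-path=/etc/get/ca.pem",
    "-gateway.proxy.distributor.tls-insecure-skip-verify=true",
    "-gateway.proxy.admin-api.tls-enabled=true",
    "-gateway.proxy.admin-api.tls-cert-path=/etc/get/client.pem",
]

HARDENED_ARGV = [
    "-auth.type=enterprise",
    "-auth.override.token-file=/run/secrets/admin-token",
    "-gateway.proxy.distributor.tls-enabled=true",
    "-gateway.proxy.distributor.tls-ca-path=/etc/get/ca.pem",
    "-gateway.proxy.distributor.tls-min-version=VersionTLS12",
]

if __name__ == "__main__":
    for flag, finding in audit(SAMPLE_ARGV):
        print(f"-{flag}: {finding}")
```
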

federation_config

The federation_config block configures the cross-cluster query federation service.

proxy_targets:
  # Name contains the name of the proxy target, it will be used for the
  # __cluster__ label.
  [name: <string> | default = ""]

  # URL is the URL to the GET API endpoints.
  [url: <string> | default = ""]

  # tls_cert_path is not exposed as CLI flag.
  [tls_cert_path: <string> | default = ""]

  # tls_key_path is not exposed as CLI flag.
  [tls_key_path: <string> | default = ""]

  # tls_ca_path is not exposed as CLI flag.
  [tls_ca_path: <string> | default = ""]

  # tls_server_name is not exposed as CLI flag.
  [tls_server_name: <string> | default = ""]

  # tls_insecure_skip_verify is not exposed as CLI flag.
  [tls_insecure_skip_verify: <boolean> | default = false]

  # tls_cipher_suites is not exposed as CLI flag.
  [tls_cipher_suites: <string> | default = ""]

  # tls_min_version is not exposed as CLI flag.
  [tls_min_version: <string> | default = ""]

  # These optional Basic Auth parameters override the client-provided
  # credentials.
  basic_auth:
    # Basic Auth username
    [username: <string> | default = ""]

    # Basic Auth password
    [password: <string> | default = ""]

# Maximum number of concurrent requests to federation targets.
# CLI flag: -federation.max-concurrency
[max_concurrency: <int> | default = 20]

# Timeout for hedging requests to federation targets.
# CLI flag: -federation.hedge-requests-at
[hedge_requests_at: <duration> | default = 0s]

# Timeout for requests to federation targets.
# CLI flag: -federation.read-timeout
[read_timeout: <duration> | default = 5s]

gateway_config

The gateway_config block configures the gateway service.

proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.default.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.default.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.default.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.admin-api.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.admin-api.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.admin-api.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.compactor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.compactor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.compactor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.distributor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.distributor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.distributor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

    otlp/grpc:
      # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
      # scheme h2c:// for HTTP2 proxying.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.url
      [url: <string> | default = ""]

      # Enable keep alive for the backend.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.enable-keepalive
      [enable_keepalive: <boolean> | default = true]

      # Enable TLS in the GRPC client. This flag needs to be enabled when any
      # other TLS flag is set. If set to false, insecure connection to gRPC
      # server will be used.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Timeout when dialing backend. For proxying over GRPC, this will be used
      # only during the initial dial at startup. For proxying over HTTP this is
      # the connection timeout. Set to 0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.dial-timeout
      [dial_timeout: <duration> | default = 5s]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -gateway.proxy.distributorotlp-grpc.tls-min-version
      [tls_min_version: <string> | default = ""]

      # Timeout for write requests to the backend, set to <=0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.write-timeout
      [write_timeout: <duration> | default = 30s]

      # Timeout for read requests to the backend, set to <=0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-grpc.read-timeout
      [read_timeout: <duration> | default = 2m]

    otlp/http:
      # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
      # scheme h2c:// for HTTP2 proxying.
      # CLI flag: -gateway.proxy.distributorotlp-http.url
      [url: <string> | default = ""]

      # Enable keep alive for the backend.
      # CLI flag: -gateway.proxy.distributorotlp-http.enable-keepalive
      [enable_keepalive: <boolean> | default = true]

      # Enable TLS in the GRPC client. This flag needs to be enabled when any
      # other TLS flag is set. If set to false, insecure connection to gRPC
      # server will be used.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Timeout when dialing backend. For proxying over GRPC, this will be used
      # only during the initial dial at startup. For proxying over HTTP this is
      # the connection timeout. Set to 0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-http.dial-timeout
      [dial_timeout: <duration> | default = 5s]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -gateway.proxy.distributorotlp-http.tls-min-version
      [tls_min_version: <string> | default = ""]

      # Timeout for write requests to the backend, set to <=0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-http.write-timeout
      [write_timeout: <duration> | default = 30s]

      # Timeout for read requests to the backend, set to <=0 to disable.
      # CLI flag: -gateway.proxy.distributorotlp-http.read-timeout
      [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ingester.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.ingester.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ingester.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  querier:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.querier.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.querier.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.querier.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.querier.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.querier.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.querier.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.querier.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.querier.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.querier.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.querier.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.querier.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.querier.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.querier.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.query-frontend.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-frontend.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  metrics_generator:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.metrics-generator.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.metrics-generator.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.metrics-generator.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.metrics-generator.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.metrics-generator.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.metrics-generator.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.metrics-generator.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.metrics-generator.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.metrics-generator.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.metrics-generator.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.metrics-generator.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.metrics-generator.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.metrics-generator.read-timeout
    [read_timeout: <duration> | default = 2m]
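
The per-backend TLS options above repeat for every proxied component, so a weak setting on one backend is easy to miss in review. The following is an added example, not part of the Grafana Enterprise Traces documentation or code base: a small linter that walks an already-parsed `proxy` block (including the nested `otlp/grpc` and `otlp/http` blocks) and reports settings that conflict with the comments in this reference. The finding codes, the `SAMPLE_PROXY` data, its host names and its file paths are constructed for illustration, and the configuration is assumed to have been loaded into a dictionary by a YAML parser.

```python
# Added example: lint a parsed gateway `proxy` block against the constraints
# stated in the reference comments above. Finding codes are hypothetical names.
TLS_OPTIONS = ("tls_cert_path", "tls_key_path", "tls_ca_path", "tls_server_name",
               "tls_insecure_skip_verify", "tls_cipher_suites", "tls_min_version")
ALLOWED_VERSIONS = ("VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13")
WEAK_VERSIONS = ("VersionTLS10", "VersionTLS11")


def lint_backend(path, cfg):
    """Return (path, code) findings for one backend's scalar settings."""
    findings = []
    tls_on = bool(cfg.get("tls_enabled", False))
    # "This flag needs to be enabled when any other TLS flag is set."
    if any(cfg.get(k) for k in TLS_OPTIONS) and not tls_on:
        findings.append((path, "TLS_OPTS_WITHOUT_TLS_ENABLED"))
    # A configured backend with tls_enabled=false uses an insecure connection.
    if cfg.get("url") and not tls_on:
        findings.append((path, "PLAINTEXT_BACKEND"))
    # The client certificate and its key each require the other.
    if bool(cfg.get("tls_cert_path")) != bool(cfg.get("tls_key_path")):
        findings.append((path, "CERT_KEY_MISMATCH"))
    # Skipping validation removes server authentication entirely.
    if cfg.get("tls_insecure_skip_verify"):
        findings.append((path, "SKIP_VERIFY"))
    version = cfg.get("tls_min_version", "")
    if version and version not in ALLOWED_VERSIONS:
        findings.append((path, "INVALID_MIN_VERSION"))
    elif version in WEAK_VERSIONS:
        findings.append((path, "WEAK_MIN_VERSION"))
    return findings


def lint_proxy(proxy, prefix=""):
    """Lint every backend in the block, recursing into nested backends."""
    findings = []
    for name, cfg in proxy.items():
        path = prefix + name
        scalars = {k: v for k, v in cfg.items() if not isinstance(v, dict)}
        nested = {k: v for k, v in cfg.items() if isinstance(v, dict)}
        findings += lint_backend(path, scalars)
        findings += lint_proxy(nested, path + ".")
    return findings


# Constructed sample: hosts and paths are placeholders, not real deployments.
SAMPLE_PROXY = {
    "compactor": {"url": "h2c://compactor.example.internal:3100",
                  "tls_enabled": False, "tls_ca_path": "/etc/get/ca.pem"},
    "distributor": {
        "url": "dns://distributor.example.internal:9095", "tls_enabled": True,
        "tls_cert_path": "/etc/get/client.pem",  # key path left unset
        "tls_min_version": "VersionTLS10",
        "otlp/grpc": {"url": "dns://distributor.example.internal:4317",
                      "tls_enabled": True, "tls_insecure_skip_verify": True},
    },
    "querier": {"url": "dns://querier.example.internal:9095", "tls_enabled": True,
                "tls_ca_path": "/etc/get/ca.pem", "tls_min_version": "VersionTLS12",
                "tls_cert_path": "/etc/get/client.pem",
                "tls_key_path": "/etc/get/client.key"},
}

if __name__ == "__main__":
    for path, code in lint_proxy(SAMPLE_PROXY):
        print(f"{path}: {code}")
```

An empty `tls_min_version` is not flagged, because the reference only says that an empty value keeps the default minimum version.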

license_config

The license_config block configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

tokengen_config

The tokengen_config block configures the tokengen service.

# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be written to a file at the provided path in
# addition to being logged. Note that if the file already exists, it will not be
# overwritten, and tokengen will fail with an error.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]