Grafana Phlare operator and user guideConfigure Grafana PhlareGrafana Phlare configuration parameters

Grafana Phlare configuration parameters

You can configure Grafana Phlare by using a YAML file or via command-line flags that represent configuration parameters. To specify the YAML file, use the -config.file command-line option. If you specify both the command-line flags and YAML configuration parameters, the command-line flags take precedence over values in a YAML file.

To see the current configuration of any component, go to the /config HTTP API endpoint. Passwords are filtered out of this endpoint.

Parameters are written in YAML format, and brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a string
  • <url>: a URL
  • <filepath>: a string containing an absolute or relative path and filename to a file on disk
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <relabel_config>: a Prometheus relabeling configuration
  • <time>: a timestamp, with available formats:
    • 2006-01-20 (midnight, local timezone)
    • 2006-01-20T15:04 (local timezone)
    • RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

You can use environment variable references in the YAML configuration file to set values that need to be configurable during deployment. To do this, pass -config.expand-env=true on the command line and use ${VAR}, where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use ${VAR:default_value}, where default_value is the value to use if the environment variable is undefined.

Configuration parameters

# Comma-separated list of Phlare modules to load. The alias 'all' can be used in
# the list to load a number of core modules and will enable single-binary mode.
# CLI flag: -target
[target: <string> | default = "all"]

[scrape_configs: <list of ScrapeConfigs> | default = ]

client:
  # URL of log server.
  # CLI flag: -client.url
  [url: <url> | default = ]

  [batchwait: <duration> | default = ]

  [batchsize: <int> | default = ]

  basic_auth:
    [username: <string> | default = ""]

    [password: <string> | default = ""]

    [password_file: <string> | default = ""]

  authorization:
    [type: <string> | default = ""]

    [credentials: <string> | default = ""]

    [credentials_file: <string> | default = ""]

  oauth2:
    [client_id: <string> | default = ""]

    [client_secret: <string> | default = ""]

    [client_secret_file: <string> | default = ""]

    [scopes: <list of strings> | default = ]

    [token_url: <string> | default = ""]

    [endpoint_params: <map of string to string> | default = ]

    proxy_url:
      [url: <url> | default = ]

    tls_config:
      [ca_file: <string> | default = ""]

      [cert_file: <string> | default = ""]

      [key_file: <string> | default = ""]

      [server_name: <string> | default = ""]

      [insecure_skip_verify: <boolean> | default = ]

      [min_version: <int> | default = ]

  [bearer_token: <string> | default = ""]

  [bearer_token_file: <string> | default = ""]

  proxy_url:
    [url: <url> | default = ]

  tls_config:
    [ca_file: <string> | default = ""]

    [cert_file: <string> | default = ""]

    [key_file: <string> | default = ""]

    [server_name: <string> | default = ""]

    [insecure_skip_verify: <boolean> | default = ]

    [min_version: <int> | default = ]

  [follow_redirects: <boolean> | default = ]

  [enable_http2: <boolean> | default = ]

  # Tenant ID to use when pushing profiles to Phlare (default: anonymous).
  # CLI flag: -client.tenant-id
  [tenant_id: <string> | default = "anonymous"]

# The server block configures the HTTP and gRPC server of the launched
# service(s).
[server: <server>]

# The distributor block configures the distributor.
[distributor: <distributor>]

# The querier block configures the querier.
[querier: <querier>]

# The ingester block configures the ingester.
[ingester: <ingester>]

# The memberlist block configures the Gossip memberlist.
[memberlist: <memberlist>]

phlaredb:
  # Directory used for local storage.
  # CLI flag: -phlaredb.data-path
  [data_path: <string> | default = "./data"]

  # Upper limit to the duration of a Phlare block.
  # CLI flag: -phlaredb.max-block-duration
  [max_block_duration: <duration> | default = 3h]

tracing:
  # Set to false to disable tracing.
  # CLI flag: -tracing.enabled
  [enabled: <boolean> | default = true]

storage:
  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem.
  # CLI flag: -storage.backend
  [backend: <string> | default = "filesystem"]

  # The s3_backend block configures the connection to Amazon S3 object storage
  # backend.
  [s3: <s3_storage_backend>]

  # The gcs_backend block configures the connection to Google Cloud Storage
  # object storage backend.
  [gcs: <gcs_storage_backend>]

  # The azure_storage_backend block configures the connection to Azure object
  # storage backend.
  [azure: <azure_storage_backend>]

  # The swift_storage_backend block configures the connection to OpenStack
  # Object Storage (Swift) object storage backend.
  [swift: <swift_storage_backend>]

  # The filesystem_storage_backend block configures the usage of local file
  # system as object storage backend.
  [filesystem: <filesystem_storage_backend>]

  # Prefix for all objects stored in the backend storage. For simplicity, it may
  # only contain digits and English alphabet letters.
  # CLI flag: -storage.storage-prefix
  [storage_prefix: <string> | default = ""]

# When set to true, incoming HTTP requests must specify tenant ID in HTTP
# X-Scope-OrgId header. When set to false, tenant ID anonymous is used instead.
# CLI flag: -auth.multitenancy-enabled
[multitenancy_enabled: <boolean> | default = false]

analytics:
  # Enable anonymous usage reporting.
  # CLI flag: -usage-stats.enabled
  [reporting_enabled: <boolean> | default = true]

server

The server block configures the HTTP and gRPC server of the launched service(s).

# HTTP server listen network, default tcp
# CLI flag: -server.http-listen-network
[http_listen_network: <string> | default = "tcp"]

# HTTP server listen address.
# CLI flag: -server.http-listen-address
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 4100]

# Maximum number of simultaneous http connections, <=0 to disable
# CLI flag: -server.http-conn-limit
[http_listen_conn_limit: <int> | default = 0]

# gRPC server listen network
# CLI flag: -server.grpc-listen-network
[grpc_listen_network: <string> | default = "tcp"]

# gRPC server listen address.
# CLI flag: -server.grpc-listen-address
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# Maximum number of simultaneous grpc connections, <=0 to disable
# CLI flag: -server.grpc-conn-limit
[grpc_listen_conn_limit: <int> | default = 0]

http_tls_config:
  # HTTP server cert path.
  # CLI flag: -server.http-tls-cert-path
  [cert_file: <string> | default = ""]

  # HTTP server key path.
  # CLI flag: -server.http-tls-key-path
  [key_file: <string> | default = ""]

  # HTTP TLS Client Auth type.
  # CLI flag: -server.http-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # HTTP TLS Client CA path.
  # CLI flag: -server.http-tls-ca-path
  [client_ca_file: <string> | default = ""]

  [cipher_suites: <list of ints> | default = ]

  [curve_preferences: <list of ints> | default = ]

  [min_version: <int> | default = ]

  [max_version: <int> | default = ]

  [prefer_server_cipher_suites: <boolean> | default = ]

grpc_tls_config:
  # GRPC TLS server cert path.
  # CLI flag: -server.grpc-tls-cert-path
  [cert_file: <string> | default = ""]

  # GRPC TLS server key path.
  # CLI flag: -server.grpc-tls-key-path
  [key_file: <string> | default = ""]

  # GRPC TLS Client Auth type.
  # CLI flag: -server.grpc-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # GRPC TLS Client CA path.
  # CLI flag: -server.grpc-tls-ca-path
  [client_ca_file: <string> | default = ""]

  [cipher_suites: <list of ints> | default = ]

  [curve_preferences: <list of ints> | default = ]

  [min_version: <int> | default = ]

  [max_version: <int> | default = ]

  [prefer_server_cipher_suites: <boolean> | default = ]

# Register the intrumentation handlers (/metrics etc).
# CLI flag: -server.register-instrumentation
[register_instrumentation: <boolean> | default = true]

# Timeout for graceful shutdowns
# CLI flag: -server.graceful-shutdown-timeout
[graceful_shutdown_timeout: <duration> | default = 30s]

# Read timeout for HTTP server
# CLI flag: -server.http-read-timeout
[http_server_read_timeout: <duration> | default = 30s]

# Write timeout for HTTP server
# CLI flag: -server.http-write-timeout
[http_server_write_timeout: <duration> | default = 30s]

# Idle timeout for HTTP server
# CLI flag: -server.http-idle-timeout
[http_server_idle_timeout: <duration> | default = 2m]

# Limit on the size of a gRPC message this server can receive (bytes).
# CLI flag: -server.grpc-max-recv-msg-size-bytes
[grpc_server_max_recv_msg_size: <int> | default = 4194304]

# Limit on the size of a gRPC message this server can send (bytes).
# CLI flag: -server.grpc-max-send-msg-size-bytes
[grpc_server_max_send_msg_size: <int> | default = 4194304]

# Limit on the number of concurrent streams for gRPC calls (0 = unlimited)
# CLI flag: -server.grpc-max-concurrent-streams
[grpc_server_max_concurrent_streams: <int> | default = 100]

# The duration after which an idle connection should be closed. Default:
# infinity
# CLI flag: -server.grpc.keepalive.max-connection-idle
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# The duration for the maximum amount of time a connection may exist before it
# will be closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# An additive period after max-connection-age after which the connection will be
# forcibly closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age-grace
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# Duration after which a keepalive probe is sent in case of no activity over the
# connection., Default: 2h
# CLI flag: -server.grpc.keepalive.time
[grpc_server_keepalive_time: <duration> | default = 2h]

# After having pinged for keepalive check, the duration after which an idle
# connection should be closed, Default: 20s
# CLI flag: -server.grpc.keepalive.timeout
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# Minimum amount of time a client should wait before sending a keepalive ping.
# If client sends keepalive ping more often, server will send GOAWAY and close
# the connection.
# CLI flag: -server.grpc.keepalive.min-time-between-pings
[grpc_server_min_time_between_pings: <duration> | default = 5m]

# If true, server allows keepalive pings even when there are no active
# streams(RPCs). If false, and client sends ping when there are no active
# streams, server will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.ping-without-stream-allowed
[grpc_server_ping_without_stream_allowed: <boolean> | default = false]

# Output log messages in the given format. Valid formats: [logfmt, json]
# CLI flag: -log.format
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# Optionally log the source IPs.
# CLI flag: -server.log-source-ips-enabled
[log_source_ips_enabled: <boolean> | default = false]

# Header field storing the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-header
[log_source_ips_header: <string> | default = ""]

# Regex for matching the source IPs. Only used if server.log-source-ips-enabled
# is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For
# headers are used
# CLI flag: -server.log-source-ips-regex
[log_source_ips_regex: <string> | default = ""]

# Optionally log requests at info level instead of debug level.
# CLI flag: -server.log-request-at-info-level-enabled
[log_request_at_info_level_enabled: <boolean> | default = false]

# Base path to serve all API routes from (e.g. /v1/)
# CLI flag: -server.path-prefix
[http_path_prefix: <string> | default = ""]

distributor

The distributor block configures the distributor.

# Timeout when pushing data to ingester.
# CLI flag: -distributor.push.timeout
[pushtimeout: <duration> | default = 5s]

pool_config:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -distributor.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -distributor.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

  # Timeout for ingester client healthcheck RPCs.
  # CLI flag: -distributor.health-check-timeout
  [remote_timeout: <duration> | default = 5s]

ingester

The ingester block configures the ingester.

lifecycler:
  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -ring.prefix
      [prefix: <string> | default = "collectors/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -etcd.endpoints
        [endpoints: <list of strings> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate file, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key file for the client certificate. Also requires the
        # client certificate to be configured.
        # CLI flag: -etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates file to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas). Allowed
        # values:
        # 
        # Secure Ciphers:
        # - TLS_RSA_WITH_AES_128_CBC_SHA
        # - TLS_RSA_WITH_AES_256_CBC_SHA
        # - TLS_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_AES_128_GCM_SHA256
        # - TLS_AES_256_GCM_SHA384
        # - TLS_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        # 
        # Insecure Ciphers:
        # - TLS_RSA_WITH_RC4_128_SHA
        # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        # CLI flag: -etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # The heartbeat timeout after which ingesters are skipped for reads/writes.
    # 0 = never (timeout disabled).
    # CLI flag: -ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # The number of ingesters to write to and read from.
    # CLI flag: -distributor.replication-factor
    [replication_factor: <int> | default = 1]

    # True to enable the zone-awareness and replicate ingested samples across
    # different availability zones.
    # CLI flag: -distributor.zone-awareness-enabled
    [zone_awareness_enabled: <boolean> | default = false]

    # Comma-separated list of zones to exclude from the ring. Instances in
    # excluded zones will be filtered out from the ring.
    # CLI flag: -distributor.excluded-zones
    [excluded_zones: <string> | default = ""]

  # Number of tokens for each ingester.
  # CLI flag: -ingester.num-tokens
  [num_tokens: <int> | default = 128]

  # Period at which to heartbeat to consul. 0 = disabled.
  # CLI flag: -ingester.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # Heartbeat timeout after which instance is assumed to be unhealthy. 0 =
  # disabled.
  # CLI flag: -ingester.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Observe tokens after generating to resolve collisions. Useful when using
  # gossiping ring.
  # CLI flag: -ingester.observe-period
  [observe_period: <duration> | default = 0s]

  # Period to wait for a claim from another member; will join automatically
  # after this.
  # CLI flag: -ingester.join-after
  [join_after: <duration> | default = 0s]

  # Minimum duration to wait after the internal readiness checks have passed but
  # before succeeding the readiness endpoint. This is used to slowdown
  # deployment controllers (eg. Kubernetes) after an instance is ready and
  # before they proceed with a rolling update, to give the rest of the cluster
  # instances enough time to receive ring updates.
  # CLI flag: -ingester.min-ready-duration
  [min_ready_duration: <duration> | default = 15s]

  # Name of network interface to read address from.
  # CLI flag: -ingester.lifecycler.interface
  [interface_names: <list of strings> | default = [<private network interfaces>]]

  # Duration to sleep for before exiting, to ensure metrics are scraped.
  # CLI flag: -ingester.final-sleep
  [final_sleep: <duration> | default = 0s]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -ingester.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # The availability zone where this instance is running.
  # CLI flag: -ingester.availability-zone
  [availability_zone: <string> | default = ""]

  # Unregister from the ring upon clean shutdown. It can be useful to disable
  # for rolling restarts with consistent naming in conjunction with
  # -distributor.extend-writes=false.
  # CLI flag: -ingester.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

  # When enabled the readiness probe succeeds only after all instances are
  # ACTIVE and healthy in the ring, otherwise only the instance itself is
  # checked. This option should be disabled if in your cluster multiple
  # instances can be rolled out simultaneously, otherwise rolling updates may be
  # slowed down.
  # CLI flag: -ingester.readiness-check-ring-health
  [readiness_check_ring_health: <boolean> | default = true]

  # IP address to advertise in the ring.
  # CLI flag: -ingester.lifecycler.addr
  [address: <string> | default = ""]

  # port to advertise in consul (defaults to server.grpc-listen-port).
  # CLI flag: -ingester.lifecycler.port
  [port: <int> | default = 0]

  # ID to register in the ring.
  # CLI flag: -ingester.lifecycler.ID
  [id: <string> | default = "<hostname>"]

querier

The querier block configures the querier.

pool_config:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -querier.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -querier.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

  # Timeout for ingester client healthcheck RPCs.
  # CLI flag: -querier.health-check-timeout
  [remote_timeout: <duration> | default = 5s]

# Time to wait before sending more than the minimum successful query requests.
# CLI flag: -querier.extra-query-delay
[extra_query_delay: <duration> | default = 0s]

memberlist

The memberlist block configures the Gossip memberlist.

# Name of the node in memberlist cluster. Defaults to hostname.
# CLI flag: -memberlist.nodename
[node_name: <string> | default = ""]

# Add random suffix to the node name.
# CLI flag: -memberlist.randomize-node-name
[randomize_node_name: <boolean> | default = true]

# The timeout for establishing a connection with a remote node, and for
# read/write operations.
# CLI flag: -memberlist.stream-timeout
[stream_timeout: <duration> | default = 10s]

# Multiplication factor used when sending out messages (factor * log(N+1)).
# CLI flag: -memberlist.retransmit-factor
[retransmit_factor: <int> | default = 4]

# How often to use pull/push sync.
# CLI flag: -memberlist.pullpush-interval
[pull_push_interval: <duration> | default = 30s]

# How often to gossip.
# CLI flag: -memberlist.gossip-interval
[gossip_interval: <duration> | default = 200ms]

# How many nodes to gossip to.
# CLI flag: -memberlist.gossip-nodes
[gossip_nodes: <int> | default = 3]

# How long to keep gossiping to dead nodes, to give them chance to refute their
# death.
# CLI flag: -memberlist.gossip-to-dead-nodes-time
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# How soon can dead node's name be reclaimed with new address. 0 to disable.
# CLI flag: -memberlist.dead-node-reclaim-time
[dead_node_reclaim_time: <duration> | default = 0s]

# Enable message compression. This can be used to reduce bandwidth usage at the
# cost of slightly more CPU utilization.
# CLI flag: -memberlist.compression-enabled
[compression_enabled: <boolean> | default = true]

# Gossip address to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-addr
[advertise_addr: <string> | default = ""]

# Gossip port to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-port
[advertise_port: <int> | default = 7946]

# The cluster label is an optional string to include in outbound packets and
# gossip streams. Other members in the memberlist cluster will discard any
# message whose label doesn't match the configured one, unless the
# 'cluster-label-verification-disabled' configuration option is set to true.
# CLI flag: -memberlist.cluster-label
[cluster_label: <string> | default = ""]

# When true, memberlist doesn't verify that inbound packets and gossip streams
# have the cluster label matching the configured one. This verification should
# be disabled while rolling out the change to the configured cluster label in a
# live memberlist cluster.
# CLI flag: -memberlist.cluster-label-verification-disabled
[cluster_label_verification_disabled: <boolean> | default = false]

# Other cluster members to join. Can be specified multiple times. It can be an
# IP, hostname or an entry specified in the DNS Service Discovery format.
# CLI flag: -memberlist.join
[join_members: <list of strings> | default = []]

# Min backoff duration to join other cluster members.
# CLI flag: -memberlist.min-join-backoff
[min_join_backoff: <duration> | default = 1s]

# Max backoff duration to join other cluster members.
# CLI flag: -memberlist.max-join-backoff
[max_join_backoff: <duration> | default = 1m]

# Max number of retries to join other cluster members.
# CLI flag: -memberlist.max-join-retries
[max_join_retries: <int> | default = 10]

# If this node fails to join memberlist cluster, abort.
# CLI flag: -memberlist.abort-if-join-fails
[abort_if_cluster_join_fails: <boolean> | default = false]

# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix
# the cluster split issue, and is harmless otherwise. For example when using
# only few components as a seed nodes (via -memberlist.join), then it's
# recommended to use rejoin. If -memberlist.join points to dynamic service that
# resolves to all gossiping nodes (eg. Kubernetes headless service), then rejoin
# is not needed.
# CLI flag: -memberlist.rejoin-interval
[rejoin_interval: <duration> | default = 0s]

# How long to keep LEFT ingesters in the ring.
# CLI flag: -memberlist.left-ingesters-timeout
[left_ingesters_timeout: <duration> | default = 5m]

# Timeout for leaving memberlist cluster.
# CLI flag: -memberlist.leave-timeout
[leave_timeout: <duration> | default = 20s]

# How much space to use for keeping received and sent messages in memory for
# troubleshooting (two buffers). 0 to disable.
# CLI flag: -memberlist.message-history-buffer-bytes
[message_history_buffer_bytes: <int> | default = 0]

# IP address to listen on for gossip messages. Multiple addresses may be
# specified. Defaults to 0.0.0.0
# CLI flag: -memberlist.bind-addr
[bind_addr: <list of strings> | default = []]

# Port to listen on for gossip messages.
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# Timeout used when connecting to other nodes to send packet.
# CLI flag: -memberlist.packet-dial-timeout
[packet_dial_timeout: <duration> | default = 2s]

# Timeout for writing 'packet' data.
# CLI flag: -memberlist.packet-write-timeout
[packet_write_timeout: <duration> | default = 5s]

# Enable TLS on the memberlist transport layer.
# CLI flag: -memberlist.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate file, which will be used for authenticating
# with the server. Also requires the key path to be configured.
# CLI flag: -memberlist.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key file for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -memberlist.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates file to validate server certificate against. If
# not set, the host's root CA certificates are used.
# CLI flag: -memberlist.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -memberlist.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -memberlist.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# Override the default cipher suite list (separated by commas). Allowed values:
# 
# Secure Ciphers:
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -memberlist.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Override the default minimum TLS version. Allowed values: VersionTLS10,
# VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -memberlist.tls-min-version
[tls_min_version: <string> | default = ""]

s3_storage_backend

The s3_backend block configures the connection to Amazon S3 object storage backend.

# The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
# https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
# S3-compatible service in hostname:port format.
# CLI flag: -storage.s3.endpoint
[endpoint: <string> | default = ""]

# S3 region. If unset, the client will issue a S3 GetBucketLocation API call to
# autodetect it.
# CLI flag: -storage.s3.region
[region: <string> | default = ""]

# S3 bucket name
# CLI flag: -storage.s3.bucket-name
[bucket_name: <string> | default = ""]

# S3 secret access key
# CLI flag: -storage.s3.secret-access-key
[secret_access_key: <string> | default = ""]

# S3 access key ID
# CLI flag: -storage.s3.access-key-id
[access_key_id: <string> | default = ""]

# If enabled, use http:// for the S3 endpoint instead of https://. This could be
# useful in local dev/test environments while using an S3-compatible backend
# storage, like Minio.
# CLI flag: -storage.s3.insecure
[insecure: <boolean> | default = false]

# The signature version to use for authenticating against S3. Supported values
# are: v4, v2.
# CLI flag: -storage.s3.signature-version
[signature_version: <string> | default = "v4"]

sse:
  # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
  # CLI flag: -storage.s3.sse.type
  [type: <string> | default = ""]

  # KMS Key ID used to encrypt objects in S3
  # CLI flag: -storage.s3.sse.kms-key-id
  [kms_key_id: <string> | default = ""]

  # KMS Encryption Context used for object encryption. It expects JSON formatted
  # string.
  # CLI flag: -storage.s3.sse.kms-encryption-context
  [kms_encryption_context: <string> | default = ""]

http:
  # The time an idle connection will remain idle before closing.
  # CLI flag: -storage.s3.http.idle-conn-timeout
  [idle_conn_timeout: <duration> | default = 1m30s]

  # The amount of time the client will wait for a servers response headers.
  # CLI flag: -storage.s3.http.response-header-timeout
  [response_header_timeout: <duration> | default = 2m]

  # If the client connects to S3 via HTTPS and this option is enabled, the
  # client will accept any certificate and hostname.
  # CLI flag: -storage.s3.http.insecure-skip-verify
  [insecure_skip_verify: <boolean> | default = false]

  # Maximum time to wait for a TLS handshake. 0 means no limit.
  # CLI flag: -storage.s3.tls-handshake-timeout
  [tls_handshake_timeout: <duration> | default = 10s]

  # The time to wait for a server's first response headers after fully writing
  # the request headers if the request has an Expect header. 0 to send the
  # request body immediately.
  # CLI flag: -storage.s3.expect-continue-timeout
  [expect_continue_timeout: <duration> | default = 1s]

  # Maximum number of idle (keep-alive) connections across all hosts. 0 means no
  # limit.
  # CLI flag: -storage.s3.max-idle-connections
  [max_idle_connections: <int> | default = 100]

  # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a
  # built-in default value is used.
  # CLI flag: -storage.s3.max-idle-connections-per-host
  [max_idle_connections_per_host: <int> | default = 100]

  # Maximum number of connections per host. 0 means no limit.
  # CLI flag: -storage.s3.max-connections-per-host
  [max_connections_per_host: <int> | default = 0]

gcs_storage_backend

The gcs_backend block configures the connection to Google Cloud Storage object storage backend.

# GCS bucket name
# CLI flag: -storage.gcs.bucket-name
[bucket_name: <string> | default = ""]

# JSON either from a Google Developers Console client_credentials.json file, or
# a Google Developers service account key. Needs to be valid JSON, not a
# filesystem path. If empty, fallback to Google default logic:
# 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
# environment variable. For workload identity federation, refer to
# https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on
# how to generate the JSON configuration file for on-prem/non-Google cloud
# platforms.
# 2. A JSON file in a location known to the gcloud command-line tool:
# $HOME/.config/gcloud/application_default_credentials.json.
# 3. On Google Compute Engine it fetches credentials from the metadata server.
# CLI flag: -storage.gcs.service-account
[service_account: <string> | default = ""]

azure_storage_backend

The azure_storage_backend block configures the connection to Azure object storage backend.

# Azure storage account name
# CLI flag: -storage.azure.account-name
[account_name: <string> | default = ""]

# Azure storage account key
# CLI flag: -storage.azure.account-key
[account_key: <string> | default = ""]

# Azure storage container name
# CLI flag: -storage.azure.container-name
[container_name: <string> | default = ""]

# Azure storage endpoint suffix without schema. The account name will be
# prefixed to this value to create the FQDN. If set to empty string, default
# endpoint suffix is used.
# CLI flag: -storage.azure.endpoint-suffix
[endpoint_suffix: <string> | default = ""]

# Number of retries for recoverable errors
# CLI flag: -storage.azure.max-retries
[max_retries: <int> | default = 20]

# User assigned identity. If empty, then System assigned identity is used.
# CLI flag: -storage.azure.user-assigned-id
[user_assigned_id: <string> | default = ""]

swift_storage_backend

The swift_storage_backend block configures the connection to OpenStack Object Storage (Swift) object storage backend.

# OpenStack Swift authentication API version. 0 to autodetect.
# CLI flag: -storage.swift.auth-version
[auth_version: <int> | default = 0]

# OpenStack Swift authentication URL
# CLI flag: -storage.swift.auth-url
[auth_url: <string> | default = ""]

# OpenStack Swift username.
# CLI flag: -storage.swift.username
[username: <string> | default = ""]

# OpenStack Swift user's domain name.
# CLI flag: -storage.swift.user-domain-name
[user_domain_name: <string> | default = ""]

# OpenStack Swift user's domain ID.
# CLI flag: -storage.swift.user-domain-id
[user_domain_id: <string> | default = ""]

# OpenStack Swift user ID.
# CLI flag: -storage.swift.user-id
[user_id: <string> | default = ""]

# OpenStack Swift API key.
# CLI flag: -storage.swift.password
[password: <string> | default = ""]

# OpenStack Swift user's domain ID.
# CLI flag: -storage.swift.domain-id
[domain_id: <string> | default = ""]

# OpenStack Swift user's domain name.
# CLI flag: -storage.swift.domain-name
[domain_name: <string> | default = ""]

# OpenStack Swift project ID (v2,v3 auth only).
# CLI flag: -storage.swift.project-id
[project_id: <string> | default = ""]

# OpenStack Swift project name (v2,v3 auth only).
# CLI flag: -storage.swift.project-name
[project_name: <string> | default = ""]

# ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
# differs the from user domain.
# CLI flag: -storage.swift.project-domain-id
[project_domain_id: <string> | default = ""]

# Name of the OpenStack Swift project's domain (v3 auth only), only needed if it
# differs from the user domain.
# CLI flag: -storage.swift.project-domain-name
[project_domain_name: <string> | default = ""]

# OpenStack Swift Region to use (v2,v3 auth only).
# CLI flag: -storage.swift.region-name
[region_name: <string> | default = ""]

# Name of the OpenStack Swift container to put chunks in.
# CLI flag: -storage.swift.container-name
[container_name: <string> | default = ""]

# Max retries on requests error.
# CLI flag: -storage.swift.max-retries
[max_retries: <int> | default = 3]

# Time after which a connection attempt is aborted.
# CLI flag: -storage.swift.connect-timeout
[connect_timeout: <duration> | default = 10s]

# Time after which an idle request is aborted. The timeout watchdog is reset
# each time some data is received, so the timeout triggers after X time no data
# is received on a request.
# CLI flag: -storage.swift.request-timeout
[request_timeout: <duration> | default = 5s]

filesystem_storage_backend

The filesystem_storage_backend block configures the usage of local file system as object storage backend.

# Local filesystem storage directory.
# CLI flag: -storage.filesystem.dir
[dir: <string> | default = ""]

Scrape configs

The root block scrape_configs configure the list of scrape config used by the Agent to scrape and push profiles.

The scrape_config block configures a single Agent scrape config.

# The job name assigned to scraped profiles by default.
[job_name: <string> | default = ""]

# Optional HTTP URL parameters.
params:
  [ <string>: [<string>, ...] ]

# How frequently to scrape targets from this job.
[scrape_interval:  <duration> | default = 10s]

# Per-scrape timeout when scraping this job.
[scrape_timeout:  <duration> | default = 0s]

# Configures the protocol scheme used for requests.
[scheme: <string> | default = "http"]

# Configures profile types and their path to scrape for this job.
profiling_config:
  pprof_config:
     [ <string>: [<pprof_config>]
  [path_prefix: <string> | default = ""]

# List of target relabel configurations.
relabel_configs:
  [ - <relabel_config> ... ]

# List of labeled statically configured targets for this job.
static_configs:
  [ - <static_config> ... ]

# List of Kubernetes service discovery configurations.
kubernetes_sd_configs:
   [ - <kubernetes_sd_config> ... ]

# Sets the `Authorization` header on every scrape request with the
# configured username and password.
# password and password_file are mutually exclusive.
basic_auth:
  [ username: <string> ]
  [ password: <secret> ]
  [ password_file: <string> ]

# Sets the `Authorization` header on every scrape request with
# the configured credentials.
authorization:
  # Sets the authentication type of the request.
  [ type: <string> | default: Bearer ]
  # Sets the credentials of the request. It is mutually exclusive with
  # `credentials_file`.
  [ credentials: <secret> ]
  # Sets the credentials of the request with the credentials read from the
  # configured file. It is mutually exclusive with `credentials`.
  [ credentials_file: <filename> ]

# Optional OAuth 2.0 configuration.
# Cannot be used at the same time as basic_auth or authorization.
oauth2:
  [ <oauth2> ]

# Configure whether scrape requests follow HTTP 3xx redirects.
[ follow_redirects: <boolean> | default = true ]

# Whether to enable HTTP2.
[ enable_http2: <bool> | default: true ]

# Configures the scrape request's TLS settings.
tls_config:
  [ <tls_config> ]

# Optional proxy URL.
[ proxy_url: <string> ]

You can refer to the Prometheus documentation the following block:

pprof_config

The block pprof_config configure a single pprof scraping configuration.

# Whether to enable this profile type scraping.
[enabled: <bool | default: none>]

# Configures the path to scrape this profile type.
[path: <string | default: none>]

# Whether this profile type is a delta.
# A delta profile type means the profile data contains data only for the scraping period.
# A seconds URL parameters will be added to all delta profile type scraping to notify the endpoint
# the period of scraping.
[delta:  <bool | default: false>]