
Grafana Enterprise Metrics (GEM) can be configured using a YAML file, specified using the -config.file flag, or CLI flags. If you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEM component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

Reference

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the schema below. Brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a regular string
  • <url>: a URL
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <relabel_config>: a Prometheus relabeling configuration.
  • <time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

When the -config.expand-env flag is set, you can use environment variable references in the config file to set values that need to be configurable during deployment. To do this, use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:default_value}

Where default_value is the value to use if the environment variable is undefined.
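
The following added example (not part of the Grafana documentation or of GEM's code) is a pre-deployment check built on the rules above: it reports references that would silently expand to an empty string and environment values that would alter the YAML once substituted, because replacement happens before parsing. It models only the two reference forms shown here; the sample config and environment are constructed, and the YAML-hazard test is a heuristic of this example.

```python
import re

# Models only the two reference forms shown on this page:
#   ${VAR}  and  ${VAR:default_value}
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def expand(text, env):
    """Textual substitution as described above: case-sensitive, done before
    YAML parsing, undefined references without a default become ''."""
    def repl(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        return default if default is not None else ""
    return REF.sub(repl, text)


def yaml_hazard(value):
    """Heuristic (assumption of this example): would this value change meaning
    when pasted unquoted into a YAML scalar position?"""
    if "\n" in value:
        return "newline can inject extra keys"
    if value.startswith("#") or " #" in value:
        return "'#' starts a comment and truncates the value"
    if ": " in value or value.endswith(":"):
        return "': ' turns the scalar into a mapping"
    if value and value[0] in "&*!|>%@`{[\"'":
        return "leading YAML indicator character"
    return None


def preflight(text, env):
    """Return (line_number, variable, problem) for every risky reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in REF.finditer(line):
            name, default = match.group(1), match.group(2)
            if name not in env:
                if default is None:
                    findings.append(
                        (lineno, name, "undefined: expands to an empty string"))
                continue
            problem = yaml_hazard(env[name])
            if problem:
                findings.append((lineno, name, problem))
    return findings


# Constructed sample config, using option names from the reference below.
SAMPLE_CONFIG = """\
common:
  storage:
    backend: s3
    s3:
      bucket_name: ${GEM_BUCKET:gem-blocks}
      access_key_id: ${S3_ACCESS_KEY_ID}
      secret_access_key: ${S3_SECRET_ACCESS_KEY}
vault:
  auth:
    type: token
    token:
      token: ${vault_token}
"""

# Constructed environment. VAULT_TOKEN does not satisfy ${vault_token}
# because matching is case-sensitive; the secret contains ' #'.
SAMPLE_ENV = {
    "S3_ACCESS_KEY_ID": "constructed-key-id",
    "S3_SECRET_ACCESS_KEY": "constructed #secret",
    "VAULT_TOKEN": "constructed-token",
}

if __name__ == "__main__":
    for lineno, name, problem in preflight(SAMPLE_CONFIG, SAMPLE_ENV):
        print(f"line {lineno}: ${{{name}}}: {problem}")
```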

Supported contents and default values of the config file

# Comma-separated list of components to include in the instantiated process. The
# default value 'all' includes all components that are required to form a
# functional Grafana GEM instance in single-binary mode. Use the '-modules'
# command line flag to get a list of available components, and to see which
# components are included with 'all'.
# CLI flag: -target
[target: <string> | default = "all"]

# When set to true, incoming HTTP requests must specify tenant ID in HTTP
# X-Scope-OrgId header. When set to false, tenant ID from -auth.no-auth-tenant
# is used instead.
# CLI flag: -auth.multitenancy-enabled
[multitenancy_enabled: <boolean> | default = true]

# (advanced) Tenant ID to use when multitenancy is disabled.
# CLI flag: -auth.no-auth-tenant
[no_auth_tenant: <string> | default = "anonymous"]

# (advanced) How long to wait between SIGTERM and shutdown. After receiving
# SIGTERM, GEM will report not-ready status via /ready endpoint.
# CLI flag: -shutdown-delay
[shutdown_delay: <duration> | default = 0s]

# (experimental) Maximum number of groups allowed per user by which specified
# distributor and ingester metrics can be further separated.
# CLI flag: -max-separate-metrics-groups-per-user
[max_separate_metrics_groups_per_user: <int> | default = 1000]

# (advanced) Set to true to enable all Go runtime metrics, such as go_sched_*
# and go_memstats_*.
# CLI flag: -enable-go-runtime-metrics
[enable_go_runtime_metrics: <boolean> | default = false]

api:
  # (advanced) Allows skipping label name validation via
  # X-Mimir-SkipLabelNameValidation header on the http write path. Use with
  # caution as it breaks PromQL. Allowing this for external clients allows any
  # client to send invalid label names. After enabling it, requests with a
  # specific HTTP header set to true will not have label names validated.
  # CLI flag: -api.skip-label-name-validation-header-enabled
  [skip_label_name_validation_header_enabled: <boolean> | default = false]

  # (deprecated) Enable GET requests to the /ingester/shutdown endpoint to
  # trigger an ingester shutdown. This is a potentially dangerous operation and
  # should only be enabled consciously.
  # CLI flag: -api.get-request-for-ingester-shutdown-enabled
  [get_request_for_ingester_shutdown_enabled: <boolean> | default = false]

  # (advanced) HTTP URL path under which the Alertmanager ui and api will be
  # served.
  # CLI flag: -http.alertmanager-http-prefix
  [alertmanager_http_prefix: <string> | default = "/alertmanager"]

  # (advanced) HTTP URL path under which the Prometheus api will be served.
  # CLI flag: -http.prometheus-http-prefix
  [prometheus_http_prefix: <string> | default = "/prometheus"]

# The server configures the HTTP and gRPC server of the launched service(s).
[server: <server>]

# The distributor configures the GEM distributor.
[distributor: <distributor>]

# The querier configures the GEM querier.
[querier: <querier>]

# The ingester_client configures how the GEM distributors connect to the
# ingesters.
[ingester_client: <ingester_client>]

# The ingester configures the GEM ingester.
[ingester: <ingester>]

# The flusher configures the WAL flusher target, used to manually run one-time
# flushes when scaling down ingesters.
[flusher: <flusher>]

# The limits configures default and per-tenant limits imposed by GEM services
# (ie. distributor, ingester, ...).
[limits: <limits>]

# The frontend_worker configures the worker - running within the GEM querier -
# picking up and executing queries enqueued by the query-frontend or
# query-scheduler.
[frontend_worker: <frontend_worker>]

# The frontend configures the GEM query-frontend.
[frontend: <frontend>]

ingest_storage:
  # True to enable the ingestion via object storage.
  # CLI flag: -ingest-storage.enabled
  [enabled: <boolean> | default = false]

  kafka:
    # The Kafka backend address.
    # CLI flag: -ingest-storage.kafka.address
    [address: <string> | default = ""]

    # The Kafka topic name.
    # CLI flag: -ingest-storage.kafka.topic
    [topic: <string> | default = ""]

    # The Kafka client ID.
    # CLI flag: -ingest-storage.kafka.client-id
    [client_id: <string> | default = ""]

    # The maximum time allowed to open a connection to a Kafka broker.
    # CLI flag: -ingest-storage.kafka.dial-timeout
    [dial_timeout: <duration> | default = 2s]

    # How long to wait for an incoming write request to be successfully
    # committed to the Kafka backend.
    # CLI flag: -ingest-storage.kafka.write-timeout
    [write_timeout: <duration> | default = 10s]

    # The number of Kafka clients used by producers. When the configured number
    # of clients is greater than 1, partitions are sharded among Kafka clients.
    # A higher number of clients may provide higher write throughput at the cost
    # of additional Metadata requests pressure to Kafka.
    # CLI flag: -ingest-storage.kafka.write-clients
    [write_clients: <int> | default = 1]

    # The consumer group used by the consumer to track the last consumed offset.
    # The consumer group must be different for each ingester. If the configured
    # consumer group contains the '<partition>' placeholder, it is replaced with
    # the actual partition ID owned by the ingester. When empty (recommended),
    # GEM uses the ingester instance ID to guarantee uniqueness.
    # CLI flag: -ingest-storage.kafka.consumer-group
    [consumer_group: <string> | default = ""]

    # How frequently a consumer should commit the consumed offset to Kafka. The
    # last committed offset is used at startup to continue the consumption from
    # where it was left.
    # CLI flag: -ingest-storage.kafka.consumer-group-offset-commit-interval
    [consumer_group_offset_commit_interval: <duration> | default = 1s]

    # How frequently to poll the last produced offset, used to enforce strong
    # read consistency.
    # CLI flag: -ingest-storage.kafka.last-produced-offset-poll-interval
    [last_produced_offset_poll_interval: <duration> | default = 1s]

    # How long to retry a failed request to get the last produced offset.
    # CLI flag: -ingest-storage.kafka.last-produced-offset-retry-timeout
    [last_produced_offset_retry_timeout: <duration> | default = 10s]

    # From which position to start consuming the partition at startup. Supported
    # options: last-offset, start, end, timestamp.
    # CLI flag: -ingest-storage.kafka.consume-from-position-at-startup
    [consume_from_position_at_startup: <string> | default = "last-offset"]

    # Milliseconds timestamp after which the consumption of the partition starts
    # at startup. Only applies when consume-from-position-at-startup is
    # timestamp
    # CLI flag: -ingest-storage.kafka.consume-from-timestamp-at-startup
    [consume_from_timestamp_at_startup: <int> | default = 0]

    # The best-effort maximum lag a consumer tries to achieve at startup. Set
    # both -ingest-storage.kafka.target-consumer-lag-at-startup and
    # -ingest-storage.kafka.max-consumer-lag-at-startup to 0 to disable waiting
    # for maximum consumer lag being honored at startup.
    # CLI flag: -ingest-storage.kafka.target-consumer-lag-at-startup
    [target_consumer_lag_at_startup: <duration> | default = 2s]

    # The guaranteed maximum lag before a consumer is considered to have caught
    # up reading from a partition at startup, becomes ACTIVE in the hash ring
    # and passes the readiness check. Set both
    # -ingest-storage.kafka.target-consumer-lag-at-startup and
    # -ingest-storage.kafka.max-consumer-lag-at-startup to 0 to disable waiting
    # for maximum consumer lag being honored at startup.
    # CLI flag: -ingest-storage.kafka.max-consumer-lag-at-startup
    [max_consumer_lag_at_startup: <duration> | default = 15s]

    # Enable auto-creation of Kafka topic if it doesn't exist.
    # CLI flag: -ingest-storage.kafka.auto-create-topic-enabled
    [auto_create_topic_enabled: <boolean> | default = true]

    # When auto-creation of Kafka topic is enabled and this value is positive,
    # Kafka's num.partitions configuration option is set on Kafka brokers with
    # this value when a GEM component that uses Kafka starts. This configuration
    # option specifies the default number of partitions that the Kafka broker
    # uses for auto-created topics. Note that this is a Kafka-cluster wide
    # setting, and applies to any auto-created topic. If the setting of
    # num.partitions fails, GEM proceeds anyway, but auto-created topics could
    # have an incorrect number of partitions.
    # CLI flag: -ingest-storage.kafka.auto-create-topic-default-partitions
    [auto_create_topic_default_partitions: <int> | default = 0]

    # The maximum size of Kafka record data that should be generated by the
    # producer. An incoming write request larger than this size is split into
    # multiple Kafka records. We strongly recommend not changing this setting
    # except for testing purposes.
    # CLI flag: -ingest-storage.kafka.producer-max-record-size-bytes
    [producer_max_record_size_bytes: <int> | default = 15983616]

    # The maximum size of (uncompressed) buffered and unacknowledged produced
    # records sent to Kafka. The produce request fails once this limit is
    # reached. This limit is per Kafka client. 0 to disable the limit.
    # CLI flag: -ingest-storage.kafka.producer-max-buffered-bytes
    [producer_max_buffered_bytes: <int> | default = 1073741824]

    # The maximum time a read request processed by an ingester is allowed to
    # wait until strong read consistency is enforced. 0 to disable the timeout.
    # CLI flag: -ingest-storage.kafka.wait-strong-read-consistency-timeout
    [wait_strong_read_consistency_timeout: <duration> | default = 20s]

  migration:
    # When both this option and ingest storage are enabled, distributors write
    # to both Kafka and ingesters. A write request is considered successful only
    # when written to both backends.
    # CLI flag: -ingest-storage.migration.distributor-send-to-ingesters-enabled
    [distributor_send_to_ingesters_enabled: <boolean> | default = false]

# The blocks_storage configures the blocks storage.
[blocks_storage: <blocks_storage>]

# The compactor configures the compactor for the blocks storage.
[compactor: <compactor>]

# The store_gateway configures the store-gateway service used by the blocks
# storage.
[store_gateway: <store_gateway>]

tenant_federation:
  # If enabled on all services, queries can be federated across multiple
  # tenants. The tenant IDs involved need to be specified separated by a '|'
  # character in the 'X-Scope-OrgID' header.
  # CLI flag: -tenant-federation.enabled
  [enabled: <boolean> | default = true]

  # (experimental) The number of workers used for each tenant federated query.
  # This setting limits the maximum number of per-tenant queries executed at a
  # time for a tenant federated query.
  # CLI flag: -tenant-federation.max-concurrent
  [max_concurrent: <int> | default = 16]

  # The max number of tenant IDs that may be supplied for a federated query if
  # enabled. 0 to disable the limit.
  # CLI flag: -tenant-federation.max-tenants
  [max_tenants: <int> | default = 0]

activity_tracker:
  # File where ongoing activities are stored. If empty, activity tracking is
  # disabled.
  # CLI flag: -activity-tracker.filepath
  [filepath: <string> | default = "./metrics-activity.log"]

  # (advanced) Max number of concurrent activities that can be tracked. Used to
  # size the file in advance. Additional activities are ignored.
  # CLI flag: -activity-tracker.max-entries
  [max_entries: <int> | default = 1024]

vault:
  # (experimental) Enables fetching of keys and certificates from Vault
  # CLI flag: -vault.enabled
  [enabled: <boolean> | default = false]

  # (experimental) Location of the Vault server
  # CLI flag: -vault.url
  [url: <string> | default = ""]

  # (experimental) Location of secrets engine within Vault
  # CLI flag: -vault.mount-path
  [mount_path: <string> | default = ""]

  auth:
    # (experimental) Authentication type to use. Supported types are: approle,
    # kubernetes, userpass, token
    # CLI flag: -vault.auth.type
    [type: <string> | default = ""]

    approle:
      # (experimental) Role ID of the AppRole
      # CLI flag: -vault.auth.approle.role-id
      [role_id: <string> | default = ""]

      # (experimental) Secret ID issued against the AppRole
      # CLI flag: -vault.auth.approle.secret-id
      [secret_id: <string> | default = ""]

      # (experimental) Response wrapping token if the Secret ID is response
      # wrapped
      # CLI flag: -vault.auth.approle.wrapping-token
      [wrapping_token: <boolean> | default = false]

      # (experimental) Path if the Vault backend was mounted using a non-default
      # path
      # CLI flag: -vault.auth.approle.mount-path
      [mount_path: <string> | default = ""]

    kubernetes:
      # (experimental) The Kubernetes named role
      # CLI flag: -vault.auth.kubernetes.role-name
      [role_name: <string> | default = ""]

      # (experimental) The Service Account JWT
      # CLI flag: -vault.auth.kubernetes.service-account-token
      [service_account_token: <string> | default = ""]

      # (experimental) Path to where the Kubernetes service account token is
      # mounted. By default it lives at
      # /var/run/secrets/kubernetes.io/serviceaccount/token. Field will be used
      # if the service_account_token is not specified.
      # CLI flag: -vault.auth.kubernetes.service-account-token-path
      [service_account_token_path: <string> | default = ""]

      # (experimental) Path if the Vault backend was mounted using a non-default
      # path
      # CLI flag: -vault.auth.kubernetes.mount-path
      [mount_path: <string> | default = ""]

    userpass:
      # (experimental) The userpass auth method username
      # CLI flag: -vault.auth.userpass.username
      [username: <string> | default = ""]

      # (experimental) The userpass auth method password
      # CLI flag: -vault.auth.userpass.password
      [password: <string> | default = ""]

      # (experimental) Path if the Vault backend was mounted using a non-default
      # path
      # CLI flag: -vault.auth.userpass.mount-path
      [mount_path: <string> | default = ""]

    token:
      # (experimental) The token used to authenticate against Vault
      # CLI flag: -vault.auth.token
      [token: <string> | default = ""]

# The ruler configures the GEM ruler.
[ruler: <ruler>]

# The ruler_storage configures the GEM ruler storage backend.
[ruler_storage: <ruler_storage>]

# The alertmanager configures the GEM alertmanager.
[alertmanager: <alertmanager>]

# The alertmanager_storage configures the GEM alertmanager storage backend.
[alertmanager_storage: <alertmanager_storage>]

runtime_config:
  # (advanced) How often to check runtime config files.
  # CLI flag: -runtime-config.reload-period
  [period: <duration> | default = 10s]

  # Comma separated list of yaml files with the configuration that can be
  # updated at runtime. Runtime config files will be merged from left to right.
  # CLI flag: -runtime-config.file
  [file: <string> | default = ""]

# The memberlist configures the Gossip memberlist.
[memberlist: <memberlist>]

# The query_scheduler configures query scheduler module.
[query_scheduler: <query_scheduler>]

usage_stats:
  # Enable anonymous usage reporting.
  # CLI flag: -usage-stats.enabled
  [enabled: <boolean> | default = true]

  # Installation mode. Supported values: custom, helm, jsonnet.
  # CLI flag: -usage-stats.installation-mode
  [installation_mode: <string> | default = "custom"]

overrides_exporter:
  ring:
    # Enable the ring used by override-exporters to deduplicate exported limit
    # metrics.
    # CLI flag: -overrides-exporter.ring.enabled
    [enabled: <boolean> | default = false]

    # The key-value store used to share the hash ring across multiple instances.
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -overrides-exporter.ring.store
      [store: <string> | default = "memberlist"]

      # (advanced) The prefix for the keys in the store. Should end with a /.
      # CLI flag: -overrides-exporter.ring.prefix
      [prefix: <string> | default = "collectors/"]

      # The consul configures the consul client.
      # The CLI flags prefix for this block configuration is:
      # overrides-exporter.ring
      [consul: <consul>]

      # The etcd configures the etcd client.
      # The CLI flags prefix for this block configuration is:
      # overrides-exporter.ring
      [etcd: <etcd>]

      multi:
        # (advanced) Primary backend storage used by multi-client.
        # CLI flag: -overrides-exporter.ring.multi.primary
        [primary: <string> | default = ""]

        # (advanced) Secondary backend storage used by multi-client.
        # CLI flag: -overrides-exporter.ring.multi.secondary
        [secondary: <string> | default = ""]

        # (advanced) Mirror writes to secondary store.
        # CLI flag: -overrides-exporter.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # (advanced) Timeout for storing value to secondary store.
        # CLI flag: -overrides-exporter.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
    # CLI flag: -overrides-exporter.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # (advanced) The heartbeat timeout after which overrides-exporters are
    # considered unhealthy within the ring. 0 = never (timeout disabled).
    # CLI flag: -overrides-exporter.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # (advanced) Instance ID to register in the ring.
    # CLI flag: -overrides-exporter.ring.instance-id
    [instance_id: <string> | default = "<hostname>"]

    # List of network interface names to look up when finding the instance IP
    # address.
    # CLI flag: -overrides-exporter.ring.instance-interface-names
    [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

    # (advanced) Port to advertise in the ring (defaults to
    # -server.grpc-listen-port).
    # CLI flag: -overrides-exporter.ring.instance-port
    [instance_port: <int> | default = 0]

    # (advanced) IP address to advertise in the ring. Default is auto-detected.
    # CLI flag: -overrides-exporter.ring.instance-addr
    [instance_addr: <string> | default = ""]

    # (advanced) Enable using an IPv6 instance address. (default false)
    # CLI flag: -overrides-exporter.ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

    # (advanced) Minimum time to wait for ring stability at startup, if set to
    # positive value. Set to 0 to disable.
    # CLI flag: -overrides-exporter.ring.wait-stability-min-duration
    [wait_stability_min_duration: <duration> | default = 0s]

    # (advanced) Maximum time to wait for ring stability at startup. If the
    # overrides-exporter ring keeps changing after this period of time, it will
    # start anyway.
    # CLI flag: -overrides-exporter.ring.wait-stability-max-duration
    [wait_stability_max_duration: <duration> | default = 5m]

  # Comma-separated list of metrics to include in the exporter. Allowed metric
  # names: ingestion_rate, ingestion_burst_size, max_global_series_per_user,
  # max_global_series_per_metric, max_global_exemplars_per_user,
  # max_fetched_chunks_per_query, max_fetched_series_per_query,
  # max_fetched_chunk_bytes_per_query, ruler_max_rules_per_rule_group,
  # ruler_max_rule_groups_per_tenant, max_global_metadata_per_user,
  # max_global_metadata_per_metric, request_rate, request_burst_size,
  # alertmanager_notification_rate_limit,
  # alertmanager_max_dispatcher_aggregation_groups,
  # alertmanager_max_alerts_count, alertmanager_max_alerts_size_bytes.
  # CLI flag: -overrides-exporter.enabled-metrics
  [enabled_metrics: <string> | default = "ingestion_rate,ingestion_burst_size,max_global_series_per_user,max_global_series_per_metric,max_global_exemplars_per_user,max_fetched_chunks_per_query,max_fetched_series_per_query,max_fetched_chunk_bytes_per_query,ruler_max_rules_per_rule_group,ruler_max_rule_groups_per_tenant"]

common:
  storage:
    # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
    # filesystem.
    # CLI flag: -common.storage.backend
    [backend: <string> | default = "filesystem"]

    s3:
      # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
      # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of
      # an S3-compatible service in hostname:port format.
      # CLI flag: -common.storage.s3.endpoint
      [endpoint: <string> | default = ""]

      # S3 region. If unset, the client will issue an S3 GetBucketLocation API
      # call to autodetect it.
      # CLI flag: -common.storage.s3.region
      [region: <string> | default = ""]

      # S3 bucket name
      # CLI flag: -common.storage.s3.bucket-name
      [bucket_name: <string> | default = ""]

      # S3 secret access key
      # CLI flag: -common.storage.s3.secret-access-key
      [secret_access_key: <string> | default = ""]

      # S3 access key ID
      # CLI flag: -common.storage.s3.access-key-id
      [access_key_id: <string> | default = ""]

      # S3 session token
      # CLI flag: -common.storage.s3.session-token
      [session_token: <string> | default = ""]

      # (advanced) If enabled, use http:// for the S3 endpoint instead of
      # https://. This could be useful in local dev/test environments while
      # using an S3-compatible backend storage, like Minio.
      # CLI flag: -common.storage.s3.insecure
      [insecure: <boolean> | default = false]

      # (advanced) The signature version to use for authenticating against S3.
      # Supported values are: v4, v2.
      # CLI flag: -common.storage.s3.signature-version
      [signature_version: <string> | default = "v4"]

      # (advanced) Use a specific version of the S3 list object API. Supported
      # values are v1 or v2. Default is unset.
      # CLI flag: -common.storage.s3.list-objects-version
      [list_objects_version: <string> | default = ""]

      # (advanced) Bucket lookup style type, used to access bucket in
      # S3-compatible service. Default is auto. Supported values are: auto,
      # path, virtual-hosted.
      # CLI flag: -common.storage.s3.bucket-lookup-type
      [bucket_lookup_type: <string> | default = "auto"]

      # (experimental) When enabled, direct all AWS S3 requests to the
      # dual-stack IPv4/IPv6 endpoint for the configured region.
      # CLI flag: -common.storage.s3.dualstack-enabled
      [dualstack_enabled: <boolean> | default = true]

      # (experimental) The S3 storage class to use, not set by default. Details
      # can be found at https://aws.amazon.com/s3/storage-classes/. Supported
      # values are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA,
      # ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
      # CLI flag: -common.storage.s3.storage-class
      [storage_class: <string> | default = ""]

      # (experimental) If enabled, it will use the default authentication
      # methods of the AWS SDK for go based on known environment variables and
      # known AWS config files.
      # CLI flag: -common.storage.s3.native-aws-auth-enabled
      [native_aws_auth_enabled: <boolean> | default = false]

      # (experimental) The minimum file size in bytes used for multipart
      # uploads. If 0, the value is optimally computed for each object.
      # CLI flag: -common.storage.s3.part-size
      [part_size: <int> | default = 0]

      # (experimental) If enabled, a Content-MD5 header is sent with S3 Put
      # Object requests. Consumes more resources to compute the MD5, but may
      # improve compatibility with object storage services that do not support
      # checksums.
      # CLI flag: -common.storage.s3.send-content-md5
      [send_content_md5: <boolean> | default = false]

      # Accessing S3 resources using temporary, secure credentials provided by
      # AWS Security Token Service.
      # CLI flag: -common.storage.s3.sts-endpoint
      [sts_endpoint: <string> | default = ""]

      # The s3_sse configures the S3 server-side encryption.
      # The CLI flags prefix for this block configuration is: common.storage
      [sse: <s3_sse>]

      http:
        # (advanced) The time an idle connection will remain idle before
        # closing.
        # CLI flag: -common.storage.s3.http.idle-conn-timeout
        [idle_conn_timeout: <duration> | default = 1m30s]

        # (advanced) The amount of time the client will wait for a server's
        # response headers.
        # CLI flag: -common.storage.s3.http.response-header-timeout
        [response_header_timeout: <duration> | default = 2m]

        # (advanced) If the client connects to S3 via HTTPS and this option is
        # enabled, the client will accept any certificate and hostname.
        # CLI flag: -common.storage.s3.http.insecure-skip-verify
        [insecure_skip_verify: <boolean> | default = false]

        # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
        # CLI flag: -common.storage.s3.tls-handshake-timeout
        [tls_handshake_timeout: <duration> | default = 10s]

        # (advanced) The time to wait for a server's first response headers
        # after fully writing the request headers if the request has an Expect
        # header. 0 to send the request body immediately.
        # CLI flag: -common.storage.s3.expect-continue-timeout
        [expect_continue_timeout: <duration> | default = 1s]

        # (advanced) Maximum number of idle (keep-alive) connections across all
        # hosts. 0 means no limit.
        # CLI flag: -common.storage.s3.max-idle-connections
        [max_idle_connections: <int> | default = 100]

        # (advanced) Maximum number of idle (keep-alive) connections to keep
        # per-host. If 0, a built-in default value is used.
        # CLI flag: -common.storage.s3.max-idle-connections-per-host
        [max_idle_connections_per_host: <int> | default = 100]

        # (advanced) Maximum number of connections per host. 0 means no limit.
        # CLI flag: -common.storage.s3.max-connections-per-host
        [max_connections_per_host: <int> | default = 0]

        # (advanced) Path to the CA certificates to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -common.storage.s3.http.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # (advanced) Path to the client certificate, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -common.storage.s3.http.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # (advanced) Path to the key for the client certificate. Also requires
        # the client certificate to be configured.
        # CLI flag: -common.storage.s3.http.tls-key-path
        [tls_key_path: <string> | default = ""]

        # (advanced) Override the expected name on the server certificate.
        # CLI flag: -common.storage.s3.http.tls-server-name
        [tls_server_name: <string> | default = ""]

      trace:
        # (advanced) When enabled, low-level S3 HTTP operation information is
        # logged at the debug level.
        # CLI flag: -common.storage.s3.trace.enabled
        [enabled: <boolean> | default = false]

    gcs:
      # GCS bucket name
      # CLI flag: -common.storage.gcs.bucket-name
      [bucket_name: <string> | default = ""]

      # JSON either from a Google Developers Console client_credentials.json
      # file, or a Google Developers service account key. Needs to be valid
      # JSON, not a filesystem path. If empty, fallback to Google default logic:
      # 1. A JSON file whose path is specified by the
      # GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload
      # identity federation, refer to
      # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
      # on how to generate the JSON configuration file for on-prem/non-Google
      # cloud platforms.
      # 2. A JSON file in a location known to the gcloud command-line tool:
      # $HOME/.config/gcloud/application_default_credentials.json.
      # 3. On Google Compute Engine it fetches credentials from the metadata
      # server.
      # CLI flag: -common.storage.gcs.service-account
      [service_account: <string> | default = ""]

    azure:
      # Azure storage account name
      # CLI flag: -common.storage.azure.account-name
      [account_name: <string> | default = ""]

      # Azure storage account key. If unset, Azure managed identities will be
      # used for authentication instead.
      # CLI flag: -common.storage.azure.account-key
      [account_key: <string> | default = ""]

      # If `connection-string` is set, the value of `endpoint-suffix` will not
      # be used. Use this method over `account-key` if you need to authenticate
      # via a SAS token, or if you use the Azurite emulator.
      # CLI flag: -common.storage.azure.connection-string
      [connection_string: <string> | default = ""]

      # Azure storage container name
      # CLI flag: -common.storage.azure.container-name
      [container_name: <string> | default = ""]

      # Azure storage endpoint suffix without schema. The account name will be
      # prefixed to this value to create the FQDN. If set to empty string,
      # default endpoint suffix is used.
      # CLI flag: -common.storage.azure.endpoint-suffix
      [endpoint_suffix: <string> | default = ""]

      # (advanced) Number of retries for recoverable errors
      # CLI flag: -common.storage.azure.max-retries
      [max_retries: <int> | default = 20]

      # (advanced) User assigned managed identity. If empty, then System
      # assigned identity is used.
      # CLI flag: -common.storage.azure.user-assigned-id
      [user_assigned_id: <string> | default = ""]

    swift:
      # OpenStack Swift application credential id
      # CLI flag: -common.storage.swift.application-credential-id
      [application_credential_id: <string> | default = ""]

      # OpenStack Swift application credential name
      # CLI flag: -common.storage.swift.application-credential-name
      [application_credential_name: <string> | default = ""]

      # OpenStack Swift application credential secret
      # CLI flag: -common.storage.swift.application-credential-secret
      [application_credential_secret: <string> | default = ""]

      # OpenStack Swift authentication API version. 0 to autodetect.
      # CLI flag: -common.storage.swift.auth-version
      [auth_version: <int> | default = 0]

      # OpenStack Swift authentication URL
      # CLI flag: -common.storage.swift.auth-url
      [auth_url: <string> | default = ""]

      # OpenStack Swift username.
      # CLI flag: -common.storage.swift.username
      [username: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -common.storage.swift.user-domain-name
      [user_domain_name: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -common.storage.swift.user-domain-id
      [user_domain_id: <string> | default = ""]

      # OpenStack Swift user ID.
      # CLI flag: -common.storage.swift.user-id
      [user_id: <string> | default = ""]

      # OpenStack Swift API key.
      # CLI flag: -common.storage.swift.password
      [password: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -common.storage.swift.domain-id
      [domain_id: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -common.storage.swift.domain-name
      [domain_name: <string> | default = ""]

      # OpenStack Swift project ID (v2,v3 auth only).
      # CLI flag: -common.storage.swift.project-id
      [project_id: <string> | default = ""]

      # OpenStack Swift project name (v2,v3 auth only).
      # CLI flag: -common.storage.swift.project-name
      [project_name: <string> | default = ""]

      # ID of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs from the user domain.
      # CLI flag: -common.storage.swift.project-domain-id
      [project_domain_id: <string> | default = ""]

      # Name of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs from the user domain.
      # CLI flag: -common.storage.swift.project-domain-name
      [project_domain_name: <string> | default = ""]

      # OpenStack Swift Region to use (v2,v3 auth only).
      # CLI flag: -common.storage.swift.region-name
      [region_name: <string> | default = ""]

      # Name of the OpenStack Swift container to put chunks in.
      # CLI flag: -common.storage.swift.container-name
      [container_name: <string> | default = ""]

      # (advanced) Max retries on requests error.
      # CLI flag: -common.storage.swift.max-retries
      [max_retries: <int> | default = 3]

      # (advanced) Time after which a connection attempt is aborted.
      # CLI flag: -common.storage.swift.connect-timeout
      [connect_timeout: <duration> | default = 10s]

      # (advanced) Time after which an idle request is aborted. The timeout
      # watchdog is reset each time some data is received, so the timeout
      # triggers after X time no data is received on a request.
      # CLI flag: -common.storage.swift.request-timeout
      [request_timeout: <duration> | default = 5s]

    filesystem:
      # Local filesystem storage directory.
      # CLI flag: -common.storage.filesystem.dir
      [dir: <string> | default = ""]

# (experimental) Enables optimized marshaling of timeseries.
# CLI flag: -timeseries-unmarshal-caching-optimization-enabled
[timeseries_unmarshal_caching_optimization_enabled: <boolean> | default = true]

# The admin_api configures the admin api.
[admin_api: <admin_api>]

# The admin_client configures how the Admin API service connects to the storage
# backend.
[admin_client: <admin_client>]

# The auth configures the authentication type to use.
[auth: <auth>]

# This target is deprecated, use the `tokengen` target instead. In prior
# versions, `bootstrap` was used to configure the bootstrap target.
[bootstrap: <bootstrap>]

# Unique ID of this GEM cluster. If undefined the name in the license is used.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The datadog configures the datadog compatibility services.
[datadog: <datadog>]

# The federation configures the federation frontend component, which can be used
# to federate querier between multiple Grafana Enterprise Metrics clusters.
[federation: <federation>]

# The gateway_client configures the gateway proxy.
[gateway: <gateway>]

# The graphite configures the graphite compatibility services.
[graphite: <graphite>]

# The instrumentation configures the instrumentation module.
[instrumentation: <instrumentation>]

# The license configures the license validation module.
[license: <license>]

# The tokengen is used to configure the tokengen command.
[tokengen: <tokengen>]

admin_api

The admin_api configures the admin api.

# (advanced) Designated header to parse when searching for the grafana user ID
# of the user accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # (advanced) This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = true]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # (advanced) The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      # The consul configures the consul client.
      # The CLI flags prefix for this block configuration is:
      # admin-api.leader-election.ring
      [consul: <consul>]

      # The etcd configures the etcd client.
      # The CLI flags prefix for this block configuration is:
      # admin-api.leader-election.ring
      [etcd: <etcd>]

      multi:
        # (advanced) Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # (advanced) Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # (advanced) Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # (advanced) Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # (advanced) Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # (advanced) The heartbeat timeout after which admin-api instances are
    # considered unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # (advanced) Period to wait after generating tokens to resolve collisions.
    # Required when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # (advanced) Instance ID to register in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-id
    [instance_id: <string> | default = "<hostname>"]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

    # (advanced) Port to advertise in the ring (defaults to
    # server.grpc-listen-port).
    # CLI flag: -admin-api.leader-election.ring.instance-port
    [instance_port: <int> | default = 0]

    # (advanced) IP address to advertise in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-addr
    [instance_addr: <string> | default = ""]

    # (advanced) Enable using an IPv6 instance address.
    # CLI flag: -admin-api.leader-election.ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

  client_config:
    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 104857600]

    # (advanced) Use compression when sending messages. Supported values are:
    # 'gzip', 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # (advanced) Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # (advanced) Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # (advanced) Enable backoff and retry when we hit rate limits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # (advanced) Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # (advanced) Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # (advanced) Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # (experimental) Initial stream window size. Values less than the default
    # are not supported and are ignored. Setting this to a value other than the
    # default disables the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-stream-window-size
    [initial_stream_window_size: <int> | default = 63KiB1023B]

    # (experimental) Initial connection window size. Values less than the
    # default are not supported and are ignored. Setting this to a value other
    # than the default disables the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-connection-window-size
    [initial_connection_window_size: <int> | default = 63KiB1023B]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -admin-api.leader-election.client.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -admin-api.leader-election.client.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) The maximum amount of time to establish a connection. A value
    # of 0 means default gRPC client connect timeout and backoff.
    # CLI flag: -admin-api.leader-election.client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # (advanced) Initial backoff delay after first connection failure. Only
    # relevant if ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-base-delay
    [connect_backoff_base_delay: <duration> | default = 1s]

    # (advanced) Maximum backoff delay when establishing a connection. Only
    # relevant if ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-max-delay
    [connect_backoff_max_delay: <duration> | default = 5s]

limits:
  # (advanced) Enable API based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # (advanced) Period with which to refresh per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

auditlogging:
  # (experimental) When set to true, audit logging is enabled.
  # CLI flag: -admin-api.auditlogging.enabled
  [enabled: <boolean> | default = false]

  # (advanced) When set to true, audit records will be generated for
  # non-mutating operations, such as GET.
  # CLI flag: -admin-api.auditlogging.non-mutating-enabled
  [non_mutating_enabled: <boolean> | default = false]

  # (advanced) Percentage of the total non-mutating API calls that shall result
  # in an audit record being generated (between 0.0 and 100.0)
  # CLI flag: -admin-api.auditlogging.sample-rate
  [sample_rate: <float> | default = 100]

  # (advanced) Whether to include the request body in the audit log.
  # CLI flag: -admin-api.auditlogging.log-request-body
  [log_request_body: <boolean> | default = true]

  # (advanced) Maximum size in bytes allowed for the body of any request on the
  # admin-api path. Only applies if `log-request-body` is `true`.
  # CLI flag: -admin-api.auditlogging.max-request-body-size-bytes
  [max_request_body_size_bytes: <int> | default = 10MiB]
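
The client TLS flags above, and the same set repeated for each `gateway.proxy.*` backend, depend on each other: the other TLS flags require `tls-enabled`, and `tls-insecure-skip-verify` or a suite from the "Insecure Ciphers" list weakens the connection. The following Python script is an added example, not part of GEM or its documentation; it audits a list of command-line arguments for those conditions, and the sample arguments and file paths in it are constructed.

```python
"""Audit GEM client TLS flags. Added example; sample arguments are constructed."""
from collections import defaultdict

# Names the reference lists under "Insecure Ciphers" and "Secure Ciphers".
INSECURE_CIPHERS = set("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split())
SECURE_CIPHERS = set("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
""".split())
MIN_VERSIONS = ("VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13")
DEPRECATED_VERSIONS = ("VersionTLS10", "VersionTLS11")  # TLS 1.0/1.1, RFC 8996
BOOL_FLAGS = ("tls-enabled", "tls-insecure-skip-verify")
VALUE_FLAGS = ("tls-cert-path", "tls-key-path", "tls-ca-path",
               "tls-server-name", "tls-cipher-suites", "tls-min-version")
TRUE_VALUES = {"1", "t", "T", "true", "TRUE", "True"}  # as Go's ParseBool


def parse_tls_flags(args):
    """Group TLS flags by client prefix, e.g. 'gateway.proxy.alertmanager'."""
    clients = defaultdict(dict)
    i = 0
    while i < len(args):
        name, sep, value = args[i].lstrip("-").partition("=")
        is_flag = args[i].startswith("-")
        i += 1
        prefix, _, suffix = name.rpartition(".")
        if not is_flag or suffix not in BOOL_FLAGS + VALUE_FLAGS:
            continue
        if not sep and suffix in BOOL_FLAGS:
            value = "true"              # a bare boolean flag means true
        elif not sep and i < len(args):
            value = args[i]             # "-flag value" form
            i += 1
        clients[prefix][suffix] = value
    return dict(clients)


def audit_client(prefix, flags):
    """Return the findings for one client's TLS flags."""
    findings = []
    enabled = flags.get("tls-enabled") in TRUE_VALUES
    others = [name for name in VALUE_FLAGS if flags.get(name)]
    if others and not enabled:
        findings.append(f"{prefix}: {', '.join(others)} set but tls-enabled "
                        "is not true, so the connection is insecure")
    if flags.get("tls-insecure-skip-verify") in TRUE_VALUES:
        findings.append(f"{prefix}: server certificate validation is skipped")
    if bool(flags.get("tls-cert-path")) != bool(flags.get("tls-key-path")):
        findings.append(f"{prefix}: tls-cert-path and tls-key-path must both be set")
    version = flags.get("tls-min-version", "")
    if version in DEPRECATED_VERSIONS:
        findings.append(f"{prefix}: tls-min-version {version} allows a deprecated protocol")
    elif version and version not in MIN_VERSIONS:
        findings.append(f"{prefix}: tls-min-version {version} is not an allowed value")
    for suite in flags.get("tls-cipher-suites", "").split(","):
        suite = suite.strip()
        if suite in INSECURE_CIPHERS:
            findings.append(f"{prefix}: insecure cipher suite {suite}")
        elif suite and suite not in SECURE_CIPHERS:
            findings.append(f"{prefix}: unknown cipher suite {suite}")
    return findings


def audit(args):
    """Audit every client prefix found in a list of command-line arguments."""
    clients = parse_tls_flags(args)
    return [f for prefix in sorted(clients) for f in audit_client(prefix, clients[prefix])]


# Constructed sample: arguments as they might appear in a deployment manifest.
SAMPLE_ARGS = [
    "-gateway.proxy.admin-api.tls-cert-path=/etc/gem/client.crt",
    "-gateway.proxy.admin-api.tls-key-path=/etc/gem/client.key",
    "-gateway.proxy.alertmanager.tls-enabled",
    "-gateway.proxy.alertmanager.tls-insecure-skip-verify=true",
    "-admin-api.leader-election.client.tls-enabled=true",
    "-admin-api.leader-election.client.tls-min-version", "VersionTLS10",
    "-admin-api.leader-election.client.tls-cipher-suites="
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ARGS)))
```

The script reads CLI flags only; settings made in the YAML file need the same checks applied to the corresponding keys.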

gateway

The gateway_client configures the gateway proxy.

proxy:
  default:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.default.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.default.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.default.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.default.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.default.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.default.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.default.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

  admin_api:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.admin-api.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.admin-api.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.admin-api.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.admin-api.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.admin-api.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.admin-api.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.admin-api.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.admin-api.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.admin-api.export-timeout
    [export_timeout: <duration> | default = 10m]

  alertmanager:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.alertmanager.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.alertmanager.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.alertmanager.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.alertmanager.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.alertmanager.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.alertmanager.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.alertmanager.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.alertmanager.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.alertmanager.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.alertmanager.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.alertmanager.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.alertmanager.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.alertmanager.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.alertmanager.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.alertmanager.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.alertmanager.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.alertmanager.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.alertmanager.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.alertmanager.export-timeout
    [export_timeout: <duration> | default = 10m]

  compactor:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, an insecure connection to
    # the gRPC server will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.compactor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.compactor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.compactor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.compactor.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.compactor.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.compactor.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.compactor.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.compactor.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.compactor.export-timeout
    [export_timeout: <duration> | default = 10m]

  distributor:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, an insecure connection to
    # the gRPC server will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.distributor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.distributor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.distributor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.distributor.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.distributor.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.distributor.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.distributor.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.distributor.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.distributor.export-timeout
    [export_timeout: <duration> | default = 10m]

  graphite_querier:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.graphite-querier.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.graphite-querier.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, an insecure connection to
    # the gRPC server will be used.
    # CLI flag: -gateway.proxy.graphite-querier.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.graphite-querier.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.graphite-querier.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.graphite-querier.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.graphite-querier.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.graphite-querier.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.graphite-querier.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.graphite-querier.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.graphite-querier.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.graphite-querier.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.graphite-querier.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.graphite-querier.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.graphite-querier.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-querier.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-querier.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-querier.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-querier.export-timeout
    [export_timeout: <duration> | default = 10m]

  graphite_write_proxy:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.graphite-write-proxy.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.graphite-write-proxy.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, an insecure connection to
    # the gRPC server will be used.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.graphite-write-proxy.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.graphite-write-proxy.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.graphite-write-proxy.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.graphite-write-proxy.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.graphite-write-proxy.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.graphite-write-proxy.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-write-proxy.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-write-proxy.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-write-proxy.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.graphite-write-proxy.export-timeout
    [export_timeout: <duration> | default = 10m]

  datadog_read_proxy:
    # (experimental) URL for the backend. Use the scheme dns:// for HTTP over
    # gRPC and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.datadog-read-proxy.url
    [url: <string> | default = ""]

    # (experimental) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.datadog-read-proxy.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (experimental) Enable TLS in the gRPC client. This flag needs to be
    # enabled when any other TLS flag is set. If set to false, an insecure
    # connection to the gRPC server will be used.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.datadog-read-proxy.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (experimental) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (experimental) Path to the key for the client certificate. Also requires
    # the client certificate to be configured.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (experimental) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (experimental) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (experimental) Skip validating server certificate.
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.datadog-read-proxy.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.datadog-read-proxy.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.datadog-read-proxy.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.datadog-read-proxy.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.datadog-read-proxy.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (experimental) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-read-proxy.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (experimental) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-read-proxy.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-read-proxy.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-read-proxy.export-timeout
    [export_timeout: <duration> | default = 10m]

  datadog_write_proxy:
    # (experimental) URL for the backend. Use the scheme dns:// for HTTP over
    # gRPC and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.datadog-write-proxy.url
    [url: <string> | default = ""]

    # (experimental) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.datadog-write-proxy.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (experimental) Enable TLS in the gRPC client. This flag needs to be
    # enabled when any other TLS flag is set. If set to false, an insecure
    # connection to the gRPC server will be used.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over gRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP,
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.datadog-write-proxy.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (experimental) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (experimental) Path to the key for the client certificate. Also requires
    # the client certificate to be configured.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (experimental) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (experimental) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (experimental) Skip validating server certificate.
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.datadog-write-proxy.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.datadog-write-proxy.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.datadog-write-proxy.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.datadog-write-proxy.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.datadog-write-proxy.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (experimental) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-write-proxy.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (experimental) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-write-proxy.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-write-proxy.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.datadog-write-proxy.export-timeout
    [export_timeout: <duration> | default = 10m]

  ingester:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the GRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over GRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ingester.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.ingester.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ingester.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.ingester.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.ingester.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.ingester.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.ingester.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ingester.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ingester.export-timeout
    [export_timeout: <duration> | default = 10m]

  query_frontend:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the GRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over GRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.query-frontend.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-frontend.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.query-frontend.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.query-frontend.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.query-frontend.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.query-frontend.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.query-frontend.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.query-frontend.export-timeout
    [export_timeout: <duration> | default = 10m]

  ruler:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the GRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over GRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ruler.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.ruler.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ruler.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.ruler.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.ruler.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.ruler.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.ruler.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ruler.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.ruler.export-timeout
    [export_timeout: <duration> | default = 10m]

  store_gateway:
    # (advanced) URL for the backend. Use the scheme dns:// for HTTP over gRPC
    # and the scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.store-gateway.url
    [url: <string> | default = ""]

    # (advanced) Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.store-gateway.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # (advanced) Enable TLS in the GRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -gateway.proxy.store-gateway.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Timeout when dialing backend. For proxying over GRPC, this will
    # be used only during the initial dial at startup. For proxying over HTTP
    # this is the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.store-gateway.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -gateway.proxy.store-gateway.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -gateway.proxy.store-gateway.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.store-gateway.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.store-gateway.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -gateway.proxy.store-gateway.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -gateway.proxy.store-gateway.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.store-gateway.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) gRPC load balancing policy. Supported values: round_robin,
    # bounded_load.
    # CLI flag: -gateway.proxy.store-gateway.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # (advanced) When the gRPC load balancing policy is set to "bounded_load",
    # the balancer will attempt to not send to each backend a number of inflight
    # requests higher than the average inflight requests across all backends
    # multiplied by the overloaded factor.
    # CLI flag: -gateway.proxy.store-gateway.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.store-gateway.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.store-gateway.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # (advanced) Timeout for write requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.store-gateway.write-timeout
    [write_timeout: <duration> | default = 30s]

    # (advanced) Timeout for read requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.store-gateway.read-timeout
    [read_timeout: <duration> | default = 2m]

    # (advanced) Timeout for import requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.store-gateway.import-timeout
    [import_timeout: <duration> | default = 30m]

    # (advanced) Timeout for export requests to the backend, set to <=0 to
    # disable.
    # CLI flag: -gateway.proxy.store-gateway.export-timeout
    [export_timeout: <duration> | default = 10m]

auth

The auth block configures the authentication type to use.

# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "enterprise"]

# (advanced) requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

# (advanced) requires admin level auth for the /debug endpoints.
# CLI flag: -auth.required-for-debug
[required_for_debug: <boolean> | default = true]

override:
  # (advanced) Override admin token. If set, this string will always be accepted
  # as a token with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # (advanced) If set, this file will be read at startup and the string from
  # that file will be used as an admin-scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # when set, the name of the used access policy will be passed to the backend
  # service as a header.
  # CLI flag: -auth.pass-access-policy-name
  [pass_access_policy_name: <boolean> | default = false]

  # when set, the name of the used token will be passed to the backend service
  # as a header.
  # CLI flag: -auth.pass-token-name
  [pass_token_name: <boolean> | default = false]

  # (advanced) how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  cache_refresh:
    # (experimental) Whether asynchronous background refreshes are enabled.
    # CLI flag: -auth.cache.refresh.enabled
    [enabled: <boolean> | default = false]

    # (experimental) Number of workers for background asynchronous refresh.
    # CLI flag: -auth.cache.refresh.concurrency
    [concurrency: <int> | default = 2]

    # (experimental) Maximum number of pending background refreshes.
    # CLI flag: -auth.cache.refresh.buffer
    [buffer: <int> | default = 256]

    # (experimental) Remaining time to live of an item when background refreshes
    # may begin to occur.
    # CLI flag: -auth.cache.refresh.refresh-ttl
    [refresh_ttl: <duration> | default = 3m]

    # (experimental) Minimum time distance between retries if a refresh attempt
    # fails, 0 means that every subsequent get operation will result in a
    # retry.
    # CLI flag: -auth.cache.refresh.retry-interval
    [retry_interval: <duration> | default = 30s]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # (advanced) regex to extract the access policy from the JWT token. The
    # first submatch of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # (advanced) name of the access policy to use when the token doesn't contain
    # an access policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # (advanced) enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]
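
The gateway proxy TLS options and the auth options above can be checked before deployment. The following is an added example, not Grafana's code: a small auditor that reads component command-line flags and reports the settings this reference marks as insecure or inconsistent. It assumes flags are passed as `-name=value` (or a bare `-name` for booleans); the function names and both sample argument lists are constructed for illustration.

```python
import re

# Suite names copied from the "Secure Ciphers" / "Insecure Ciphers" lists above.
SECURE_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
INSECURE_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# Per-backend TLS options that only take effect when <prefix>.tls-enabled is true.
TLS_LEAVES = {"tls-cert-path", "tls-key-path", "tls-ca-path", "tls-server-name",
              "tls-insecure-skip-verify", "tls-cipher-suites", "tls-min-version"}
FLAG_RE = re.compile(r"--?([A-Za-z0-9][A-Za-z0-9._-]*)(?:=(.*))?", re.S)


def is_true(value):
    """Boolean spellings accepted by Go's flag parsing."""
    return value in {"1", "t", "T", "true", "TRUE", "True"}


def parse_flags(argv):
    """Map flag name -> value; a bare -name counts as boolean true."""
    flags = {}
    for arg in argv:
        m = FLAG_RE.fullmatch(arg)
        if m:
            flags[m.group(1)] = "true" if m.group(2) is None else m.group(2)
    return flags


def audit(argv):
    """Return a list of (flag, finding) tuples for risky or inconsistent settings."""
    flags, findings, tls_prefixes = parse_flags(argv), [], set()
    for name, value in flags.items():
        prefix, _, leaf = name.rpartition(".")
        skip_verify = leaf.endswith("insecure-skip-verify")
        if leaf in TLS_LEAVES and value and (not skip_verify or is_true(value)):
            tls_prefixes.add(prefix)
        if skip_verify and is_true(value):
            findings.append((name, "server certificate is not validated"))
        elif leaf == "tls-min-version" and value in ("VersionTLS10", "VersionTLS11"):
            findings.append((name, f"{value} is below TLS 1.2"))
        elif leaf == "tls-cipher-suites":
            for suite in filter(None, (s.strip() for s in value.split(","))):
                if suite in INSECURE_CIPHERS:
                    findings.append((name, f"{suite} is on the insecure list"))
                elif suite not in SECURE_CIPHERS:
                    findings.append((name, f"{suite} is not an allowed value"))
    # The reference requires tls-enabled whenever any other TLS flag is set.
    for prefix in sorted(tls_prefixes):
        if not is_true(flags.get(prefix + ".tls-enabled", "false")):
            findings.append((prefix + ".tls-enabled",
                             "TLS options are set but tls-enabled is not true"))
    if flags.get("auth.override.token"):
        findings.append(("auth.override.token",
                         "admin token on the command line; use auth.override.token-file"))
    if "auth.required-for-debug" in flags and not is_true(flags["auth.required-for-debug"]):
        findings.append(("auth.required-for-debug",
                         "/debug endpoints no longer require admin auth"))
    if flags.get("auth.type") == "trust":
        findings.append(("auth.type", "non-default auth type; confirm it is intended"))
    return findings


# Constructed sample arguments (hostnames, paths and token are placeholders).
SAMPLE_ARGV = [
    "-config.file=/etc/gem/gem.yaml",
    "-gateway.proxy.ingester.url=dns:///ingester.example.internal:9095",
    "-gateway.proxy.ingester.tls-ca-path=/etc/gem/ca.pem",
    "-gateway.proxy.ingester.tls-min-version=VersionTLS10",
    "-gateway.proxy.ruler.tls-enabled=true",
    "-gateway.proxy.ruler.tls-insecure-skip-verify",
    "-gateway.proxy.ruler.tls-cipher-suites="
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "-auth.override.token=CONSTRUCTED-PLACEHOLDER",
    "-auth.required-for-debug=false",
]
HARDENED_ARGV = [
    "-gateway.proxy.ingester.tls-enabled=true",
    "-gateway.proxy.ingester.tls-ca-path=/etc/gem/ca.pem",
    "-gateway.proxy.ingester.tls-min-version=VersionTLS12",
    "-gateway.proxy.ingester.tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "-auth.override.token-file=/run/secrets/gem-admin-token",
]

if __name__ == "__main__":
    for flag, finding in audit(SAMPLE_ARGV):
        print(f"{flag}: {finding}")
```

The same checks apply to values set in the YAML file, since each key maps to the CLI flag shown beside it and CLI flags take precedence when both are present.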

admin_client

The admin_client block configures how the Admin API service connects to the storage backend.

storage:
  # (advanced) Enable caching on the versioned client.
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  cache:
    # Cache backend type. Supported values are: memcached, redis, inmemory.
    # CLI flag: -admin.client.cache.backend
    [backend: <string> | default = "inmemory"]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is: admin.client.cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is: admin.client.cache
    [redis: <redis>]

    # (advanced) How long an item should be cached before being evicted. Only
    # available for remote cache types (memcached, redis), for inmemory it is
    # capped at 1 minute.
    # CLI flag: -admin.client.cache.expiration
    [expiration: <duration> | default = 24h]

    # (advanced) How frequently to reload tokens from storage to keep the cache
    # warm. Default disabled.
    # CLI flag: -admin.client.cache.refresh-interval
    [refresh_interval: <duration> | default = 0s]

  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem.
  # CLI flag: -admin.client.backend
  [backend: <string> | default = "filesystem"]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue an S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # S3 session token
    # CLI flag: -admin.client.s3.session-token
    [session_token: <string> | default = ""]

    # (advanced) If enabled, use http:// for the S3 endpoint instead of
    # https://. This could be useful in local dev/test environments while using
    # an S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # (advanced) The signature version to use for authenticating against S3.
    # Supported values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    # (advanced) Use a specific version of the S3 list object API. Supported
    # values are v1 or v2. Default is unset.
    # CLI flag: -admin.client.s3.list-objects-version
    [list_objects_version: <string> | default = ""]

    # (advanced) Bucket lookup style type, used to access bucket in
    # S3-compatible service. Default is auto. Supported values are: auto, path,
    # virtual-hosted.
    # CLI flag: -admin.client.s3.bucket-lookup-type
    [bucket_lookup_type: <string> | default = "auto"]

    # (experimental) When enabled, direct all AWS S3 requests to the dual-stack
    # IPv4/IPv6 endpoint for the configured region.
    # CLI flag: -admin.client.s3.dualstack-enabled
    [dualstack_enabled: <boolean> | default = true]

    # (experimental) The S3 storage class to use, not set by default. Details
    # can be found at https://aws.amazon.com/s3/storage-classes/. Supported
    # values are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA,
    # ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
    # CLI flag: -admin.client.s3.storage-class
    [storage_class: <string> | default = ""]

    # (experimental) If enabled, it will use the default authentication methods
    # of the AWS SDK for Go based on known environment variables and known AWS
    # config files.
    # CLI flag: -admin.client.s3.native-aws-auth-enabled
    [native_aws_auth_enabled: <boolean> | default = false]

    # (experimental) The minimum file size in bytes used for multipart uploads.
    # If 0, the value is optimally computed for each object.
    # CLI flag: -admin.client.s3.part-size
    [part_size: <int> | default = 0]

    # (experimental) If enabled, a Content-MD5 header is sent with S3 Put Object
    # requests. Consumes more resources to compute the MD5, but may improve
    # compatibility with object storage services that do not support checksums.
    # CLI flag: -admin.client.s3.send-content-md5
    [send_content_md5: <boolean> | default = false]

    # Accessing S3 resources using temporary, secure credentials provided by AWS
    # Security Token Service.
    # CLI flag: -admin.client.s3.sts-endpoint
    [sts_endpoint: <string> | default = ""]

    # The s3_sse configures the S3 server-side encryption.
    # The CLI flags prefix for this block configuration is: admin.client
    [sse: <s3_sse>]

    http:
      # (advanced) The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # (advanced) The amount of time the client will wait for a server's
      # response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # (advanced) If the client connects to S3 via HTTPS and this option is
      # enabled, the client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # (advanced) The time to wait for a server's first response headers after
      # fully writing the request headers if the request has an Expect header. 0
      # to send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # (advanced) Maximum number of idle (keep-alive) connections across all
      # hosts. 0 means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # (advanced) Maximum number of idle (keep-alive) connections to keep
      # per-host. If 0, a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # (advanced) Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

      # (advanced) Path to the CA certificates to validate server certificate
      # against. If not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.s3.http.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # (advanced) Path to the client certificate, which will be used for
      # authenticating with the server. Also requires the key path to be
      # configured.
      # CLI flag: -admin.client.s3.http.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # (advanced) Path to the key for the client certificate. Also requires the
      # client certificate to be configured.
      # CLI flag: -admin.client.s3.http.tls-key-path
      [tls_key_path: <string> | default = ""]

      # (advanced) Override the expected name on the server certificate.
      # CLI flag: -admin.client.s3.http.tls-server-name
      [tls_server_name: <string> | default = ""]

    trace:
      # (advanced) When enabled, low-level S3 HTTP operation information is
      # logged at the debug level.
      # CLI flag: -admin.client.s3.trace.enabled
      [enabled: <boolean> | default = false]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON either from a Google Developers Console client_credentials.json file,
    # or a Google Developers service account key. Needs to be valid JSON, not a
    # filesystem path. If empty, fallback to Google default logic:
    # 1. A JSON file whose path is specified by the
    # GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity
    # federation, refer to
    # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
    # on how to generate the JSON configuration file for on-prem/non-Google
    # cloud platforms.
    # 2. A JSON file in a location known to the gcloud command-line tool:
    # $HOME/.config/gcloud/application_default_credentials.json.
    # 3. On Google Compute Engine it fetches credentials from the metadata
    # server.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key. If unset, Azure managed identities will be used
    # for authentication instead.
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # If `connection-string` is set, the value of `endpoint-suffix` will not be
    # used. Use this method over `account-key` if you need to authenticate via a
    # SAS token or if you use the Azurite emulator.
    # CLI flag: -admin.client.azure.connection-string
    [connection_string: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = ""]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN. If set to empty string, default
    # endpoint suffix is used.
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # (advanced) Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

    # (advanced) User assigned managed identity. If empty, then System assigned
    # identity is used.
    # CLI flag: -admin.client.azure.user-assigned-id
    [user_assigned_id: <string> | default = ""]

  swift:
    # OpenStack Swift application credential id
    # CLI flag: -admin.client.swift.application-credential-id
    [application_credential_id: <string> | default = ""]

    # OpenStack Swift application credential name
    # CLI flag: -admin.client.swift.application-credential-name
    [application_credential_name: <string> | default = ""]

    # OpenStack Swift application credential secret
    # CLI flag: -admin.client.swift.application-credential-secret
    [application_credential_secret: <string> | default = ""]

    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -admin.client.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -admin.client.swift.auth-url
    [auth_url: <string> | default = ""]

    # OpenStack Swift username.
    # CLI flag: -admin.client.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -admin.client.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -admin.client.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -admin.client.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -admin.client.swift.container-name
    [container_name: <string> | default = ""]

    # (advanced) Max retries on requests error.
    # CLI flag: -admin.client.swift.max-retries
    [max_retries: <int> | default = 3]

    # (advanced) Time after which a connection attempt is aborted.
    # CLI flag: -admin.client.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # (advanced) Time after which an idle request is aborted. The timeout
    # watchdog is reset each time some data is received, so the timeout triggers
    # once no data has been received on a request for this long.
    # CLI flag: -admin.client.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

  filesystem:
    # Local filesystem storage directory.
    # CLI flag: -admin.client.filesystem.dir
    [dir: <string> | default = ""]

  # Prefix for all objects stored in the backend storage. For simplicity, it may
  # only contain digits and English alphabet letters.
  # CLI flag: -admin.client.storage-prefix
  [storage_prefix: <string> | default = ""]

  # Set a backend to use, (gcs, s3, azure). Deprecated, please use
  # '-admin.client.backend' instead.
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

# (advanced) If set to true, the built-in __admin__ access policy will not be
# active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]
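
The auditor below is an added example, not part of this reference or of GEM's own code. It scans a config fragment for the transport and credential settings documented above: insecure, insecure_skip_verify, signature_version, an unpaired tls_cert_path or tls_key_path, and credentials written as literals instead of ${VAR} references. The sample fragment, its hostname and its paths are constructed, parent keys are omitted, and the minimal parser is an assumption that handles only nested key: value lines.

```python
import re

# Keys from the reference above whose values are credentials.
SECRET_KEYS = {
    "secret_access_key", "session_token", "account_key", "connection_string",
    "service_account", "application_credential_secret", "password",
}
# A bare ${VAR} reference, expanded at startup when -config.expand-env is set.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
LINE = re.compile(r"^( *)([A-Za-z0-9_]+):\s*(.*)$")
TLS_PAIR = {"tls_cert_path": "tls_key_path", "tls_key_path": "tls_cert_path"}

# Constructed sample: only the backend sub-blocks, with made-up values.
SAMPLE = """\
s3:
  endpoint: minio.example.internal:9000
  access_key_id: ${S3_ACCESS_KEY_ID}
  secret_access_key: constructed-inline-secret
  insecure: true
  signature_version: v4
  http:
    insecure_skip_verify: true
    tls_cert_path: /etc/gem/client.crt
azure:
  account_key: ${AZURE_ACCOUNT_KEY}
swift:
  password: ""
"""


def parse_flat(text):
    """Map dotted paths to scalar values for nested 'key: value' YAML.

    Assumption: no lists, anchors, multi-line scalars or inline comments.
    """
    stack, out = [], {}
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:  # blank lines, comment lines, anything unsupported
            continue
        indent, key = len(match.group(1)), match.group(2)
        value = match.group(3).strip()
        # Drop keys at the same or deeper indentation: they are not ancestors.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value:
            out[".".join(k for _, k in stack)] = value.strip("'\"")
    return out


def audit(text):
    """Return sorted (path, reason) findings for risky settings."""
    cfg = parse_flat(text)
    findings = []
    for path, value in cfg.items():
        parent, _, key = path.rpartition(".")
        if key == "insecure" and value.lower() == "true":
            findings.append((path, "S3 endpoint is reached over http://"))
        elif key == "insecure_skip_verify" and value.lower() == "true":
            findings.append((path, "any certificate and hostname is accepted"))
        elif key == "signature_version" and value == "v2":
            findings.append((path, "v2 signing selected instead of default v4"))
        elif key in SECRET_KEYS and value and not ENV_REF.match(value):
            findings.append((path, "credential is a literal, not a ${VAR} reference"))
        elif key in TLS_PAIR and value:
            other = TLS_PAIR[key]
            sibling = f"{parent}.{other}" if parent else other
            if not cfg.get(sibling):
                findings.append((path, f"{other} must be configured as well"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

Comment lines and the bracketed `[key: <type> | default = ...]` placeholders of this reference are skipped by the parser, so only concrete settings are evaluated.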

datadog

The datadog block configures the Datadog compatibility services.

read_api:
  timeouts:
    v1:
      # (experimental) Sets api/v1/query timeout, by default 30 seconds
      # CLI flag: -datadog.api.v1-query-timeout
      [query: <duration> | default = 30s]

      # (experimental) Sets api/v1/metrics timeout, by default 5 seconds
      # CLI flag: -datadog.api.v1-metrics-timeout
      [metrics: <duration> | default = 5s]

      # (experimental) Sets api/v1/hosts timeout, by default 5 seconds
      # CLI flag: -datadog.api.v1-hosts-timeout
      [hosts: <duration> | default = 5s]

      # (experimental) Sets api/v1/tag_keys timeout, by default 5 seconds
      # CLI flag: -datadog.api.v1-tag-keys-timeout
      [tag_keys: <duration> | default = 5s]

      # (experimental) Sets api/v1/tags timeout, by default 10 seconds
      # CLI flag: -datadog.api.v1-tags-timeout
      [tags: <duration> | default = 10s]

    v2:
      # (experimental) Sets api/v1/metrics/{metric}/all-tags timeout, by default
      # 5 seconds
      # CLI flag: -datadog.api.v2-metrics-all-tags-timeout
      [metrics_all_tags: <duration> | default = 5s]

write_api:
  timeouts:
    v1:
      # (experimental) Sets api/v1/series timeout, by default 5 seconds
      # CLI flag: -datadog.api.v1-series-timeout
      [series: <duration> | default = 5s]

      # (experimental) Sets api/v1/check_run timeout, by default 5 seconds
      # CLI flag: -datadog.api.v1-check-run-timeout
      [check_run: <duration> | default = 5s]

      # (experimental) Sets api/v1/sketches and api/beta/sketches timeout, by
      # default 5 seconds
      # CLI flag: -datadog.api.v1-sketches-timeout
      [sketches: <duration> | default = 5s]

    # (experimental) Sets /intake timeout, by default 5 seconds
    # CLI flag: -datadog.api.intake-timeout
    [intake: <duration> | default = 5s]

  # (experimental) How many goroutines to use when processing some large
  # requests. If set to zero, never applies parallelism
  # CLI flag: -datadog.write-process-concurrency
  [process_concurrency: <int> | default = 0]

  # (experimental) Number of series per request above which parallelism is used.
  # CLI flag: -datadog.write-process-concurrency-threshold
  [process_concurrency_threshold: <int> | default = 100]

remote_read:
  # (experimental) URL for queries from upstream Prometheus API.
  # CLI flag: -datadog.query-endpoint
  [endpoint: <string> | default = ""]

  # (experimental) Timeout for queries to upstream Prometheus API.
  # CLI flag: -datadog.query-timeout
  [timeout: <duration> | default = 1m]

  # (experimental) KeepAlive for queries to upstream Prometheus API.
  # CLI flag: -datadog.query-keep-alive
  [keep_alive: <duration> | default = 30s]

  # (experimental) Max idle conns for queries to upstream Prometheus API.
  # CLI flag: -datadog.query-max-idle-conns
  [max_idle_conns: <int> | default = 10]

  # (experimental) Max conns per host for queries to upstream Prometheus API.
  # CLI flag: -datadog.query-max-conns
  [max_conns: <int> | default = 100]

remote_write:
  # (experimental) URL for writes to upstream Prometheus remote write API
  # (including the /push suffix if needed).
  # CLI flag: -datadog.write-endpoint
  [endpoint: <string> | default = ""]

  # (experimental) Timeout for writes to upstream Prometheus remote write API.
  # CLI flag: -datadog.write-timeout
  [timeout: <duration> | default = 1s]

  # (experimental) KeepAlive for write to upstream Prometheus remote write API.
  # CLI flag: -datadog.write-keep-alive
  [keep_alive: <duration> | default = 30s]

  # (experimental) Max idle conns per host for writes to upstream Prometheus
  # remote write API.
  # CLI flag: -datadog.write-max-idle-conns
  [max_idle_conns: <int> | default = 10]

  # (experimental) Max open conns per host for writes to upstream Prometheus
  # remote write API.
  # CLI flag: -datadog.write-max-conns
  [max_conns: <int> | default = 100]

  # (experimental) If set to true, sends requests with headers to skip label
  # validation.
  # CLI flag: -datadog.skip-label-validation
  [skip_label_validation: <boolean> | default = false]

memcached_client:
  # (experimental) Hostname for memcached service to use. If empty and if
  # addresses is unset, no memcached will be used.
  # CLI flag: -datadog.memcached.hostname
  [host: <string> | default = ""]

  # (experimental) SRV service used to discover memcache servers.
  # CLI flag: -datadog.memcached.service
  [service: <string> | default = "memcached"]

  # (experimental) Comma separated addresses list in DNS Service Discovery
  # format:
  # https://grafana.com/docs/mimir/latest/operators-guide/configuring/about-dns-service-discovery/
  # CLI flag: -datadog.memcached.addresses
  [addresses: <string> | default = ""]

  # (experimental) Maximum time to wait before giving up on memcached requests.
  # CLI flag: -datadog.memcached.timeout
  [timeout: <duration> | default = 100ms]

  # (experimental) Maximum number of idle connections in pool.
  # CLI flag: -datadog.memcached.max-idle-conns
  [max_idle_conns: <int> | default = 16]

  # (experimental) The maximum size of an item stored in memcached. Bigger items
  # are not stored. If set to 0, no maximum size is enforced.
  # CLI flag: -datadog.memcached.max-item-size
  [max_item_size: <int> | default = 0]

  # (experimental) Period with which to poll DNS for memcache servers.
  # CLI flag: -datadog.memcached.update-interval
  [update_interval: <duration> | default = 1m]

  # (experimental) Use consistent hashing to distribute to memcache servers.
  # CLI flag: -datadog.memcached.consistent-hash
  [consistent_hash: <boolean> | default = true]

  # (experimental) Trip circuit-breaker after this number of consecutive dial
  # failures (if zero then circuit-breaker is disabled).
  # CLI flag: -datadog.memcached.circuit-breaker-consecutive-failures
  [circuit_breaker_consecutive_failures: <int> | default = 10]

  # (experimental) Duration circuit-breaker remains open after tripping (if zero
  # then 60 seconds is used).
  # CLI flag: -datadog.memcached.circuit-breaker-timeout
  [circuit_breaker_timeout: <duration> | default = 10s]

  # (experimental) Reset circuit-breaker counts after this long (if zero then
  # never reset).
  # CLI flag: -datadog.memcached.circuit-breaker-interval
  [circuit_breaker_interval: <duration> | default = 10s]

host_tags:
  # (experimental) Expiration for cached values. Zero means no expiration.
  # Seconds precision will be used. Should be less than one month.
  # CLI flag: -datadog.ht-cache-expiration
  [expiration: <duration> | default = 10m]

  # (experimental) RetryDelay to retry cache invalidation if update fails after
  # storing. Zero means disabled. Arbitrary precision.
  # CLI flag: -datadog.ht-cache-invalidation-retry-delay
  [cache_invalidation_retry_delay: <duration> | default = 1m]

graphite

The graphite block configures the Graphite compatibility services.

# Whether the Graphite APIs are enabled.
# CLI flag: -graphite.enabled
[enabled: <boolean> | default = true]

querier:
  schemas:
    # (advanced) Defines for how long schemas shall be cached.
    # CLI flag: -graphite.querier.schemas.schema-ttl
    [schema_ttl: <duration> | default = 10s]

    # (advanced) Path to default storage-schemas.conf file.
    # CLI flag: -graphite.querier.schemas.default-storage-schemas-file
    [default_storage_schemas_file: <string> | default = "/etc/cortextank/storage-schemas.conf"]

    # (advanced) Path to default storage-aggregation.conf file.
    # CLI flag: -graphite.querier.schemas.default-storage-aggregations-file
    [default_storage_aggregations_file: <string> | default = "/etc/cortextank/storage-aggregation.conf"]

    # (advanced) Whether support for object store backed user overrides should
    # be enabled.
    # CLI flag: -graphite.querier.schemas.enable-user-overrides
    [enable_user_overrides: <boolean> | default = false]

    # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
    # filesystem.
    # CLI flag: -graphite.querier.schemas.backend
    [backend: <string> | default = "filesystem"]

    s3:
      # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
      # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of
      # an S3-compatible service in hostname:port format.
      # CLI flag: -graphite.querier.schemas.s3.endpoint
      [endpoint: <string> | default = ""]

      # S3 region. If unset, the client will issue a S3 GetBucketLocation API
      # call to autodetect it.
      # CLI flag: -graphite.querier.schemas.s3.region
      [region: <string> | default = ""]

      # S3 bucket name
      # CLI flag: -graphite.querier.schemas.s3.bucket-name
      [bucket_name: <string> | default = ""]

      # S3 secret access key
      # CLI flag: -graphite.querier.schemas.s3.secret-access-key
      [secret_access_key: <string> | default = ""]

      # S3 access key ID
      # CLI flag: -graphite.querier.schemas.s3.access-key-id
      [access_key_id: <string> | default = ""]

      # S3 session token
      # CLI flag: -graphite.querier.schemas.s3.session-token
      [session_token: <string> | default = ""]

      # (advanced) If enabled, use http:// for the S3 endpoint instead of
      # https://. This could be useful in local dev/test environments while
      # using an S3-compatible backend storage, like Minio.
      # CLI flag: -graphite.querier.schemas.s3.insecure
      [insecure: <boolean> | default = false]

      # (advanced) The signature version to use for authenticating against S3.
      # Supported values are: v4, v2.
      # CLI flag: -graphite.querier.schemas.s3.signature-version
      [signature_version: <string> | default = "v4"]

      # (advanced) Use a specific version of the S3 list object API. Supported
      # values are v1 or v2. Default is unset.
      # CLI flag: -graphite.querier.schemas.s3.list-objects-version
      [list_objects_version: <string> | default = ""]

      # (advanced) Bucket lookup style type, used to access bucket in
      # S3-compatible service. Default is auto. Supported values are: auto,
      # path, virtual-hosted.
      # CLI flag: -graphite.querier.schemas.s3.bucket-lookup-type
      [bucket_lookup_type: <string> | default = "auto"]

      # (experimental) When enabled, direct all AWS S3 requests to the
      # dual-stack IPv4/IPv6 endpoint for the configured region.
      # CLI flag: -graphite.querier.schemas.s3.dualstack-enabled
      [dualstack_enabled: <boolean> | default = true]

      # (experimental) The S3 storage class to use, not set by default. Details
      # can be found at https://aws.amazon.com/s3/storage-classes/. Supported
      # values are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA,
      # ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
      # CLI flag: -graphite.querier.schemas.s3.storage-class
      [storage_class: <string> | default = ""]

      # (experimental) If enabled, it will use the default authentication
      # methods of the AWS SDK for Go based on known environment variables and
      # known AWS config files.
      # CLI flag: -graphite.querier.schemas.s3.native-aws-auth-enabled
      [native_aws_auth_enabled: <boolean> | default = false]

      # (experimental) The minimum file size in bytes used for multipart
      # uploads. If 0, the value is optimally computed for each object.
      # CLI flag: -graphite.querier.schemas.s3.part-size
      [part_size: <int> | default = 0]

      # (experimental) If enabled, a Content-MD5 header is sent with S3 Put
      # Object requests. Consumes more resources to compute the MD5, but may
      # improve compatibility with object storage services that do not support
      # checksums.
      # CLI flag: -graphite.querier.schemas.s3.send-content-md5
      [send_content_md5: <boolean> | default = false]

      # Accessing S3 resources using temporary, secure credentials provided by
      # AWS Security Token Service.
      # CLI flag: -graphite.querier.schemas.s3.sts-endpoint
      [sts_endpoint: <string> | default = ""]

      # The s3_sse configures the S3 server-side encryption.
      # The CLI flags prefix for this block configuration is:
      # graphite.querier.schemas
      [sse: <s3_sse>]

      http:
        # (advanced) The time an idle connection will remain idle before
        # closing.
        # CLI flag: -graphite.querier.schemas.s3.http.idle-conn-timeout
        [idle_conn_timeout: <duration> | default = 1m30s]

        # (advanced) The amount of time the client will wait for a server's
        # response headers.
        # CLI flag: -graphite.querier.schemas.s3.http.response-header-timeout
        [response_header_timeout: <duration> | default = 2m]

        # (advanced) If the client connects to S3 via HTTPS and this option is
        # enabled, the client will accept any certificate and hostname.
        # CLI flag: -graphite.querier.schemas.s3.http.insecure-skip-verify
        [insecure_skip_verify: <boolean> | default = false]

        # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
        # CLI flag: -graphite.querier.schemas.s3.tls-handshake-timeout
        [tls_handshake_timeout: <duration> | default = 10s]

        # (advanced) The time to wait for a server's first response headers
        # after fully writing the request headers if the request has an Expect
        # header. 0 to send the request body immediately.
        # CLI flag: -graphite.querier.schemas.s3.expect-continue-timeout
        [expect_continue_timeout: <duration> | default = 1s]

        # (advanced) Maximum number of idle (keep-alive) connections across all
        # hosts. 0 means no limit.
        # CLI flag: -graphite.querier.schemas.s3.max-idle-connections
        [max_idle_connections: <int> | default = 100]

        # (advanced) Maximum number of idle (keep-alive) connections to keep
        # per-host. If 0, a built-in default value is used.
        # CLI flag: -graphite.querier.schemas.s3.max-idle-connections-per-host
        [max_idle_connections_per_host: <int> | default = 100]

        # (advanced) Maximum number of connections per host. 0 means no limit.
        # CLI flag: -graphite.querier.schemas.s3.max-connections-per-host
        [max_connections_per_host: <int> | default = 0]

        # (advanced) Path to the CA certificates to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -graphite.querier.schemas.s3.http.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # (advanced) Path to the client certificate, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -graphite.querier.schemas.s3.http.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # (advanced) Path to the key for the client certificate. Also requires
        # the client certificate to be configured.
        # CLI flag: -graphite.querier.schemas.s3.http.tls-key-path
        [tls_key_path: <string> | default = ""]

        # (advanced) Override the expected name on the server certificate.
        # CLI flag: -graphite.querier.schemas.s3.http.tls-server-name
        [tls_server_name: <string> | default = ""]

      trace:
        # (advanced) When enabled, low-level S3 HTTP operation information is
        # logged at the debug level.
        # CLI flag: -graphite.querier.schemas.s3.trace.enabled
        [enabled: <boolean> | default = false]

    gcs:
      # GCS bucket name
      # CLI flag: -graphite.querier.schemas.gcs.bucket-name
      [bucket_name: <string> | default = ""]

      # JSON either from a Google Developers Console client_credentials.json
      # file, or a Google Developers service account key. Needs to be valid
      # JSON, not a filesystem path. If empty, fallback to Google default logic:
      # 1. A JSON file whose path is specified by the
      # GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload
      # identity federation, refer to
      # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
      # on how to generate the JSON configuration file for on-prem/non-Google
      # cloud platforms.
      # 2. A JSON file in a location known to the gcloud command-line tool:
      # $HOME/.config/gcloud/application_default_credentials.json.
      # 3. On Google Compute Engine it fetches credentials from the metadata
      # server.
      # CLI flag: -graphite.querier.schemas.gcs.service-account
      [service_account: <string> | default = ""]

    azure:
      # Azure storage account name
      # CLI flag: -graphite.querier.schemas.azure.account-name
      [account_name: <string> | default = ""]

      # Azure storage account key. If unset, Azure managed identities will be
      # used for authentication instead.
      # CLI flag: -graphite.querier.schemas.azure.account-key
      [account_key: <string> | default = ""]

      # If `connection-string` is set, the value of `endpoint-suffix` will not
      # be used. Use this method over `account-key` if you need to authenticate
      # via a SAS token or if you use the Azurite emulator.
      # CLI flag: -graphite.querier.schemas.azure.connection-string
      [connection_string: <string> | default = ""]

      # Azure storage container name
      # CLI flag: -graphite.querier.schemas.azure.container-name
      [container_name: <string> | default = ""]

      # Azure storage endpoint suffix without schema. The account name will be
      # prefixed to this value to create the FQDN. If set to empty string,
      # default endpoint suffix is used.
      # CLI flag: -graphite.querier.schemas.azure.endpoint-suffix
      [endpoint_suffix: <string> | default = ""]

      # (advanced) Number of retries for recoverable errors
      # CLI flag: -graphite.querier.schemas.azure.max-retries
      [max_retries: <int> | default = 20]

      # (advanced) User assigned managed identity. If empty, then System
      # assigned identity is used.
      # CLI flag: -graphite.querier.schemas.azure.user-assigned-id
      [user_assigned_id: <string> | default = ""]

    swift:
      # OpenStack Swift application credential id
      # CLI flag: -graphite.querier.schemas.swift.application-credential-id
      [application_credential_id: <string> | default = ""]

      # OpenStack Swift application credential name
      # CLI flag: -graphite.querier.schemas.swift.application-credential-name
      [application_credential_name: <string> | default = ""]

      # OpenStack Swift application credential secret
      # CLI flag: -graphite.querier.schemas.swift.application-credential-secret
      [application_credential_secret: <string> | default = ""]

      # OpenStack Swift authentication API version. 0 to autodetect.
      # CLI flag: -graphite.querier.schemas.swift.auth-version
      [auth_version: <int> | default = 0]

      # OpenStack Swift authentication URL
      # CLI flag: -graphite.querier.schemas.swift.auth-url
      [auth_url: <string> | default = ""]

      # OpenStack Swift username.
      # CLI flag: -graphite.querier.schemas.swift.username
      [username: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -graphite.querier.schemas.swift.user-domain-name
      [user_domain_name: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -graphite.querier.schemas.swift.user-domain-id
      [user_domain_id: <string> | default = ""]

      # OpenStack Swift user ID.
      # CLI flag: -graphite.querier.schemas.swift.user-id
      [user_id: <string> | default = ""]

      # OpenStack Swift API key.
      # CLI flag: -graphite.querier.schemas.swift.password
      [password: <string> | default = ""]

      # OpenStack Swift user's domain ID.
      # CLI flag: -graphite.querier.schemas.swift.domain-id
      [domain_id: <string> | default = ""]

      # OpenStack Swift user's domain name.
      # CLI flag: -graphite.querier.schemas.swift.domain-name
      [domain_name: <string> | default = ""]

      # OpenStack Swift project ID (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.project-id
      [project_id: <string> | default = ""]

      # OpenStack Swift project name (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.project-name
      [project_name: <string> | default = ""]

      # ID of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs from the user domain.
      # CLI flag: -graphite.querier.schemas.swift.project-domain-id
      [project_domain_id: <string> | default = ""]

      # Name of the OpenStack Swift project's domain (v3 auth only), only needed
      # if it differs from the user domain.
      # CLI flag: -graphite.querier.schemas.swift.project-domain-name
      [project_domain_name: <string> | default = ""]

      # OpenStack Swift Region to use (v2,v3 auth only).
      # CLI flag: -graphite.querier.schemas.swift.region-name
      [region_name: <string> | default = ""]

      # Name of the OpenStack Swift container to put chunks in.
      # CLI flag: -graphite.querier.schemas.swift.container-name
      [container_name: <string> | default = ""]

      # (advanced) Max retries on requests error.
      # CLI flag: -graphite.querier.schemas.swift.max-retries
      [max_retries: <int> | default = 3]

      # (advanced) Time after which a connection attempt is aborted.
      # CLI flag: -graphite.querier.schemas.swift.connect-timeout
      [connect_timeout: <duration> | default = 10s]

      # (advanced) Time after which an idle request is aborted. The timeout
      # watchdog is reset each time some data is received, so the timeout
      # triggers once no data has been received on a request for this long.
      # CLI flag: -graphite.querier.schemas.swift.request-timeout
      [request_timeout: <duration> | default = 5s]

    filesystem:
      # Local filesystem storage directory.
      # CLI flag: -graphite.querier.schemas.filesystem.dir
      [dir: <string> | default = ""]

    # Prefix for all objects stored in the backend storage. For simplicity, it
    # may only contain digits and English alphabet letters.
    # CLI flag: -graphite.querier.schemas.storage-prefix
    [storage_prefix: <string> | default = ""]

    # (advanced) Whether support for deduplicating schema config updates should
    # be enabled.
    # CLI flag: -graphite.querier.schemas.enable-deduplicator
    [enable_deduplicator: <boolean> | default = false]

    deduplicator:
      # (advanced) Maximum expected upload duration after which it's considered
      # failed and can be uploaded again.
      # CLI flag: -graphite.querier.schemas.deduplicator.timeout
      [timeout: <duration> | default = 15s]

      # (advanced) TTL for deduplicator entry in the cache.
      # CLI flag: -graphite.querier.schemas.deduplicator.ttl
      [ttl: <duration> | default = 12h]

      # (advanced) Time that the deduplicator waits between retries.
      # CLI flag: -graphite.querier.schemas.deduplicator.retry-delay
      [retry_delay: <duration> | default = 100ms]

      # (advanced) Max number of upload retries performed by the deduplicator
      # before failing.
      # CLI flag: -graphite.querier.schemas.deduplicator.max-retries
      [max_retries: <int> | default = 10]

      memcached_client:
        # Hostname for memcached service to use. If empty and if addresses is
        # unset, no memcached will be used.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.hostname
        [host: <string> | default = ""]

        # (advanced) SRV service used to discover memcache servers.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.service
        [service: <string> | default = "memcached"]

        # (experimental) Comma separated addresses list in DNS Service Discovery
        # format:
        # https://grafana.com/docs/mimir/latest/operators-guide/configuring/about-dns-service-discovery/
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.addresses
        [addresses: <string> | default = ""]

        # (advanced) Maximum time to wait before giving up on memcached
        # requests.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.timeout
        [timeout: <duration> | default = 100ms]

        # (advanced) Maximum number of idle connections in pool.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.max-idle-conns
        [max_idle_conns: <int> | default = 16]

        # (advanced) The maximum size of an item stored in memcached. Bigger
        # items are not stored. If set to 0, no maximum size is enforced.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.max-item-size
        [max_item_size: <int> | default = 0]

        # (advanced) Period with which to poll DNS for memcache servers.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.update-interval
        [update_interval: <duration> | default = 1m]

        # (advanced) Use consistent hashing to distribute to memcache servers.
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.consistent-hash
        [consistent_hash: <boolean> | default = true]

        # (advanced) Trip circuit-breaker after this number of consecutive dial
        # failures (if zero then circuit-breaker is disabled).
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.circuit-breaker-consecutive-failures
        [circuit_breaker_consecutive_failures: <int> | default = 10]

        # (advanced) Duration circuit-breaker remains open after tripping (if
        # zero then 60 seconds is used).
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.circuit-breaker-timeout
        [circuit_breaker_timeout: <duration> | default = 10s]

        # (advanced) Reset circuit-breaker counts after this long (if zero then
        # never reset).
        # CLI flag: -graphite.querier.schemas.deduplicator.memcached.circuit-breaker-interval
        [circuit_breaker_interval: <duration> | default = 10s]

  # (advanced) Period before an item is cachable, to prevent caching very recent
  # results.
  # CLI flag: -graphite.querier.cache-grace-period
  [cache_grace_period: <duration> | default = 5m]

  # (advanced) TTL for aggregation and metric name caches. Defaults to 10
  # minutes.
  # CLI flag: -graphite.querier.cache-ttl
  [cache_ttl: <duration> | default = 10m]

  # (experimental) TTL for mimir queries' strategy cache
  # CLI flag: -graphite.querier.query-strategy-cache-ttl
  [query_strategy_cache_ttl: <duration> | default = 24h]

  metric_name_cache:
    # Backend for metric names cache, if not empty. Supported values: [memcached
    # redis].
    # CLI flag: -graphite.querier.metric-name-cache.backend
    [backend: <string> | default = "memcached"]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # graphite.querier.metric-name-cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # graphite.querier.metric-name-cache
    [redis: <redis>]

  aggregation_cache:
    # Backend for aggregations cache, if not empty. Supported values: [memcached
    # redis].
    # CLI flag: -graphite.querier.aggregation-cache.backend
    [backend: <string> | default = "memcached"]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # graphite.querier.aggregation-cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # graphite.querier.aggregation-cache
    [redis: <redis>]

  # (advanced) Number of go routines to concurrently fetch and process data.
  # CLI flag: -graphite.querier.query-handling-concurrency
  [query_handling_concurrency: <int> | default = 32]

  # (experimental) Number of concurrent subqueries processed per request. A
  # negative value means no limit.
  # CLI flag: -graphite.querier.max-concurrent-sub-queries-per-request
  [max_concurrent_sub_queries_per_request: <int> | default = -1]

  # (advanced) Split queries by this interval and execute in parallel, 0
  # disables query splitting.
  # CLI flag: -graphite.querier.split-queries-by-interval
  [split_queries_by_interval: <duration> | default = 24h]

  # (advanced) Proxy bad requests to graphite
  # CLI flag: -graphite.querier.proxy-bad-requests
  [proxy_bad_requests: <boolean> | default = true]

  # Graphite http listener fallback address
  # CLI flag: -graphite.querier.graphite-fallback
  [graphite_fallback: <string> | default = "http://graphite:80"]

  # (experimental) Number of times to retry 502 responses from the Graphite
  # fallback
  # CLI flag: -graphite.querier.graphite-fallback-502-max-retries
  [graphite_fallback_502_max_retries: <int> | default = 3]

  # (advanced) How far into the past we perform index lookups for find calls
  # CLI flag: -graphite.querier.metrics-find-cutoff
  [metrics_find_cutoff: <string> | default = "32d"]

  # (advanced) Max number of data points a query may return, if number of data
  # points exceeds this limit we aggregate them down to the limit.
  # CLI flag: -graphite.querier.max-points-per-req-soft
  [max_points_per_req_soft: <int> | default = 1000000]

  # (advanced) If query results in more data points than this limit we directly
  # cancel it with an error message.
  # CLI flag: -graphite.querier.max-points-per-req-hard
  [max_points_per_req_hard: <int> | default = 20000000]

  remote_read:
    # Base URL for queries from upstream Prometheus API. The /api/v1 suffix will
    # be appended to this address. Defaults to http://localhost:80/prometheus.
    # CLI flag: -graphite.querier.query-address
    [query_address: <string> | default = "http://localhost:80/prometheus"]

    # (advanced) Timeout for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-timeout
    [query_timeout: <duration> | default = 30s]

    # (advanced) KeepAlive for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-keep-alive
    [query_keep_alive: <duration> | default = 30s]

    # (advanced) Max idle conns for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-max-idle-conns
    [query_max_idle_conns: <int> | default = 10]

    # (advanced) Max conns per host for queries to upstream Prometheus API.
    # CLI flag: -graphite.querier.query-max-conns
    [query_max_conns: <int> | default = 100]

    # (advanced) Client name to use when identifying requests in Prometheus API.
    # CLI flag: -graphite.querier.query-client-name
    [query_client_name: <string> | default = "graphite-querier"]

  # If set, remote queries will be sent to the machines corresponding to this
  # DNS service address.
  # CLI flag: -graphite.querier.querier-pool-service-address
  [querier_pool_service_address: <string> | default = ""]

  # (advanced) Number of go routines to concurrently send requests to a single
  # remote querier.
  # CLI flag: -graphite.querier.querier-pool-worker-concurrency
  [querier_pool_worker_concurrency: <int> | default = 32]

  # When a querier-pool-service-address is set, sets the proportion of queries
  # that will be sent to the remote pool. (Between 0.0 and 1.0).
  # CLI flag: -graphite.querier.querier-pool-rollout-fraction
  [querier_pool_rollout_fraction: <float> | default = 0]

  # Sets the proportion of queries that should attempt to process Graphite web
  # functions with CarbonAPI. (Between 0.0 and 1.0).
  # CLI flag: -graphite.querier.querier-carbonapi-rollout-fraction
  [querier_carbonAPI_rollout_fraction: <float> | default = 1]

  # Sets the proportion of CarbonAPI-executed queries that should also execute
  # MetricTank in order to compare results. (Between 0.0 and 1.0).
  # CLI flag: -graphite.querier.querier-carbonapi-mirrored-fraction
  [querier_carbonAPI_mirrored_fraction: <float> | default = 0]

  # (advanced) Period to wait before expiring a subquery asked over GRPC.
  # CLI flag: -graphite.querier.remote-subquery-timeout
  [remote_subquery_timeout: <duration> | default = 30s]

  # (advanced) The maximum number of read requests per second (globally for this
  # querier, not per-tenant) to allow before rate limiting. This is a hard
  # limit. The burst rate will be 2x this amount. Values <= 0 will disable this
  # rate limit.
  # CLI flag: -graphite.querier.rate-limit-qps
  [rate_limit_qps: <float> | default = 96]

  # (advanced) The maximum number of read requests per second per-tenant to
  # allow before rate limiting. This is a hard limit. The burst rate will be 2x
  # this amount. Values <= 0 will disable this rate limit.
  # CLI flag: -graphite.querier.tenant-rate-limit-qps
  [tenant_rate_limit_qps: <float> | default = 48]

  # (advanced) The maximum number of read requests per second per-tenant to
  # allow before rate limiting for hot paths (like find/). Values <= 0 will
  # disable this rate limit.
  # CLI flag: -graphite.querier.heavy-rate-limit-qps
  [heavy_rate_limit_qps: <float> | default = 10]

  # (advanced) If set, request rates will actually be limited, and the querier
  # will return http 429 when the limit is exceeded.
  # CLI flag: -graphite.querier.rate-limit-enabled
  [rate_limit_enabled: <boolean> | default = true]

  # (advanced) Largest duration allowed for queries. Queries covering larger
  # spans will return a 400 Bad Request error
  # CLI flag: -graphite.querier.max-query-length
  [max_query_length: <duration> | default = 175200h]

  # (experimental) Comma-separated list of tenants that should use the old
  # metrictank method for assuming the consolidation method.
  # CLI flag: -graphite.querier.legacy-implied-consolidator-tenants
  [legacy_implied_consolidator_tenants: <string> | default = ""]

  query_strategy:
    # (experimental) Whether to try to omit empty label values matchers (i.e.
    # non-existing labels) from prometheus fetch requests, and filter extra
    # series locally.
    # CLI flag: -graphite.querier.query-strategy.filter-empty-labels-locally
    [filter_empty_labels_locally: <boolean> | default = false]

    # (experimental) The strategy to use when allowing an empty label matcher to
    # be filtered locally. Supported values: non-empty-result, async-tests.
    # CLI flag: -graphite.querier.query-strategy.empty-labels-allow-list-strategy
    [filter_empty_labels_allow_list_strategy: <string> | default = "non-empty-result"]

    # (experimental) Sets the percentage of allowed wildcard matchers when
    # filtering empty labels locally. (Between 0.0 and 1.0)
    # CLI flag: -graphite.querier.query-strategy.max-allowed-wildcard-matchers-for-filter-empty-labels
    [max_allowed_empty_matchers_for_filter_empty_labels: <float> | default = 0.5]

    # (experimental) The maximum number of extra series allowed when omitting an
    # empty label matcher from a prometheus fetch request. When the number of
    # extra series fetched exceeds this threshold, the set of matchers is
    # deny-listed from having its empty label matchers omitted next time.
    # CLI flag: -graphite.querier.query-strategy.empty-labels-deny-list-threshold
    [filter_empty_labels_deny_list_threshold: <int> | default = 3000]

    # (experimental) Limits the QPS of the async tests done to try removing
    # empty label matchers. Zero means no limit.
    # CLI flag: -graphite.querier.query-strategy.async-tests-max-qps
    [async_tests_max_qps: <float> | default = 0.5]

  # (experimental) If set, only the last sample within a raw interval of a
  # series is kept. This attempts to mimic Graphite's behavior of overwriting
  # samples of the raw series, instead of aggregating them together. Although
  # overwriting samples is not possible in Mimir, one can still write two
  # samples within the same raw interval that is configured in the schema.
  # CLI flag: -graphite.querier.deduplicate-samples-in-raw-interval
  [deduplicate_samples_in_raw_interval: <boolean> | default = false]

write_proxy:
  distributor_client:
    # GRPC listen address of cortex distributor(s). Must be a DNS address
    # (prefixed with dns:///) to enable client side load balancing.
    # CLI flag: -graphite.write-proxy.distributor-client.address
    [address: <string> | default = "dns:///:9095"]

    # GRPC connection timeout for cortex distributor(s)
    # CLI flag: -graphite.write-proxy.distributor-client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # Set to true if distributor connection requires TLS.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -graphite.write-proxy.distributor-client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -graphite.write-proxy.distributor-client.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -graphite.write-proxy.distributor-client.tls-min-version
    [tls_min_version: <string> | default = ""]

  remote_write:
    # URL for writes to upstream Prometheus remote write API (including the
    # /push suffix if needed).
    # CLI flag: -graphite.write-proxy.write-endpoint
    [endpoint: <string> | default = ""]

    # Timeout for writes to upstream Prometheus remote write API.
    # CLI flag: -graphite.write-proxy.write-timeout
    [timeout: <duration> | default = 1s]

    # KeepAlive for write to upstream Prometheus remote write API.
    # CLI flag: -graphite.write-proxy.write-keep-alive
    [keep_alive: <duration> | default = 30s]

    # Max idle conns per host for writes to upstream Prometheus remote write
    # API.
    # CLI flag: -graphite.write-proxy.write-max-idle-conns
    [max_idle_conns: <int> | default = 10]

    # Max open conns per host for writes to upstream Prometheus remote write
    # API.
    # CLI flag: -graphite.write-proxy.write-max-conns
    [max_conns: <int> | default = 100]

    # If set to true sends requests with headers to skip label validation.
    # CLI flag: -graphite.write-proxy.skip-label-validation
    [skip_label_validation: <boolean> | default = false]

  # By default the write proxy will mask upstream 400 requests by answering with
  # 200 http status codes. The reason for this is some old clients perform
  # infinite retries when they encounter a 400.
  # CLI flag: -graphite.write-proxy.mask-bad-requests
  [mask_bad_requests: <boolean> | default = true]

# Enable usage of the remote write api on the write path of graphite, instead of
# importing distributors code and accessing the ingesters and the block store.
# CLI flag: -graphite.write-proxy.remote-write-enabled
[remote_write_proxy_enabled: <boolean> | default = false]

instrumentation

The instrumentation configures the instrumentation module.

# (advanced) Enable self-monitoring metrics recorded under the system tenant.
# CLI flag: -instrumentation.enabled
[enabled: <boolean> | default = true]

# (advanced) How often to flush self-monitoring metrics to distributor
# CLI flag: -instrumentation.flush-period
[flush_period: <duration> | default = 15s]

# (advanced) Timeout writing self-monitoring metrics to distributor
# CLI flag: -instrumentation.write-timeout
[write_timeout: <duration> | default = 10s]

distributor_client:
  # GRPC listen address of cortex distributor(s). Must be a DNS address
  # (prefixed with dns:///) to enable client side load balancing.
  # CLI flag: -instrumentation.distributor-client.address
  [address: <string> | default = "dns:///:9095"]

  # (advanced) GRPC connection timeout for cortex distributor(s)
  # CLI flag: -instrumentation.distributor-client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Set to true if distributor connection requires TLS.
  # CLI flag: -instrumentation.distributor-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -instrumentation.distributor-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -instrumentation.distributor-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -instrumentation.distributor-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -instrumentation.distributor-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -instrumentation.distributor-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -instrumentation.distributor-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -instrumentation.distributor-client.tls-min-version
  [tls_min_version: <string> | default = ""]

node_collector:
  # (advanced) Mount point of the proc filesystem.
  # CLI flag: -instrumentation.node-collector.procfs-path
  [procfs_path: <string> | default = "/proc"]

  # (advanced) Mount point of the root filesystem.
  # CLI flag: -instrumentation.node-collector.rootfs-path
  [rootfs_path: <string> | default = "/"]

  # (advanced) Regex pattern of mount points to ignore for the filesystem
  # collector
  # CLI flag: -instrumentation.node-collector.filesystem-ignored-mount-points
  [filesystem_ignored_mount_points: <string> | default = "^/(dev|proc|sys|var/lib/docker/.+)($|/)"]

  # (advanced) Regex pattern of filesystem types to ignore for the filesystem
  # collector
  # CLI flag: -instrumentation.node-collector.filesystem-ignored-fs-types
  [filesystem_ignored_fs_types: <string> | default = "^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$"]

  # (advanced) Regex pattern of devices to ignore for the diskstats collector
  # CLI flag: -instrumentation.node-collector.diskstats-ignored-devices
  [diskstats_ignored_devices: <string> | default = "^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"]

  # (advanced) Regexp of fields to return for vmstat collector
  # CLI flag: -instrumentation.node-collectorvmstat-fields
  [vmstat_fields: <string> | default = "^(oom_kill|pgpg|pswp|pg.*fault).*"]

bootstrap

This target is deprecated; use the tokengen target instead. In prior versions, bootstrap was used to configure the bootstrap target.

# Name of built in access policy.
# CLI flag: -bootstrap.policy-name
[policy_name: <string> | default = "admin-policy"]

# Write the token to this file instead of standard output.
# CLI flag: -bootstrap.token-file
[token_file: <string> | default = ""]

tokengen

The tokengen is used to configure the tokengen command.

# (advanced) The name of the access policy to generate a token for. It defaults
# to the built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# (advanced) If set, the generated token will be written to a file at the
# provided path in addition to being logged. Note that if the file already
# exists, it will not be overwritten, and tokengen will fail with an error.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]

license

The license configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# (advanced) Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

federation

The federation configures the federation frontend component, which can be used to federate querier between multiple Grafana Enterprise Metrics clusters.

# List of remote GEM clusters to federate to.
proxy_targets:
  -
    # Name contains the name of the proxy target, it will be used for the
    # __cluster__ label.
    [name: <string> | default = ""]

    # URL is the URL to the Prometheus API endpoints.
    [url: <string> | default = ""]

    # These optional Basic Auth parameters allow overriding the client-provided
    # credentials.
    basic_auth:
      # Basic Auth username
      [username: <string> | default = ""]

      # Basic Auth password
      [password: <string> | default = ""]

    # These optional Bearer Token parameters allow overriding the
    # client-provided credentials.
    bearer_token:
      # Bearer token user to forward to proxy targets.
      [user: <string> | default = ""]

      # Bearer token to forward to proxy targets.
      [token: <string> | default = ""]

    # TLS configuration for the target.
    tls:
      # (advanced) Path to the client certificate file, which will be used for
      # authenticating with the server. Also requires the key path to be
      # configured.
      [tls_cert_path: <string> | default = ""]

      # (advanced) Path to the key file for the client certificate. Also
      # requires the client certificate to be configured.
      [tls_key_path: <string> | default = ""]

      # (advanced) Path to the CA certificates file to validate server
      # certificate against. If not set, the host's root CA certificates are
      # used.
      [tls_ca_path: <string> | default = ""]

      # (advanced) Override the expected name on the server certificate.
      [tls_server_name: <string> | default = ""]

      # (advanced) Skip validating server certificate.
      [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for requests to this target. Must be greater than 0.
    [request_timeout: <duration> | default = 30s]
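
The TLS client settings documented above (tls_min_version, tls_cipher_suites, tls_insecure_skip_verify) can be checked mechanically before a config file is deployed. The Python script below is an added example, not part of the GEM documentation or code base: it flags suites that this reference lists under "Insecure Ciphers", skipped certificate validation, and minimum versions below TLS 1.2. The TLS 1.2 floor is this example's own policy assumption, and the sample config, its hostnames and its top-level nesting are constructed.

```python
import re

# Suite names copied from the "Insecure Ciphers" / "Secure Ciphers" lists above.
INSECURE_CIPHERS = set("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split())
SECURE_CIPHERS = set("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
""".split())
ALLOWED_MIN_VERSIONS = ("VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13")
# Assumption (policy of this example, not of the reference): require TLS 1.2+.
WEAK_MIN_VERSIONS = {"VersionTLS10", "VersionTLS11"}

KEY_LINE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*(.*)$")


def iter_settings(text):
    """Yield (line_number, dotted_path, key, value) for each scalar setting.

    Minimal indentation-based reader for block-style YAML; not a general YAML
    parser (no flow style, anchors, multi-line scalars or '#' inside quotes).
    """
    stack = []  # (indent, key) of the enclosing mappings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # drop comments
        # Treat a list dash as indentation so "- name: x" nests like "  name: x".
        line = re.sub(r"^(\s*)-(\s|$)", r"\1 \2", line)
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended before this line
        if rest == "":
            stack.append((indent, key))  # a nested mapping opens here
            continue
        path = ".".join([k for _, k in stack] + [key])
        yield lineno, path, key, rest.strip("\"'")


def audit_tls(text):
    """Return a list of (line_number, dotted_path, problem) findings."""
    findings = []
    for lineno, path, key, value in iter_settings(text):
        if key == "tls_insecure_skip_verify" and value.lower() == "true":
            findings.append((lineno, path, "server certificate is not validated"))
        elif key == "tls_min_version" and value:
            if value not in ALLOWED_MIN_VERSIONS:
                findings.append((lineno, path, f"unknown TLS version {value}"))
            elif value in WEAK_MIN_VERSIONS:
                findings.append(
                    (lineno, path, f"minimum version {value} is below TLS 1.2"))
        elif key == "tls_cipher_suites":
            for suite in filter(None, (s.strip() for s in value.split(","))):
                if suite in INSECURE_CIPHERS:
                    findings.append((lineno, path, f"insecure cipher {suite}"))
                elif suite not in SECURE_CIPHERS:
                    findings.append((lineno, path, f"unknown cipher {suite}"))
    return findings


# Constructed sample config; hostnames and top-level nesting are assumptions.
SAMPLE_CONFIG = """\
instrumentation:
  distributor_client:
    address: "dns:///distributor.example.internal:9095"
    tls_enabled: true
    tls_min_version: VersionTLS10
    tls_cipher_suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
federation:
  proxy_targets:
    -
      name: cluster-b
      url: https://gem-b.example.internal/prometheus
      tls:
        tls_insecure_skip_verify: true  # weak: disables certificate checks
    - name: cluster-c
      url: https://gem-c.example.internal/prometheus
      tls:
        tls_insecure_skip_verify: false
server:
  tls_min_version: VersionTLS13
"""

if __name__ == "__main__":
    for lineno, path, problem in audit_tls(SAMPLE_CONFIG):
        print(f"line {lineno}: {path}: {problem}")
```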

server

The server configures the HTTP and gRPC server of the launched service(s).

# (advanced) HTTP server listen network, default tcp
# CLI flag: -server.http-listen-network
[http_listen_network: <string> | default = "tcp"]

# HTTP server listen address.
# CLI flag: -server.http-listen-address
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 8080]

# (advanced) Maximum number of simultaneous http connections, <=0 to disable
# CLI flag: -server.http-conn-limit
[http_listen_conn_limit: <int> | default = 0]

# (advanced) gRPC server listen network
# CLI flag: -server.grpc-listen-network
[grpc_listen_network: <string> | default = "tcp"]

# gRPC server listen address.
# CLI flag: -server.grpc-listen-address
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# (advanced) Maximum number of simultaneous grpc connections, <=0 to disable
# CLI flag: -server.grpc-conn-limit
[grpc_listen_conn_limit: <int> | default = 0]

# (experimental) Enables PROXY protocol.
# CLI flag: -server.proxy-protocol-enabled
[proxy_protocol_enabled: <boolean> | default = false]

# Comma-separated list of cipher suites to use. If blank, the default Go cipher
# suites are used.
# CLI flag: -server.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Minimum TLS version to use. Allowed values: VersionTLS10, VersionTLS11,
# VersionTLS12, VersionTLS13. If blank, the Go TLS minimum version is used.
# CLI flag: -server.tls-min-version
[tls_min_version: <string> | default = ""]

http_tls_config:
  # Server TLS certificate. This configuration parameter is YAML only.
  [cert: <string> | default = ""]

  # Server TLS key. This configuration parameter is YAML only.
  [key: <string> | default = ""]

  # Root certificate authority used to verify client certificates. This
  # configuration parameter is YAML only.
  [client_ca: <string> | default = ""]

  # (advanced) HTTP server cert path.
  # CLI flag: -server.http-tls-cert-path
  [cert_file: <string> | default = ""]

  # (advanced) HTTP server key path.
  # CLI flag: -server.http-tls-key-path
  [key_file: <string> | default = ""]

  # (advanced) HTTP TLS Client Auth type.
  # CLI flag: -server.http-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # (advanced) HTTP TLS Client CA path.
  # CLI flag: -server.http-tls-ca-path
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # Server TLS certificate. This configuration parameter is YAML only.
  [cert: <string> | default = ""]

  # Server TLS key. This configuration parameter is YAML only.
  [key: <string> | default = ""]

  # Root certificate authority used to verify client certificates. This
  # configuration parameter is YAML only.
  [client_ca: <string> | default = ""]

  # (advanced) GRPC TLS server cert path.
  # CLI flag: -server.grpc-tls-cert-path
  [cert_file: <string> | default = ""]

  # (advanced) GRPC TLS server key path.
  # CLI flag: -server.grpc-tls-key-path
  [key_file: <string> | default = ""]

  # (advanced) GRPC TLS Client Auth type.
  # CLI flag: -server.grpc-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # (advanced) GRPC TLS Client CA path.
  # CLI flag: -server.grpc-tls-ca-path
  [client_ca_file: <string> | default = ""]

# (advanced) Register the instrumentation handlers (/metrics etc).
# CLI flag: -server.register-instrumentation
[register_instrumentation: <boolean> | default = true]

# If set to true, gRPC statuses will be reported in instrumentation labels with
# their string representations. Otherwise, they will be reported as "error".
# CLI flag: -server.report-grpc-codes-in-instrumentation-label-enabled
[report_grpc_codes_in_instrumentation_label_enabled: <boolean> | default = true]

# (advanced) Timeout for graceful shutdowns
# CLI flag: -server.graceful-shutdown-timeout
[graceful_shutdown_timeout: <duration> | default = 30s]

# (advanced) Read timeout for entire HTTP request, including headers and body.
# CLI flag: -server.http-read-timeout
[http_server_read_timeout: <duration> | default = 30s]

# Read timeout for HTTP request headers. If set to 0, value of
# -server.http-read-timeout is used.
# CLI flag: -server.http-read-header-timeout
[http_server_read_header_timeout: <duration> | default = 0s]

# (advanced) Write timeout for HTTP server
# CLI flag: -server.http-write-timeout
[http_server_write_timeout: <duration> | default = 2m]

# (advanced) Idle timeout for HTTP server
# CLI flag: -server.http-idle-timeout
[http_server_idle_timeout: <duration> | default = 2m]

# Log closed connections that did not receive any response, most likely because
# the client didn't send any request within the timeout.
# CLI flag: -server.http-log-closed-connections-without-response-enabled
[http_log_closed_connections_without_response_enabled: <boolean> | default = false]

# (advanced) Limit on the size of a gRPC message this server can receive
# (bytes).
# CLI flag: -server.grpc-max-recv-msg-size-bytes
[grpc_server_max_recv_msg_size: <int> | default = 104857600]

# (advanced) Limit on the size of a gRPC message this server can send (bytes).
# CLI flag: -server.grpc-max-send-msg-size-bytes
[grpc_server_max_send_msg_size: <int> | default = 104857600]

# (advanced) Limit on the number of concurrent streams for gRPC calls per client
# connection (0 = unlimited)
# CLI flag: -server.grpc-max-concurrent-streams
[grpc_server_max_concurrent_streams: <int> | default = 100]

# (advanced) The duration after which an idle connection should be closed.
# Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-idle
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# (advanced) The duration for the maximum amount of time a connection may exist
# before it will be closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# (advanced) An additive period after max-connection-age after which the
# connection will be forcibly closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age-grace
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# (advanced) Duration after which a keepalive probe is sent in case of no
# activity over the connection. Default: 2h
# CLI flag: -server.grpc.keepalive.time
[grpc_server_keepalive_time: <duration> | default = 2h]

# (advanced) After having pinged for keepalive check, the duration after which
# an idle connection should be closed. Default: 20s
# CLI flag: -server.grpc.keepalive.timeout
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# (advanced) Minimum amount of time a client should wait before sending a
# keepalive ping. If the client sends keepalive pings more often, the server
# will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.min-time-between-pings
[grpc_server_min_time_between_pings: <duration> | default = 10s]

# (advanced) If true, the server allows keepalive pings even when there are no
# active streams (RPCs). If false, and the client sends a ping when there are no
# active streams, the server will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.ping-without-stream-allowed
[grpc_server_ping_without_stream_allowed: <boolean> | default = true]

# (advanced) If non-zero, configures the amount of GRPC server workers used to
# serve the requests.
# CLI flag: -server.grpc.num-workers
[grpc_server_num_workers: <int> | default = 100]

# Output log messages in the given format. Valid formats: [logfmt, json]
# CLI flag: -log.format
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# (advanced) Optionally log the source IPs.
# CLI flag: -server.log-source-ips-enabled
[log_source_ips_enabled: <boolean> | default = false]

# Log all source IPs instead of only the originating one. Only used if
# server.log-source-ips-enabled is true
# CLI flag: -server.log-source-ips-full
[log_source_ips_full: <boolean> | default = false]

# (advanced) Header field storing the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-header
[log_source_ips_header: <string> | default = ""]

# (advanced) Regex for matching the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-regex
[log_source_ips_regex: <string> | default = ""]

# Optionally log request headers.
# CLI flag: -server.log-request-headers
[log_request_headers: <boolean> | default = false]

# (advanced) Optionally log requests at info level instead of debug level.
# Applies to request headers as well if server.log-request-headers is enabled.
# CLI flag: -server.log-request-at-info-level-enabled
[log_request_at_info_level_enabled: <boolean> | default = false]

# Comma-separated list of headers to exclude from logging. Only used if
# server.log-request-headers is true.
# CLI flag: -server.log-request-headers-exclude-list
[log_request_exclude_headers_list: <string> | default = ""]

# (advanced) Base path to serve all API routes from (e.g. /v1/)
# CLI flag: -server.path-prefix
[http_path_prefix: <string> | default = ""]
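
The TLS, timeout and logging parameters above, set to hardened values in one fragment. This is an added example, not part of the GEM reference: the file paths, durations and excluded header names are constructed placeholders, the `server` and `http_tls_config` parent keys are assumed from the CLI flag prefixes, and `RequireAndVerifyClientCert` is the Go crypto/tls policy name assumed to be accepted for `client_auth_type`.

```yaml
# Added example (not from the GEM reference). Placeholder paths and values.
server:
  http_tls_config:
    cert_file: /etc/gem/tls/server.crt        # constructed path
    key_file: /etc/gem/tls/server.key         # constructed path
    # Default "" leaves the client-certificate policy unset. Requiring and
    # verifying a certificate turns server-only TLS into mutual TLS.
    client_auth_type: RequireAndVerifyClientCert   # assumed accepted value
    client_ca_file: /etc/gem/tls/clients-ca.crt    # CA that signs client certs

  grpc_tls_config:
    cert_file: /etc/gem/tls/server.crt
    key_file: /etc/gem/tls/server.key
    client_auth_type: RequireAndVerifyClientCert   # assumed accepted value
    client_ca_file: /etc/gem/tls/clients-ca.crt

  # Default 0s falls back to http_server_read_timeout (30s). A shorter header
  # timeout releases connections that open a request and then stall.
  http_server_read_header_timeout: 10s
  # Default false. Surfaces connections closed without any response, which is
  # what stalled or never-sent requests look like from the server side.
  http_log_closed_connections_without_response_enabled: true

  # Defaults are "infinity". Bounding idle time and connection age forces
  # periodic reconnects, so each new TLS handshake re-validates the client
  # certificate against the current CA bundle.
  grpc_server_max_connection_idle: 15m
  grpc_server_max_connection_age: 1h
  grpc_server_max_connection_age_grace: 5m

  # Source-IP logging is off by default. Forwarding headers can be supplied by
  # any client, so name the one header your own reverse proxy overwrites.
  log_source_ips_enabled: true
  log_source_ips_header: X-Real-IP

  # If request headers are logged, exclude every header that carries a secret.
  # The two names below are constructed placeholders for proxy-added headers.
  log_request_headers: true
  log_request_exclude_headers_list: "X-Upstream-Token,X-Session-Id"
```

After a restart, the values actually in effect can be compared against this fragment on the component's /config HTTP path.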

distributor

The distributor configures the GEM distributor.

pool:
  # (advanced) How frequently to clean up clients for ingesters that have gone
  # away.
  # CLI flag: -distributor.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # (advanced) Run a health check on each ingester client during periodic
  # cleanup.
  # CLI flag: -distributor.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

retry_after_header:
  # (advanced) Enables inclusion of the Retry-After header in the response: true
  # includes it for client retry guidance, false omits it.
  # CLI flag: -distributor.retry-after-header.enabled
  [enabled: <boolean> | default = true]

  # (advanced) Minimum duration of the Retry-After HTTP header in responses to
  # 429/5xx errors. Must be greater than or equal to 1s. Backoff is calculated
  # as MinBackoff*2^(RetryAttempt-1) seconds with random jitter of 50% in either
  # direction. RetryAttempt is the value of the Retry-Attempt HTTP header.
  # CLI flag: -distributor.retry-after-header.min-backoff
  [min_backoff: <duration> | default = 6s]

  # (advanced) Maximum duration of the Retry-After HTTP header in responses to
  # 429/5xx errors. Must be greater than or equal to 1s. Backoff is calculated
  # as MinBackoff*2^(RetryAttempt-1) seconds with random jitter of 50% in either
  # direction. RetryAttempt is the value of the Retry-Attempt HTTP header.
  # CLI flag: -distributor.retry-after-header.max-backoff
  [max_backoff: <duration> | default = 1m36s]

ha_tracker:
  # Enable the distributor's HA tracker so that it can accept samples from
  # Prometheus HA replicas gracefully (requires labels).
  # CLI flag: -distributor.ha-tracker.enable
  [enable_ha_tracker: <boolean> | default = false]

  # (advanced) Update the timestamp in the KV store for a given cluster/replica
  # only after this amount of time has passed since the current stored
  # timestamp.
  # CLI flag: -distributor.ha-tracker.update-timeout
  [ha_tracker_update_timeout: <duration> | default = 15s]

  # (advanced) Maximum jitter applied to the update timeout, in order to spread
  # the HA heartbeats over time.
  # CLI flag: -distributor.ha-tracker.update-timeout-jitter-max
  [ha_tracker_update_timeout_jitter_max: <duration> | default = 5s]

  # (advanced) If we don't receive any samples from the accepted replica for a
  # cluster in this amount of time, we will fail over to the next replica we
  # receive a sample from. This value must be greater than the update timeout.
  # CLI flag: -distributor.ha-tracker.failover-timeout
  [ha_tracker_failover_timeout: <duration> | default = 30s]

  # Backend storage to use for the ring. Please be aware that memberlist is not
  # supported by the HA tracker since gossip propagation is too slow for HA
  # purposes.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -distributor.ha-tracker.store
    [store: <string> | default = "consul"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -distributor.ha-tracker.prefix
    [prefix: <string> | default = "ha-tracker/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is:
    # distributor.ha-tracker
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is:
    # distributor.ha-tracker
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -distributor.ha-tracker.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -distributor.ha-tracker.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -distributor.ha-tracker.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -distributor.ha-tracker.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

# (advanced) Max message size in bytes that the distributors will accept for
# incoming push requests to the remote write API. If exceeded, the request will
# be rejected.
# CLI flag: -distributor.max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]

# (experimental) Maximum OTLP request size in bytes that the distributors
# accept. Requests exceeding this limit are rejected.
# CLI flag: -distributor.max-otlp-request-size
[max_otlp_request_size: <int> | default = 104857600]

# (experimental) Max size of the pooled buffers used for marshaling write
# requests. If 0, no max size is enforced.
# CLI flag: -distributor.max-request-pool-buffer-size
[max_request_pool_buffer_size: <int> | default = 0]

# (advanced) Timeout for downstream ingesters.
# CLI flag: -distributor.remote-timeout
[remote_timeout: <duration> | default = 2s]

ring:
  # The key-value store used to share the hash ring across multiple instances.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -distributor.ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -distributor.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is: distributor.ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is: distributor.ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -distributor.ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -distributor.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -distributor.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which distributors are considered
  # unhealthy within the ring. 0 = never (timeout disabled).
  # CLI flag: -distributor.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -distributor.ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -distributor.ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -distributor.ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -distributor.ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -distributor.ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

instance_limits:
  # (advanced) Max ingestion rate (samples/sec) that this distributor will
  # accept. This limit is per-distributor, not per-tenant. Additional push
  # requests will be rejected. Current ingestion rate is computed as
  # exponentially weighted moving average, updated every second. 0 = unlimited.
  # CLI flag: -distributor.instance-limits.max-ingestion-rate
  [max_ingestion_rate: <float> | default = 0]

  # (advanced) Max inflight push requests that this distributor can handle. This
  # limit is per-distributor, not per-tenant. Additional requests will be
  # rejected. 0 = unlimited.
  # CLI flag: -distributor.instance-limits.max-inflight-push-requests
  [max_inflight_push_requests: <int> | default = 2000]

  # (advanced) The sum of the request sizes in bytes of inflight push requests
  # that this distributor can handle. This limit is per-distributor, not
  # per-tenant. Additional requests will be rejected. 0 = unlimited.
  # CLI flag: -distributor.instance-limits.max-inflight-push-requests-bytes
  [max_inflight_push_requests_bytes: <int> | default = 0]

# (experimental) Enable pooling of buffers used for marshaling write requests.
# CLI flag: -distributor.write-requests-buffer-pooling-enabled
[write_requests_buffer_pooling_enabled: <boolean> | default = true]

# (advanced) Number of pre-allocated workers used to forward push requests to
# the ingesters. If 0, no workers will be used and a new goroutine will be
# spawned for each ingester push request. If not enough workers are available,
# a new goroutine will be spawned. (Note: this is a performance optimization,
# not a limiting feature.)
# CLI flag: -distributor.reusable-ingester-push-workers
[reusable_ingester_push_workers: <int> | default = 2000]

# (experimental) When enabled, OTLP write requests are directly translated to
# GEM equivalents, for optimum performance.
# CLI flag: -distributor.direct-otlp-translation-enabled
[direct_otlp_translation_enabled: <boolean> | default = true]

ingester

The ingester configures the GEM ingester.

ring:
  # The key-value store used to share the hash ring across multiple instances.
  # This option needs to be set on ingesters, distributors, queriers, and rulers
  # when running in microservices mode.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -ingester.ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -ingester.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is: ingester.ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is: ingester.ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -ingester.ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -ingester.ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -ingester.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -ingester.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -ingester.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which ingesters are skipped for
  # reads/writes. 0 = never (timeout disabled). This option needs to be set on
  # ingesters, distributors, queriers, and rulers when running in microservices
  # mode.
  # CLI flag: -ingester.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Number of ingesters that each time series is replicated to. This option
  # needs to be set on ingesters, distributors, queriers, and rulers when
  # running in microservices mode.
  # CLI flag: -ingester.ring.replication-factor
  [replication_factor: <int> | default = 3]

  # True to enable zone-awareness and replicate ingested samples across
  # different availability zones. This option needs to be set on ingesters,
  # distributors, queriers, and rulers when running in microservices mode.
  # CLI flag: -ingester.ring.zone-awareness-enabled
  [zone_awareness_enabled: <boolean> | default = false]

  # (advanced) Comma-separated list of zones to exclude from the ring. Instances
  # in excluded zones will be filtered out from the ring. This option needs to
  # be set on ingesters, distributors, queriers, and rulers when running in
  # microservices mode.
  # CLI flag: -ingester.ring.excluded-zones
  [excluded_zones: <string> | default = ""]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup. Must be empty if
  # -ingester.ring.token-generation-strategy is set to "spread-minimizing".
  # CLI flag: -ingester.ring.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # (advanced) Number of tokens for each ingester.
  # CLI flag: -ingester.ring.num-tokens
  [num_tokens: <int> | default = 128]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -ingester.ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # (advanced) List of network interface names to look up when finding the
  # instance IP address.
  # CLI flag: -ingester.ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -ingester.ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -ingester.ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -ingester.ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

  # (advanced) The availability zone where this instance is running.
  # CLI flag: -ingester.ring.instance-availability-zone
  [instance_availability_zone: <string> | default = ""]

  # (advanced) Unregister from the ring upon clean shutdown. It can be useful to
  # disable for rolling restarts with consistent naming.
  # CLI flag: -ingester.ring.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

  # (advanced) Observe tokens after generating to resolve collisions. Useful
  # when using gossiping ring.
  # CLI flag: -ingester.ring.observe-period
  [observe_period: <duration> | default = 0s]

  # (advanced) Minimum duration to wait after the internal readiness checks have
  # passed but before succeeding the readiness endpoint. This is used to
  # slow down deployment controllers (e.g. Kubernetes) after an instance is
  # ready and before they proceed with a rolling update, to give the rest of the
  # cluster instances enough time to receive ring updates.
  # CLI flag: -ingester.ring.min-ready-duration
  [min_ready_duration: <duration> | default = 15s]

  # (advanced) Duration to sleep for before exiting, to ensure metrics are
  # scraped.
  # CLI flag: -ingester.ring.final-sleep
  [final_sleep: <duration> | default = 0s]

  # (advanced) Specifies the strategy used for generating tokens for ingesters.
  # Supported values are: random, spread-minimizing.
  # CLI flag: -ingester.ring.token-generation-strategy
  [token_generation_strategy: <string> | default = "random"]

  # (advanced) True to allow this ingester to register tokens in the ring only
  # after all previous ingesters (with ID lower than the current one) have
  # already been registered. This configuration option is supported only when
  # the token generation strategy is set to "spread-minimizing".
  # CLI flag: -ingester.ring.spread-minimizing-join-ring-in-order
  [spread_minimizing_join_ring_in_order: <boolean> | default = false]

  # (advanced) Comma-separated list of zones in which spread minimizing strategy
  # is used for token generation. This value must include all zones in which
  # ingesters are deployed, and must not change over time. This configuration is
  # used only when "token-generation-strategy" is set to "spread-minimizing".
  # CLI flag: -ingester.ring.spread-minimizing-zones
  [spread_minimizing_zones: <string> | default = ""]

partition_ring:
  # The key-value store used to share the hash ring across multiple instances.
  # This option needs to be set on ingesters, distributors, queriers, and rulers
  # when running in microservices mode.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -ingester.partition-ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -ingester.partition-ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is:
    # ingester.partition-ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is:
    # ingester.partition-ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -ingester.partition-ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -ingester.partition-ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -ingester.partition-ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -ingester.partition-ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # Minimum number of owners to wait before a PENDING partition gets switched to
  # ACTIVE.
  # CLI flag: -ingester.partition-ring.min-partition-owners-count
  [min_partition_owners_count: <int> | default = 1]

  # How long the minimum number of owners are enforced before a PENDING
  # partition gets switched to ACTIVE.
  # CLI flag: -ingester.partition-ring.min-partition-owners-duration
  [min_partition_owners_duration: <duration> | default = 10s]

  # How long to wait before an INACTIVE partition is eligible for deletion. The
  # partition is deleted only if it has been in INACTIVE state for at least the
  # configured duration and it has no owners registered. A value of 0 disables
  # partitions deletion.
  # CLI flag: -ingester.partition-ring.delete-inactive-partition-after
  [delete_inactive_partition_after: <duration> | default = 13h]

# (advanced) Period at which metadata we have not seen will remain in memory
# before being deleted.
# CLI flag: -ingester.metadata-retain-period
[metadata_retain_period: <duration> | default = 10m]

# (advanced) Period with which to update the per-tenant ingestion rates.
# CLI flag: -ingester.rate-update-period
[rate_update_period: <duration> | default = 15s]

# (advanced) Enable tracking of active series and export them as metrics.
# CLI flag: -ingester.active-series-metrics-enabled
[active_series_metrics_enabled: <boolean> | default = true]

# (advanced) How often to update active series metrics.
# CLI flag: -ingester.active-series-metrics-update-period
[active_series_metrics_update_period: <duration> | default = 1m]

# (advanced) After what time a series is considered to be inactive.
# CLI flag: -ingester.active-series-metrics-idle-timeout
[active_series_metrics_idle_timeout: <duration> | default = 20m]

# (experimental) Period with which to update the per-tenant TSDB configuration.
# CLI flag: -ingester.tsdb-config-update-period
[tsdb_config_update_period: <duration> | default = 15s]

instance_limits:
  # (advanced) Max ingestion rate (samples/sec) that ingester will accept. This
  # limit is per-ingester, not per-tenant. Additional push requests will be
  # rejected. Current ingestion rate is computed as exponentially weighted
  # moving average, updated every second. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-ingestion-rate
  [max_ingestion_rate: <float> | default = 0]

  # (advanced) Max tenants that this ingester can hold. Requests from additional
  # tenants will be rejected. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-tenants
  [max_tenants: <int> | default = 0]

  # (advanced) Max series that this ingester can hold (across all tenants).
  # Requests to create additional series will be rejected. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-series
  [max_series: <int> | default = 0]

  # (advanced) Max inflight push requests that this ingester can handle (across
  # all tenants). Additional requests will be rejected. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-inflight-push-requests
  [max_inflight_push_requests: <int> | default = 30000]

  # (advanced) The sum of the request sizes in bytes of inflight push requests
  # that this ingester can handle. This limit is per-ingester, not per-tenant.
  # Additional requests will be rejected. 0 = unlimited.
  # CLI flag: -ingester.instance-limits.max-inflight-push-requests-bytes
  [max_inflight_push_requests_bytes: <int> | default = 0]

# (advanced) Comma-separated list of metric names, for which the
# -ingester.max-global-series-per-metric limit will be ignored. Does not affect
# the -ingester.max-global-series-per-user limit.
# CLI flag: -ingester.ignore-series-limit-for-metric-names
[ignore_series_limit_for_metric_names: <string> | default = ""]

# (experimental) CPU utilization limit, as CPU cores, for CPU/memory utilization
# based read request limiting. Use 0 to disable it.
# CLI flag: -ingester.read-path-cpu-utilization-limit
[read_path_cpu_utilization_limit: <float> | default = 0]

# (experimental) Memory limit, in bytes, for CPU/memory utilization based read
# request limiting. Use 0 to disable it.
# CLI flag: -ingester.read-path-memory-utilization-limit
[read_path_memory_utilization_limit: <int> | default = 0]

# (experimental) Enable logging of utilization based limiter CPU samples.
# CLI flag: -ingester.log-utilization-based-limiter-cpu-samples
[log_utilization_based_limiter_cpu_samples: <boolean> | default = false]

# (advanced) Each error will be logged once in this many times. Use 0 to log all
# of them.
# CLI flag: -ingester.error-sample-rate
[error_sample_rate: <int> | default = 10]

# (experimental) When enabled, only series currently owned by the ingester
# according to the ring are used when checking the per-tenant series limit.
# CLI flag: -ingester.use-ingester-owned-series-for-limits
[use_ingester_owned_series_for_limits: <boolean> | default = false]

# (experimental) This option enables tracking of ingester-owned series based on
# ring state, even if -ingester.use-ingester-owned-series-for-limits is
# disabled.
# CLI flag: -ingester.track-ingester-owned-series
[track_ingester_owned_series: <boolean> | default = false]

# (experimental) How often to check for ring changes and possibly recompute
# owned series as a result of detected change.
# CLI flag: -ingester.owned-series-update-interval
[owned_series_update_interval: <duration> | default = 15s]

push_circuit_breaker:
  # (experimental) Enable circuit breaking when making requests to ingesters
  # CLI flag: -ingester.push-circuit-breaker.enabled
  [enabled: <boolean> | default = false]

  # (experimental) Max percentage of requests that can fail over period before
  # the circuit breaker opens
  # CLI flag: -ingester.push-circuit-breaker.failure-threshold-percentage
  [failure_threshold_percentage: <int> | default = 10]

  # (experimental) How many requests must have been executed in period for the
  # circuit breaker to be eligible to open for the rate of failures
  # CLI flag: -ingester.push-circuit-breaker.failure-execution-threshold
  [failure_execution_threshold: <int> | default = 100]

  # (experimental) Moving window of time that the percentage of failed requests
  # is computed over
  # CLI flag: -ingester.push-circuit-breaker.thresholding-period
  [thresholding_period: <duration> | default = 1m]

  # (experimental) How long the circuit breaker will stay in the open state
  # before allowing some requests
  # CLI flag: -ingester.push-circuit-breaker.cooldown-period
  [cooldown_period: <duration> | default = 10s]

  # (experimental) How long the circuit breaker should wait between an
  # activation request and becoming effectively active. During that time both
  # failures and successes will not be counted.
  # CLI flag: -ingester.push-circuit-breaker.initial-delay
  [initial_delay: <duration> | default = 0s]

  # (experimental) The maximum duration of an ingester's request before it
  # triggers a timeout. This configuration is used for circuit breakers only,
  # and its timeouts aren't reported as errors.
  # CLI flag: -ingester.push-circuit-breaker.request-timeout
  [request_timeout: <duration> | default = 2s]

read_circuit_breaker:
  # (experimental) Enable circuit breaking when making requests to ingesters
  # CLI flag: -ingester.read-circuit-breaker.enabled
  [enabled: <boolean> | default = false]

  # (experimental) Max percentage of requests that can fail over period before
  # the circuit breaker opens
  # CLI flag: -ingester.read-circuit-breaker.failure-threshold-percentage
  [failure_threshold_percentage: <int> | default = 10]

  # (experimental) How many requests must have been executed in period for the
  # circuit breaker to be eligible to open for the rate of failures
  # CLI flag: -ingester.read-circuit-breaker.failure-execution-threshold
  [failure_execution_threshold: <int> | default = 100]

  # (experimental) Moving window of time that the percentage of failed requests
  # is computed over
  # CLI flag: -ingester.read-circuit-breaker.thresholding-period
  [thresholding_period: <duration> | default = 1m]

  # (experimental) How long the circuit breaker will stay in the open state
  # before allowing some requests
  # CLI flag: -ingester.read-circuit-breaker.cooldown-period
  [cooldown_period: <duration> | default = 10s]

  # (experimental) How long the circuit breaker should wait between an
  # activation request and becoming effectively active. During that time both
  # failures and successes will not be counted.
  # CLI flag: -ingester.read-circuit-breaker.initial-delay
  [initial_delay: <duration> | default = 0s]

  # (experimental) The maximum duration of an ingester's request before it
  # triggers a timeout. This configuration is used for circuit breakers only,
  # and its timeouts aren't reported as errors.
  # CLI flag: -ingester.read-circuit-breaker.request-timeout
  [request_timeout: <duration> | default = 30s]

querier

The querier configures the GEM querier.

# (advanced) The time after which a metric should be queried from storage and
# not just ingesters. 0 means all queries are sent to store. If this option is
# enabled, the time range of the query sent to the store-gateway will be
# manipulated to ensure the query end is not more recent than 'now -
# query-store-after'.
# CLI flag: -querier.query-store-after
[query_store_after: <duration> | default = 12h]

store_gateway_client:
  # (advanced) Enable TLS for gRPC client connecting to store-gateway.
  # CLI flag: -querier.store-gateway-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -querier.store-gateway-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -querier.store-gateway-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -querier.store-gateway-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -querier.store-gateway-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -querier.store-gateway-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -querier.store-gateway-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -querier.store-gateway-client.tls-min-version
  [tls_min_version: <string> | default = ""]

# (advanced) Fetch in-memory series from the minimum set of required ingesters,
# selecting only ingesters which may have received series since
# -querier.query-ingesters-within. If this setting is false or
# -querier.query-ingesters-within is '0', queriers always query all ingesters
# (ingesters shuffle sharding on read path is disabled).
# CLI flag: -querier.shuffle-sharding-ingesters-enabled
[shuffle_sharding_ingesters_enabled: <boolean> | default = true]

# (advanced) Number of series to buffer per ingester when streaming chunks from
# ingesters.
# CLI flag: -querier.streaming-chunks-per-ingester-buffer-size
[streaming_chunks_per_ingester_series_buffer_size: <int> | default = 256]

# (advanced) Number of series to buffer per store-gateway when streaming chunks
# from store-gateways.
# CLI flag: -querier.streaming-chunks-per-store-gateway-buffer-size
[streaming_chunks_per_store_gateway_series_buffer_size: <int> | default = 256]

# (advanced) If true, when querying ingesters, only the minimum required
# ingesters required to reach quorum will be queried initially, with other
# ingesters queried only if needed due to failures from the initial set of
# ingesters. Enabling this option reduces resource consumption for the happy
# path at the cost of increased latency for the unhappy path.
# CLI flag: -querier.minimize-ingester-requests
[minimize_ingester_requests: <boolean> | default = true]

# (advanced) Delay before initiating requests to further ingesters when request
# minimization is enabled and the initially selected set of ingesters have not
# all responded. Ignored if -querier.minimize-ingester-requests is not enabled.
# CLI flag: -querier.minimize-ingester-requests-hedging-delay
[minimize_ingester_requests_hedging_delay: <duration> | default = 3s]

# (experimental) Query engine to use, either 'prometheus' or 'mimir'
# CLI flag: -querier.query-engine
[query_engine: <string> | default = "prometheus"]

# (experimental) If set to true and the GEM query engine is in use, fall back to
# using the Prometheus query engine for any queries not supported by the GEM
# query engine.
# CLI flag: -querier.enable-query-engine-fallback
[enable_query_engine_fallback: <boolean> | default = true]

# The number of workers running in each querier process. This setting limits the
# maximum number of concurrent queries in each querier. The minimum value is
# four; lower values are ignored and set to the minimum.
# CLI flag: -querier.max-concurrent
[max_concurrent: <int> | default = 20]

# The timeout for a query. This config option should be set on query-frontend
# too when query sharding is enabled. This also applies to queries evaluated by
# the ruler (internally or remotely).
# CLI flag: -querier.timeout
[timeout: <duration> | default = 2m]

# Maximum number of samples a single query can load into memory. This config
# option should be set on query-frontend too when query sharding is enabled.
# CLI flag: -querier.max-samples
[max_samples: <int> | default = 50000000]

# (advanced) The default evaluation interval or step size for subqueries. This
# config option should be set on query-frontend too when query sharding is
# enabled.
# CLI flag: -querier.default-evaluation-interval
[default_evaluation_interval: <duration> | default = 1m]

# (advanced) Time since the last sample after which a time series is considered
# stale and ignored by expression evaluations. This config option should be set
# on query-frontend too when query sharding is enabled.
# CLI flag: -querier.lookback-delta
[lookback_delta: <duration> | default = 5m]

# (experimental) Enable experimental PromQL functions. This config option should
# be set on query-frontend too when query sharding is enabled.
# CLI flag: -querier.promql-experimental-functions-enabled
[promql_experimental_functions_enabled: <boolean> | default = false]

mimir_query_engine:
  # (experimental) Enable support for aggregation operations in Mimir's query
  # engine. Only applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-aggregation-operations
  [enable_aggregation_operations: <boolean> | default = true]

  # (experimental) Enable support for binary operations in Mimir's query engine.
  # Only applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-binary-operations
  [enable_binary_operations: <boolean> | default = true]

  # (experimental) Enable support for offset modifier in Mimir's query engine.
  # Only applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-offset-modifier
  [enable_offset_modifier: <boolean> | default = true]

  # (experimental) Enable support for ..._over_time functions in Mimir's query
  # engine. Only applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-over-time-functions
  [enable_over_time_functions: <boolean> | default = true]

  # (experimental) Enable support for scalars in Mimir's query engine. Only
  # applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-scalars
  [enable_scalars: <boolean> | default = true]

  # (experimental) Enable support for unary negation in Mimir's query engine.
  # Only applies if the GEM query engine is in use.
  # CLI flag: -querier.mimir-query-engine.enable-unary-negation
  [enable_unary_negation: <boolean> | default = true]

query_scheduler

The query_scheduler configures the query-scheduler module.

# Maximum number of outstanding requests per tenant per query-scheduler.
# In-flight requests above this limit will fail with HTTP response status code
# 429.
# CLI flag: -query-scheduler.max-outstanding-requests-per-tenant
[max_outstanding_requests_per_tenant: <int> | default = 100]

# (experimental) When enabled, the query scheduler primarily prioritizes
# dequeuing fairly from queue components and secondarily prioritizes dequeuing
# fairly across tenants. When disabled, the query scheduler primarily
# prioritizes tenant fairness. You must enable the
# `query-scheduler.use-multi-algorithm-query-queue` setting to use this flag.
# CLI flag: -query-scheduler.prioritize-query-components
[prioritize_query_components: <boolean> | default = false]

# (experimental) If a querier disconnects without sending notification about
# graceful shutdown, the query-scheduler will keep the querier in the tenant's
# shard until the forget delay has passed. This feature is useful to reduce the
# blast radius when shuffle-sharding is enabled.
# CLI flag: -query-scheduler.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# This configures the gRPC client used to report errors back to the
# query-frontend.
grpc_client_config:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -query-scheduler.grpc-client-config.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -query-scheduler.grpc-client-config.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -query-scheduler.grpc-client-config.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -query-scheduler.grpc-client-config.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -query-scheduler.grpc-client-config.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -query-scheduler.grpc-client-config.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -query-scheduler.grpc-client-config.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -query-scheduler.grpc-client-config.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -query-scheduler.grpc-client-config.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -query-scheduler.grpc-client-config.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -query-scheduler.grpc-client-config.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -query-scheduler.grpc-client-config.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -query-scheduler.grpc-client-config.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -query-scheduler.grpc-client-config.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -query-scheduler.grpc-client-config.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -query-scheduler.grpc-client-config.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -query-scheduler.grpc-client-config.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -query-scheduler.grpc-client-config.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -query-scheduler.grpc-client-config.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# (experimental) Service discovery mode that query-frontends and queriers use to
# find query-scheduler instances. When query-scheduler ring-based service
# discovery is enabled, this option needs to be set on query-schedulers,
# query-frontends and queriers. Supported values are: dns, ring.
# CLI flag: -query-scheduler.service-discovery-mode
[service_discovery_mode: <string> | default = "dns"]

# The hash ring configuration. The query-schedulers hash ring is used for
# service discovery.
ring:
  # The key-value store used to share the hash ring across multiple instances.
  # When query-scheduler ring-based service discovery is enabled, this option
  # needs to be set on query-schedulers, query-frontends and queriers.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -query-scheduler.ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -query-scheduler.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is: query-scheduler.ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is: query-scheduler.ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -query-scheduler.ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -query-scheduler.ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -query-scheduler.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -query-scheduler.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -query-scheduler.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which query-schedulers are considered
  # unhealthy within the ring. When query-scheduler ring-based service discovery
  # is enabled, this option needs to be set on query-schedulers, query-frontends
  # and queriers.
  # CLI flag: -query-scheduler.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -query-scheduler.ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -query-scheduler.ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -query-scheduler.ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -query-scheduler.ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -query-scheduler.ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

# The maximum number of query-scheduler instances to use, regardless of how many
# replicas are running. This option can be set only when
# -query-scheduler.service-discovery-mode is set to 'ring'. 0 to use all
# available query-scheduler instances.
# CLI flag: -query-scheduler.max-used-instances
[max_used_instances: <int> | default = 0]

frontend

The frontend configures the GEM query-frontend.

# Log queries that are slower than the specified duration. Set to 0 to disable.
# Set to < 0 to enable on all queries.
# CLI flag: -query-frontend.log-queries-longer-than
[log_queries_longer_than: <duration> | default = 0s]

# (advanced) Comma-separated list of request header names to include in query
# logs. Applies to both query stats and slow queries logs.
# CLI flag: -query-frontend.log-query-request-headers
[log_query_request_headers: <string> | default = ""]

# (advanced) Max body size for downstream prometheus.
# CLI flag: -query-frontend.max-body-size
[max_body_size: <int> | default = 10485760]

# (advanced) False to disable query statistics tracking. When enabled, a message
# with some statistics is logged for every query.
# CLI flag: -query-frontend.query-stats-enabled
[query_stats_enabled: <boolean> | default = true]

# (experimental) Timeout for writing active series responses. 0 means the value
# from `-server.http-write-timeout` is used.
# CLI flag: -query-frontend.active-series-write-timeout
[active_series_write_timeout: <duration> | default = 5m]

# (advanced) Maximum number of outstanding requests per tenant per frontend;
# requests beyond this error with HTTP 429.
# CLI flag: -querier.max-outstanding-requests-per-tenant
[max_outstanding_per_tenant: <int> | default = 100]

# (experimental) If a querier disconnects without sending notification about
# graceful shutdown, the query-frontend will keep the querier in the tenant's
# shard until the forget delay has passed. This feature is useful to reduce the
# blast radius when shuffle-sharding is enabled.
# CLI flag: -query-frontend.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# Address of the query-scheduler component, in host:port format. The host should
# resolve to all query-scheduler instances. This option should be set only when
# query-scheduler component is in use and
# -query-scheduler.service-discovery-mode is set to 'dns'.
# CLI flag: -query-frontend.scheduler-address
[scheduler_address: <string> | default = ""]

# (advanced) How often to resolve the scheduler-address, in order to look for
# new query-scheduler instances.
# CLI flag: -query-frontend.scheduler-dns-lookup-period
[scheduler_dns_lookup_period: <duration> | default = 10s]

# (advanced) Number of concurrent workers forwarding queries to single
# query-scheduler.
# CLI flag: -query-frontend.scheduler-worker-concurrency
[scheduler_worker_concurrency: <int> | default = 5]

# Configures the gRPC client used to communicate between the query-frontends and
# the query-schedulers.
grpc_client_config:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -query-frontend.grpc-client-config.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -query-frontend.grpc-client-config.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -query-frontend.grpc-client-config.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -query-frontend.grpc-client-config.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -query-frontend.grpc-client-config.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -query-frontend.grpc-client-config.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -query-frontend.grpc-client-config.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -query-frontend.grpc-client-config.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -query-frontend.grpc-client-config.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -query-frontend.grpc-client-config.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -query-frontend.grpc-client-config.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -query-frontend.grpc-client-config.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -query-frontend.grpc-client-config.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -query-frontend.grpc-client-config.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -query-frontend.grpc-client-config.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -query-frontend.grpc-client-config.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -query-frontend.grpc-client-config.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -query-frontend.grpc-client-config.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -query-frontend.grpc-client-config.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -query-frontend.grpc-client-config.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -query-frontend.grpc-client-config.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -query-frontend.grpc-client-config.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# (advanced) List of network interface names to look up when finding the
# instance IP address. This address is sent to query-scheduler and querier,
# which uses it to send the query response back to query-frontend.
# CLI flag: -query-frontend.instance-interface-names
[instance_interface_names: <list of strings> | default = [<private network interfaces>]]

# (advanced) Enable using an IPv6 instance address (default false).
# CLI flag: -query-frontend.instance-enable-ipv6
[instance_enable_ipv6: <boolean> | default = false]

# (advanced) IP address to advertise to the querier (via scheduler) (default is
# auto-detected from network interfaces).
# CLI flag: -query-frontend.instance-addr
[address: <string> | default = ""]

# (advanced) Port to advertise to querier (via scheduler) (defaults to
# server.grpc-listen-port).
# CLI flag: -query-frontend.instance-port
[port: <int> | default = 0]

# (advanced) Split range queries by an interval and execute in parallel. You
# should use a multiple of 24 hours to optimize querying blocks. 0 to disable
# it.
# CLI flag: -query-frontend.split-queries-by-interval
[split_queries_by_interval: <duration> | default = 24h]

results_cache:
  # Backend for query-frontend results cache, if not empty. Supported values:
  # memcached, redis.
  # CLI flag: -query-frontend.results-cache.backend
  [backend: <string> | default = ""]

  # The memcached block configures the Memcached-based caching backend.
  # The CLI flags prefix for this block configuration is:
  # query-frontend.results-cache
  [memcached: <memcached>]

  # The redis block configures the Redis-based caching backend.
  # The CLI flags prefix for this block configuration is:
  # query-frontend.results-cache
  [redis: <redis>]

  # Enable cache compression, if not empty. Supported values are: snappy.
  # CLI flag: -query-frontend.results-cache.compression
  [compression: <string> | default = ""]

# Cache query results.
# CLI flag: -query-frontend.cache-results
[cache_results: <boolean> | default = false]

# (advanced) Maximum number of retries for a single request; beyond this, the
# downstream error is returned.
# CLI flag: -query-frontend.max-retries-per-request
[max_retries: <int> | default = 5]

# (advanced) Maximum time to wait for the query-frontend to become ready before
# rejecting requests received before the frontend was ready. 0 to disable (i.e.
# fail immediately if a request is received while the frontend is still starting
# up)
# CLI flag: -query-frontend.not-running-timeout
[not_running_timeout: <duration> | default = 2s]

# True to enable query sharding.
# CLI flag: -query-frontend.parallelize-shardable-queries
[parallelize_shardable_queries: <boolean> | default = false]

# (experimental) True to enable pruning dead code (e.g. expressions that cannot
# produce any results) and simplifying expressions (e.g. expressions that can be
# evaluated immediately) in queries.
# CLI flag: -query-frontend.prune-queries
[prune_queries: <boolean> | default = false]

# (advanced) How many series a single sharded partial query should load at most.
# This is not a strict requirement guaranteed to be honoured by query sharding,
# but a hint given to the query sharding when the query execution is initially
# planned. 0 to disable cardinality-based hints.
# CLI flag: -query-frontend.query-sharding-target-series-per-shard
[query_sharding_target_series_per_shard: <int> | default = 0]

# (experimental) True to enable sharding of active series queries.
# CLI flag: -query-frontend.shard-active-series-queries
[shard_active_series_queries: <boolean> | default = false]

# (experimental) Set to true to use the zero-allocation response decoder for
# active series queries.
# CLI flag: -query-frontend.use-active-series-decoder
[use_active_series_decoder: <boolean> | default = false]

# Format to use when retrieving query results from queriers. Supported values:
# json, protobuf
# CLI flag: -query-frontend.query-result-response-format
[query_result_response_format: <string> | default = "protobuf"]

# (advanced) URL of downstream Prometheus.
# CLI flag: -query-frontend.downstream-url
[downstream_url: <string> | default = ""]

ruler

The ruler configures the GEM ruler.

# URL of alerts return path.
# CLI flag: -ruler.external.url
[external_url: <url> | default = ]

# Configures the gRPC client used to communicate between ruler instances.
ruler_client:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -ruler.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -ruler.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -ruler.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ruler.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -ruler.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -ruler.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -ruler.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -ruler.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -ruler.client.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -ruler.client.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -ruler.client.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -ruler.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -ruler.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -ruler.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -ruler.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -ruler.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -ruler.client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -ruler.client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -ruler.client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -ruler.client.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -ruler.client.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# (advanced) How frequently to evaluate rules
# CLI flag: -ruler.evaluation-interval
[evaluation_interval: <duration> | default = 1m]

# (advanced) How frequently the configured rule groups are re-synced from the
# object storage.
# CLI flag: -ruler.poll-interval
[poll_interval: <duration> | default = 10m]

# Directory to store temporary rule files loaded by the Prometheus rule
# managers. This directory is not required to be persisted between restarts.
# CLI flag: -ruler.rule-path
[rule_path: <string> | default = "./data-ruler/"]

# Comma-separated list of URL(s) of the Alertmanager(s) to send notifications
# to. Each URL is treated as a separate group. Multiple Alertmanagers in HA per
# group can be supported by using the DNS service discovery format, including
# the scheme. Basic auth is supported as part of the URL.
# CLI flag: -ruler.alertmanager-url
[alertmanager_url: <string> | default = ""]

# (advanced) How long to wait between refreshing DNS resolutions of Alertmanager
# hosts.
# CLI flag: -ruler.alertmanager-refresh-interval
[alertmanager_refresh_interval: <duration> | default = 1m]

# (advanced) Capacity of the queue for notifications to be sent to the
# Alertmanager.
# CLI flag: -ruler.notification-queue-capacity
[notification_queue_capacity: <int> | default = 10000]

# (advanced) HTTP timeout duration when sending notifications to the
# Alertmanager.
# CLI flag: -ruler.notification-timeout
[notification_timeout: <duration> | default = 10s]

alertmanager_client:
  # (advanced) Enable TLS for gRPC client connecting to alertmanager.
  # CLI flag: -ruler.alertmanager-client.tls-enabled
  [tls_enabled: <boolean> | default = true]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -ruler.alertmanager-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -ruler.alertmanager-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -ruler.alertmanager-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -ruler.alertmanager-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -ruler.alertmanager-client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # HTTP Basic authentication username. It overrides the username set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-username
  [basic_auth_username: <string> | default = ""]

  # HTTP Basic authentication password. It overrides the password set in the URL
  # (if any).
  # CLI flag: -ruler.alertmanager-client.basic-auth-password
  [basic_auth_password: <string> | default = ""]

# (advanced) Max time to tolerate outage for restoring "for" state of alert.
# CLI flag: -ruler.for-outage-tolerance
[for_outage_tolerance: <duration> | default = 1h]

# (advanced) This grace period controls which alerts the ruler restores after a
# restart. Alerts with "for" duration lower than this grace period are not
# restored after a ruler restart. This means that if the alerts have been firing
# before the ruler restarted, they will now go to pending state and then to
# firing again after their "for" duration expires. Alerts with "for" duration
# greater than or equal to this grace period that have been pending before the
# ruler restart will remain in pending state for at least this grace period.
# Alerts with "for" duration greater than or equal to this grace period that
# have been firing before the ruler restart will continue to be firing after the
# restart.
# CLI flag: -ruler.for-grace-period
[for_grace_period: <duration> | default = 2m]

# (advanced) Minimum amount of time to wait before resending an alert to
# Alertmanager.
# CLI flag: -ruler.resend-delay
[resend_delay: <duration> | default = 1m]

ring:
  # The key-value store used to share the hash ring across multiple instances.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -ruler.ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -ruler.ring.prefix
    [prefix: <string> | default = "rulers/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is: ruler.ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is: ruler.ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -ruler.ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -ruler.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -ruler.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which rulers are considered unhealthy
  # within the ring. 0 = never (timeout disabled).
  # CLI flag: -ruler.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -ruler.ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -ruler.ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -ruler.ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -ruler.ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -ruler.ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

  # (advanced) Number of tokens for each ruler.
  # CLI flag: -ruler.ring.num-tokens
  [num_tokens: <int> | default = 128]

# Enable the ruler config API.
# CLI flag: -ruler.enable-api
[enable_api: <boolean> | default = true]

# (advanced) Comma separated list of tenants whose rules this ruler can
# evaluate. If specified, only these tenants will be handled by ruler, otherwise
# this ruler can process rules from all tenants. Subject to sharding.
# CLI flag: -ruler.enabled-tenants
[enabled_tenants: <string> | default = ""]

# (advanced) Comma separated list of tenants whose rules this ruler cannot
# evaluate. If specified, a ruler that would normally pick the specified
# tenant(s) for processing will ignore them instead. Subject to sharding.
# CLI flag: -ruler.disabled-tenants
[disabled_tenants: <string> | default = ""]

# (advanced) Report the wall time for ruler queries to complete as a per-tenant
# metric and as an info level log message.
# CLI flag: -ruler.query-stats-enabled
[query_stats_enabled: <boolean> | default = false]

query_frontend:
  # GRPC listen address of the query-frontend(s). Must be a DNS address
  # (prefixed with dns:///) to enable client side load balancing.
  # CLI flag: -ruler.query-frontend.address
  [address: <string> | default = ""]

  # Configures the gRPC client used to communicate between the rulers and
  # query-frontends.
  grpc_client_config:
    # (advanced) gRPC client max receive message size (bytes).
    # CLI flag: -ruler.query-frontend.grpc-client-config.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # (advanced) gRPC client max send message size (bytes).
    # CLI flag: -ruler.query-frontend.grpc-client-config.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 104857600]

    # (advanced) Use compression when sending messages. Supported values are:
    # 'gzip', 'snappy' and '' (disable compression)
    # CLI flag: -ruler.query-frontend.grpc-client-config.grpc-compression
    [grpc_compression: <string> | default = ""]

    # (advanced) Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -ruler.query-frontend.grpc-client-config.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # (advanced) Rate limit burst for gRPC client.
    # CLI flag: -ruler.query-frontend.grpc-client-config.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # (advanced) Enable backoff and retry when we hit rate limits.
    # CLI flag: -ruler.query-frontend.grpc-client-config.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # (advanced) Minimum delay when backing off.
      # CLI flag: -ruler.query-frontend.grpc-client-config.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # (advanced) Maximum delay when backing off.
      # CLI flag: -ruler.query-frontend.grpc-client-config.backoff-max-period
      [max_period: <duration> | default = 10s]

      # (advanced) Number of times to backoff and retry before failing.
      # CLI flag: -ruler.query-frontend.grpc-client-config.backoff-retries
      [max_retries: <int> | default = 10]

    # (experimental) Initial stream window size. Values less than the default
    # are not supported and are ignored. Setting this to a value other than the
    # default disables the BDP estimator.
    # CLI flag: -ruler.query-frontend.grpc-client-config.initial-stream-window-size
    [initial_stream_window_size: <int> | default = 63KiB1023B]

    # (experimental) Initial connection window size. Values less than the
    # default are not supported and are ignored. Setting this to a value other
    # than the default disables the BDP estimator.
    # CLI flag: -ruler.query-frontend.grpc-client-config.initial-connection-window-size
    [initial_connection_window_size: <int> | default = 63KiB1023B]

    # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled
    # when any other TLS flag is set. If set to false, insecure connection to
    # gRPC server will be used.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-server-name
    [tls_server_name: <string> | default = ""]

    # (advanced) Skip validating server certificate.
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # (advanced) Override the default cipher suite list (separated by commas).
    # Allowed values:
    # 
    # Secure Ciphers:
    # - TLS_AES_128_GCM_SHA256
    # - TLS_AES_256_GCM_SHA384
    # - TLS_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # 
    # Insecure Ciphers:
    # - TLS_RSA_WITH_RC4_128_SHA
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA
    # - TLS_RSA_WITH_AES_256_CBC_SHA
    # - TLS_RSA_WITH_AES_128_CBC_SHA256
    # - TLS_RSA_WITH_AES_128_GCM_SHA256
    # - TLS_RSA_WITH_AES_256_GCM_SHA384
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # (advanced) Override the default minimum TLS version. Allowed values:
    # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -ruler.query-frontend.grpc-client-config.tls-min-version
    [tls_min_version: <string> | default = ""]

    # (advanced) The maximum amount of time to establish a connection. A value
    # of 0 means default gRPC client connect timeout and backoff.
    # CLI flag: -ruler.query-frontend.grpc-client-config.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # (advanced) Initial backoff delay after first connection failure. Only
    # relevant if ConnectTimeout > 0.
    # CLI flag: -ruler.query-frontend.grpc-client-config.connect-backoff-base-delay
    [connect_backoff_base_delay: <duration> | default = 1s]

    # (advanced) Maximum backoff delay when establishing a connection. Only
    # relevant if ConnectTimeout > 0.
    # CLI flag: -ruler.query-frontend.grpc-client-config.connect-backoff-max-delay
    [connect_backoff_max_delay: <duration> | default = 5s]

  # Format to use when retrieving query results from query-frontends. Supported
  # values: json, protobuf
  # CLI flag: -ruler.query-frontend.query-result-response-format
  [query_result_response_format: <string> | default = "protobuf"]

  # Enterprise authorization token to be used on remote rule evaluation.
  # CLI flag: -ruler.query-frontend.auth-token
  [auth_token: <string> | default = ""]

tenant_federation:
  # Enable rule groups to query against multiple tenants. The tenant IDs
  # involved need to be in the rule group's 'source_tenants' field. If this flag
  # is set to 'false' when there are federated rule groups that already exist,
  # then these rule groups will be skipped during evaluations.
  # CLI flag: -ruler.tenant-federation.enabled
  [enabled: <boolean> | default = false]

# (experimental) Interval between sending queued rule sync requests to ruler
# replicas.
# CLI flag: -ruler.outbound-sync-queue-poll-interval
[outbound_sync_queue_poll_interval: <duration> | default = 10s]

# (experimental) Interval between applying queued incoming rule sync requests.
# CLI flag: -ruler.inbound-sync-queue-poll-interval
[inbound_sync_queue_poll_interval: <duration> | default = 10s]

# (experimental) Number of rules that don't have dependencies that we allow to
# be evaluated concurrently across all tenants. 0 to disable.
# CLI flag: -ruler.max-independent-rule-evaluation-concurrency
[max_independent_rule_evaluation_concurrency: <int> | default = 0]

# (experimental) Minimum threshold of the interval to last rule group runtime
# duration to allow a rule to be evaluated concurrently. By default, the rule
# group runtime duration must exceed 50.0% of the evaluation interval.
# CLI flag: -ruler.independent-rule-evaluation-concurrency-min-duration-percentage
[independent_rule_evaluation_concurrency_min_duration_percentage: <float> | default = 50]

# (experimental) Writes the results of rule evaluation to ingesters or ingest
# storage when enabled. Use this option for testing purposes. To disable, set to
# false.
# CLI flag: -ruler.rule-evaluation-write-enabled
[rule_evaluation_write_enabled: <boolean> | default = true]

remote_write:
  # Directory to store WAL (for Ruler Remote Write).
  # CLI flag: -ruler.remote-write.wal-dir
  [wal_dir: <string> | default = "wal"]

  # Enable remote write rules for the Ruler.
  # CLI flag: -ruler.remote-write.enabled
  [enabled: <boolean> | default = false]

  # Frequency for truncating WAL
  # CLI flag: -ruler.remote-write.wal-truncate-frequency
  [wal_truncate_frequency: <duration> | default = 1h]

  # Minimum time to stay in WAL
  # CLI flag: -ruler.remote-write.min-wal-time
  [min_wal_time: <duration> | default = 5m]

  # Maximum time to stay in WAL
  # CLI flag: -ruler.remote-write.max-wal-time
  [max_wal_time: <duration> | default = 4h]
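
The TLS options documented above for ruler_client, alertmanager_client and query_frontend.grpc_client_config, together with alertmanager_url, can be checked mechanically before a deployment. The following is an added example, not GEM code: a Python audit over an already-parsed ruler block (a plain dict) that uses the reference's own "Insecure Ciphers" list. The function names, the sample config, the below-TLS-1.2 policy and the `<prefix>+http` form of a DNS service discovery URL are assumptions of this example.

```python
from urllib.parse import urlsplit

# "Insecure Ciphers" exactly as the reference lists them for tls_cipher_suites.
INSECURE_CIPHERS = frozenset("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split())

# Policy chosen for this example (assumption): flag anything below TLS 1.2.
WEAK_MIN_VERSIONS = {"VersionTLS10", "VersionTLS11"}

# Path of each TLS client block under `ruler` -> its documented tls_enabled default.
TLS_BLOCKS = {
    ("ruler_client",): False,
    ("alertmanager_client",): True,
    ("query_frontend", "grpc_client_config"): False,
}


def dig(cfg, path):
    """Walk nested dicts, treating missing or null blocks as empty."""
    for key in path:
        cfg = cfg.get(key) or {}
    return cfg


def audit_tls_block(name, block, enabled_default):
    """Return (block, option, message) findings for one TLS client block."""
    findings = []
    if not block.get("tls_enabled", enabled_default):
        findings.append((name, "tls_enabled", "TLS is off; the connection is insecure"))
        others = sorted(k for k, v in block.items() if k.startswith("tls_")
                        and k != "tls_enabled" and v not in ("", False, None))
        if others:
            findings.append((name, "tls_enabled",
                             "must be true when other TLS options are set: " + ", ".join(others)))
        return findings
    if block.get("tls_insecure_skip_verify"):
        findings.append((name, "tls_insecure_skip_verify", "server certificate is not validated"))
    suites = {s.strip() for s in (block.get("tls_cipher_suites") or "").split(",")}
    bad = sorted(suites & INSECURE_CIPHERS)
    if bad:
        findings.append((name, "tls_cipher_suites", "insecure ciphers: " + ", ".join(bad)))
    if block.get("tls_min_version") in WEAK_MIN_VERSIONS:
        findings.append((name, "tls_min_version", "minimum TLS version below 1.2"))
    return findings


def audit_alertmanager_url(value):
    """Check each URL of the comma-separated alertmanager_url option."""
    findings = []
    for raw in filter(None, (u.strip() for u in (value or "").split(","))):
        parts = urlsplit(raw)
        host = parts.hostname or "?"
        if parts.username or parts.password:
            findings.append(("ruler", "alertmanager_url",
                             f"credentials embedded in URL for {host}; "
                             "use alertmanager_client.basic_auth_* instead"))
        # Assumed form of a DNS service discovery URL: "<prefix>+http(s)://...".
        if parts.scheme.split("+")[-1] == "http":
            findings.append(("ruler", "alertmanager_url", f"plain HTTP to {host}"))
    return findings


def audit_ruler(ruler):
    """Audit the TLS-related options of a parsed `ruler` block."""
    findings = audit_alertmanager_url(ruler.get("alertmanager_url"))
    for path, default in TLS_BLOCKS.items():
        # The query-frontend client only matters when an address is configured.
        if path[0] == "query_frontend" and not dig(ruler, ("query_frontend",)).get("address"):
            continue
        findings += audit_tls_block(".".join(path), dig(ruler, path), default)
    return findings


# Constructed sample: hosts, paths and credentials are made up for this example.
SAMPLE_RULER = {
    "alertmanager_url": "https://am-a.example.internal:9093,"
                        "http://ops:example-password@am-b.example.internal:9093",
    "ruler_client": {"tls_ca_path": "/etc/gem/ca.pem"},  # tls_enabled left at default
    "alertmanager_client": {
        "tls_insecure_skip_verify": True,
        "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "tls_min_version": "VersionTLS10",
    },
    "query_frontend": {
        "address": "dns:///query-frontend.example.internal:9095",
        "grpc_client_config": {"tls_enabled": True, "tls_min_version": "VersionTLS12",
                               "tls_ca_path": "/etc/gem/ca.pem"},
    },
}

if __name__ == "__main__":
    for block, option, message in audit_ruler(SAMPLE_RULER):
        print(f"{block}.{option}: {message}")
```

The dict can come from any YAML loader applied to the config file or to the output of the /config HTTP path.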

ruler_storage

The ruler_storage configures the GEM ruler storage backend.

# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem, local.
# CLI flag: -ruler-storage.backend
[backend: <string> | default = "filesystem"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -ruler-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue an S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -ruler-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -ruler-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -ruler-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -ruler-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # S3 session token
  # CLI flag: -ruler-storage.s3.session-token
  [session_token: <string> | default = ""]

  # (advanced) If enabled, use http:// for the S3 endpoint instead of https://.
  # This could be useful in local dev/test environments while using an
  # S3-compatible backend storage, like Minio.
  # CLI flag: -ruler-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # (advanced) The signature version to use for authenticating against S3.
  # Supported values are: v4, v2.
  # CLI flag: -ruler-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # (advanced) Use a specific version of the S3 list object API. Supported
  # values are v1 or v2. Default is unset.
  # CLI flag: -ruler-storage.s3.list-objects-version
  [list_objects_version: <string> | default = ""]

  # (advanced) Bucket lookup style type, used to access bucket in S3-compatible
  # service. Default is auto. Supported values are: auto, path, virtual-hosted.
  # CLI flag: -ruler-storage.s3.bucket-lookup-type
  [bucket_lookup_type: <string> | default = "auto"]

  # (experimental) When enabled, direct all AWS S3 requests to the dual-stack
  # IPv4/IPv6 endpoint for the configured region.
  # CLI flag: -ruler-storage.s3.dualstack-enabled
  [dualstack_enabled: <boolean> | default = true]

  # (experimental) The S3 storage class to use, not set by default. Details can
  # be found at https://aws.amazon.com/s3/storage-classes/. Supported values
  # are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA, ONEZONE_IA,
  # INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
  # CLI flag: -ruler-storage.s3.storage-class
  [storage_class: <string> | default = ""]

  # (experimental) If enabled, it will use the default authentication methods of
  # the AWS SDK for Go based on known environment variables and known AWS config
  # files.
  # CLI flag: -ruler-storage.s3.native-aws-auth-enabled
  [native_aws_auth_enabled: <boolean> | default = false]

  # (experimental) The minimum file size in bytes used for multipart uploads. If
  # 0, the value is optimally computed for each object.
  # CLI flag: -ruler-storage.s3.part-size
  [part_size: <int> | default = 0]

  # (experimental) If enabled, a Content-MD5 header is sent with S3 Put Object
  # requests. Consumes more resources to compute the MD5, but may improve
  # compatibility with object storage services that do not support checksums.
  # CLI flag: -ruler-storage.s3.send-content-md5
  [send_content_md5: <boolean> | default = false]

  # Accessing S3 resources using temporary, secure credentials provided by AWS
  # Security Token Service.
  # CLI flag: -ruler-storage.s3.sts-endpoint
  [sts_endpoint: <string> | default = ""]

  # The s3_sse configures the S3 server-side encryption.
  # The CLI flags prefix for this block configuration is: ruler-storage
  [sse: <s3_sse>]

  http:
    # (advanced) The time an idle connection will remain idle before closing.
    # CLI flag: -ruler-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # (advanced) The amount of time the client will wait for a server's response
    # headers.
    # CLI flag: -ruler-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # (advanced) If the client connects to S3 via HTTPS and this option is
    # enabled, the client will accept any certificate and hostname.
    # CLI flag: -ruler-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -ruler-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # (advanced) The time to wait for a server's first response headers after
    # fully writing the request headers if the request has an Expect header. 0
    # to send the request body immediately.
    # CLI flag: -ruler-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # (advanced) Maximum number of idle (keep-alive) connections across all
    # hosts. 0 means no limit.
    # CLI flag: -ruler-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # (advanced) Maximum number of idle (keep-alive) connections to keep
    # per-host. If 0, a built-in default value is used.
    # CLI flag: -ruler-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # (advanced) Maximum number of connections per host. 0 means no limit.
    # CLI flag: -ruler-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -ruler-storage.s3.http.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -ruler-storage.s3.http.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -ruler-storage.s3.http.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -ruler-storage.s3.http.tls-server-name
    [tls_server_name: <string> | default = ""]

  trace:
    # (advanced) When enabled, low-level S3 HTTP operation information is logged
    # at the debug level.
    # CLI flag: -ruler-storage.s3.trace.enabled
    [enabled: <boolean> | default = false]

gcs:
  # GCS bucket name
  # CLI flag: -ruler-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON either from a Google Developers Console client_credentials.json file,
  # or a Google Developers service account key. Needs to be valid JSON, not a
  # filesystem path. If empty, falls back to Google default logic:
  # 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
  # environment variable. For workload identity federation, refer to
  # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
  # on how to generate the JSON configuration file for on-prem/non-Google cloud
  # platforms.
  # 2. A JSON file in a location known to the gcloud command-line tool:
  # $HOME/.config/gcloud/application_default_credentials.json.
  # 3. On Google Compute Engine it fetches credentials from the metadata server.
  # CLI flag: -ruler-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -ruler-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key. If unset, Azure managed identities will be used
  # for authentication instead.
  # CLI flag: -ruler-storage.azure.account-key
  [account_key: <string> | default = ""]

  # If `connection-string` is set, the value of `endpoint-suffix` will not be
  # used. Use this method over `account-key` if you need to authenticate via a
  # SAS token or if you use the Azurite emulator.
  # CLI flag: -ruler-storage.azure.connection-string
  [connection_string: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -ruler-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN. If set to empty string, default
  # endpoint suffix is used.
  # CLI flag: -ruler-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # (advanced) Number of retries for recoverable errors
  # CLI flag: -ruler-storage.azure.max-retries
  [max_retries: <int> | default = 20]

  # (advanced) User assigned managed identity. If empty, then System assigned
  # identity is used.
  # CLI flag: -ruler-storage.azure.user-assigned-id
  [user_assigned_id: <string> | default = ""]

swift:
  # OpenStack Swift application credential id
  # CLI flag: -ruler-storage.swift.application-credential-id
  [application_credential_id: <string> | default = ""]

  # OpenStack Swift application credential name
  # CLI flag: -ruler-storage.swift.application-credential-name
  [application_credential_name: <string> | default = ""]

  # OpenStack Swift application credential secret
  # CLI flag: -ruler-storage.swift.application-credential-secret
  [application_credential_secret: <string> | default = ""]

  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -ruler-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -ruler-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -ruler-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -ruler-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -ruler-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -ruler-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -ruler-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -ruler-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -ruler-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs from the user domain.
  # CLI flag: -ruler-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -ruler-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -ruler-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -ruler-storage.swift.container-name
  [container_name: <string> | default = ""]

  # (advanced) Max retries on requests error.
  # CLI flag: -ruler-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # (advanced) Time after which a connection attempt is aborted.
  # CLI flag: -ruler-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # (advanced) Time after which an idle request is aborted. The timeout watchdog
  # is reset each time some data is received, so the timeout triggers once no
  # data has been received on a request for the configured time.
  # CLI flag: -ruler-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -ruler-storage.filesystem.dir
  [dir: <string> | default = "ruler"]

# Prefix for all objects stored in the backend storage. For simplicity, it may
# only contain digits and English alphabet letters.
# CLI flag: -ruler-storage.storage-prefix
[storage_prefix: <string> | default = ""]

local:
  # Directory to scan for rules
  # CLI flag: -ruler-storage.local.directory
  [directory: <string> | default = ""]

cache:
  # Backend for ruler storage cache, if not empty. The cache is supported for
  # any storage backend except "local". Supported values: memcached, redis.
  # CLI flag: -ruler-storage.cache.backend
  [backend: <string> | default = ""]

  # The memcached block configures the Memcached-based caching backend.
  # The CLI flags prefix for this block configuration is: ruler-storage.cache
  [memcached: <memcached>]

  # The redis block configures the Redis-based caching backend.
  # The CLI flags prefix for this block configuration is: ruler-storage.cache
  [redis: <redis>]

alertmanager

The alertmanager block configures the GEM alertmanager.

# Directory to store Alertmanager state and temporary configuration files. The
# content of this directory is not required to be persisted between restarts
# unless Alertmanager replication has been disabled.
# CLI flag: -alertmanager.storage.path
[data_dir: <string> | default = "./data-alertmanager/"]

# (advanced) How long to store stateful data (notification logs and silences).
# For notification log entries, this is how long entries are kept before they
# expire and are deleted. For silences, this is how long tenants can view
# silences after they expire and are deleted.
# CLI flag: -alertmanager.storage.retention
[retention: <duration> | default = 120h]

# The URL under which Alertmanager is externally reachable (for example, it
# could differ from -http.alertmanager-http-prefix if Alertmanager is served
# via a reverse proxy). This setting is used both to configure the internal
# requests router and to generate links in alert templates. If the external URL
# has a path portion, it will be used to prefix all HTTP endpoints served by
# Alertmanager, both the UI and API.
# CLI flag: -alertmanager.web.external-url
[external_url: <url> | default = http://localhost:8080/alertmanager]

# (advanced) How frequently to poll Alertmanager configs.
# CLI flag: -alertmanager.configs.poll-interval
[poll_interval: <duration> | default = 15s]

# (advanced) Maximum size (bytes) of an accepted HTTP request body.
# CLI flag: -alertmanager.max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]

sharding_ring:
  # The key-value store used to share the hash ring across multiple instances.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -alertmanager.sharding-ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -alertmanager.sharding-ring.prefix
    [prefix: <string> | default = "alertmanagers/"]

    # The consul block configures the consul client.
    # The CLI flags prefix for this block configuration is:
    # alertmanager.sharding-ring
    [consul: <consul>]

    # The etcd block configures the etcd client.
    # The CLI flags prefix for this block configuration is:
    # alertmanager.sharding-ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -alertmanager.sharding-ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -alertmanager.sharding-ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -alertmanager.sharding-ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -alertmanager.sharding-ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -alertmanager.sharding-ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which alertmanagers are considered
  # unhealthy within the ring. 0 = never (timeout disabled).
  # CLI flag: -alertmanager.sharding-ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -alertmanager.sharding-ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -alertmanager.sharding-ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -alertmanager.sharding-ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -alertmanager.sharding-ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -alertmanager.sharding-ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

  # (advanced) The replication factor to use when sharding the alertmanager.
  # CLI flag: -alertmanager.sharding-ring.replication-factor
  [replication_factor: <int> | default = 3]

  # (advanced) True to enable zone-awareness and replicate alerts across
  # different availability zones.
  # CLI flag: -alertmanager.sharding-ring.zone-awareness-enabled
  [zone_awareness_enabled: <boolean> | default = false]

  # (advanced) The availability zone where this instance is running. Required if
  # zone-awareness is enabled.
  # CLI flag: -alertmanager.sharding-ring.instance-availability-zone
  [instance_availability_zone: <string> | default = ""]

# Filename of fallback config to use if none specified for instance.
# CLI flag: -alertmanager.configs.fallback
[fallback_config_file: <string> | default = ""]

# (advanced) Time to wait between peers to send notifications.
# CLI flag: -alertmanager.peer-timeout
[peer_timeout: <duration> | default = 15s]

# (advanced) Enable the alertmanager config API.
# CLI flag: -alertmanager.enable-api
[enable_api: <boolean> | default = true]

# (experimental) Enable routes to support the migration and operation of the
# Grafana Alertmanager.
# CLI flag: -alertmanager.grafana-alertmanager-compatibility-enabled
[grafana_alertmanager_compatibility_enabled: <boolean> | default = false]

# (advanced) Maximum number of concurrent GET requests allowed per tenant. The
# zero value (and negative values) result in a limit of GOMAXPROCS or 8,
# whichever is larger. Status code 503 is served for GET requests that would
# exceed the concurrency limit.
# CLI flag: -alertmanager.max-concurrent-get-requests-per-tenant
[max_concurrent_get_requests_per_tenant: <int> | default = 0]

alertmanager_client:
  # (advanced) Timeout for downstream alertmanagers.
  # CLI flag: -alertmanager.alertmanager-client.remote-timeout
  [remote_timeout: <duration> | default = 2s]

  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -alertmanager.alertmanager-client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -alertmanager.alertmanager-client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -alertmanager.alertmanager-client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -alertmanager.alertmanager-client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -alertmanager.alertmanager-client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -alertmanager.alertmanager-client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -alertmanager.alertmanager-client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -alertmanager.alertmanager-client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -alertmanager.alertmanager-client.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -alertmanager.alertmanager-client.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -alertmanager.alertmanager-client.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -alertmanager.alertmanager-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -alertmanager.alertmanager-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -alertmanager.alertmanager-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -alertmanager.alertmanager-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -alertmanager.alertmanager-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -alertmanager.alertmanager-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -alertmanager.alertmanager-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -alertmanager.alertmanager-client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -alertmanager.alertmanager-client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -alertmanager.alertmanager-client.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -alertmanager.alertmanager-client.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# (advanced) The interval between persisting the current alertmanager state
# (notification log and silences) to object storage. This is only used when
# sharding is enabled. This state is read when all replicas for a shard cannot
# be contacted. In this scenario, having persisted the state more frequently
# will result in potentially fewer lost silences, and fewer duplicate
# notifications.
# CLI flag: -alertmanager.persist-interval
[persist_interval: <duration> | default = 15m]

# (advanced) Enables periodic cleanup of alertmanager stateful data
# (notification logs and silences) from object storage. When enabled, data is
# removed for any tenant that does not have a configuration.
# CLI flag: -alertmanager.enable-state-cleanup
[enable_state_cleanup: <boolean> | default = true]

# (experimental) Enable UTF-8 strict mode. Allows UTF-8 characters in the
# matchers for routes and inhibition rules, in silences, and in the labels for
# alerts. It is recommended that all tenants run the `migrate-utf8` command in
# mimirtool before enabling this mode. Otherwise, some tenant configurations
# might fail to load. To identify tenants with incompatible configurations,
# search GEM server logs for lines containing `Alertmanager is moving to a new
# parser for labels and matchers, and this input is incompatible`. To find
# tenant configurations that are valid but contain ambiguous matchers, search
# for log lines containing `Matchers input has disagreement`. Each log line
# includes the invalid input, a suggestion on how to fix the input (excluding
# ambiguous matchers, as these require manual correction), and the ID of the
# affected tenant. You must run GEM with debug-level logging enabled. Otherwise,
# these lines aren't logged. For more information, refer to
# https://prometheus.io/docs/alerting/latest/configuration/#label-matchers.
# Enabling and then disabling UTF-8 strict mode can break existing Alertmanager
# configurations if tenants added UTF-8 characters to their Alertmanager
# configuration while it was enabled.
# CLI flag: -alertmanager.utf8-strict-mode-enabled
[utf8_strict_mode: <boolean> | default = false]

# (experimental) Enable logging when parsing label matchers. This flag is
# intended to be used with -alertmanager.utf8-strict-mode-enabled to validate
# UTF-8 strict mode is working as intended.
# CLI flag: -alertmanager.log-parsing-label-matchers
[log_parsing_label_matchers: <boolean> | default = false]

# (experimental) Enable logging of tenant configurations that are incompatible
# with UTF-8 strict mode.
# CLI flag: -alertmanager.utf8-migration-logging-enabled
[utf8_migration_logging: <boolean> | default = false]
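
The following added example (not part of the GEM documentation or code base) audits a config for the TLS settings documented in the alertmanager_client block above: disabled certificate validation, a weak tls_min_version, cipher suites from the "Insecure Ciphers" list, and TLS options set while tls_enabled is not true. The sample configs, the file paths in them, the function names and the minimal YAML-subset parser are assumptions made for the example, and treating VersionTLS10 and VersionTLS11 as findings is the example's own policy.

```python
# Added example: audit TLS-related keys in a GEM-style YAML config.
# Cipher suite names are copied from the tls_cipher_suites reference above.
SECURE_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
INSECURE_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
WEAK_MIN_VERSIONS = {"VersionTLS10", "VersionTLS11"}  # policy chosen for this example
SKIP_VERIFY_KEYS = {"insecure_skip_verify", "tls_insecure_skip_verify"}
GRPC_CLIENT_BLOCKS = {"alertmanager_client"}  # blocks that have a tls_enabled switch

# Constructed sample configs (file paths are placeholders): weak first, then hardened.
SAMPLE_CONFIG = """\
alertmanager:
  alertmanager_client:
    tls_enabled: false
    tls_ca_path: /etc/gem/ca.pem
    tls_min_version: VersionTLS10
    tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA
    tls_insecure_skip_verify: true
alertmanager_storage:
  s3:
    http:
      insecure_skip_verify: true
"""
HARDENED_CONFIG = """\
alertmanager:
  alertmanager_client:
    tls_enabled: true
    tls_ca_path: /etc/gem/ca.pem
    tls_min_version: VersionTLS12
    tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

def parse_simple_yaml(text):
    """Parse a small YAML subset: space-indented nested mappings with scalar values."""
    root = {}
    stack = [(-1, root)]  # (indentation, mapping) of the currently open blocks
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close blocks we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip("\"'")
    return root

def check_tls_enabled(block, path):
    """tls_enabled must be true whenever any other TLS option of the client is set."""
    if block.get("tls_enabled", "false") == "true":
        return []
    set_keys = sorted(k for k, v in block.items() if k.startswith("tls_")
                      and k != "tls_enabled" and v not in ("", "false"))
    msg = f"TLS options set ({', '.join(set_keys)}) but tls_enabled is not true"
    return [(f"{path}.tls_enabled", msg)] if set_keys else []

def audit(config, path=""):
    """Return a list of (dotted key path, message) findings for a parsed config."""
    findings = []
    for key, value in config.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            if key in GRPC_CLIENT_BLOCKS:
                findings += check_tls_enabled(value, here)
            findings += audit(value, here)
        elif key in SKIP_VERIFY_KEYS and value == "true":
            findings.append((here, "server certificate validation is disabled"))
        elif key == "tls_min_version" and value in WEAK_MIN_VERSIONS:
            findings.append((here, f"minimum TLS version {value} is below VersionTLS12"))
        elif key == "tls_cipher_suites":
            for name in filter(None, (s.strip() for s in value.split(","))):
                if name in INSECURE_CIPHERS:
                    findings.append((here, f"insecure cipher suite {name}"))
                elif name not in SECURE_CIPHERS:
                    findings.append((here, f"unknown cipher suite {name}"))
    return findings

if __name__ == "__main__":
    for key_path, message in audit(parse_simple_yaml(SAMPLE_CONFIG)):
        print(f"{key_path}: {message}")
```

For real config files, replace parse_simple_yaml with a full YAML parser; the parser here only handles nested mappings with scalar values.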

alertmanager_storage

The alertmanager_storage block configures the GEM alertmanager storage backend.

# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem, local.
# CLI flag: -alertmanager-storage.backend
[backend: <string> | default = "filesystem"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -alertmanager-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue an S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -alertmanager-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -alertmanager-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -alertmanager-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -alertmanager-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # S3 session token
  # CLI flag: -alertmanager-storage.s3.session-token
  [session_token: <string> | default = ""]

  # (advanced) If enabled, use http:// for the S3 endpoint instead of https://.
  # This could be useful in local dev/test environments while using an
  # S3-compatible backend storage, like Minio.
  # CLI flag: -alertmanager-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # (advanced) The signature version to use for authenticating against S3.
  # Supported values are: v4, v2.
  # CLI flag: -alertmanager-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # (advanced) Use a specific version of the S3 list object API. Supported
  # values are v1 or v2. Default is unset.
  # CLI flag: -alertmanager-storage.s3.list-objects-version
  [list_objects_version: <string> | default = ""]

  # (advanced) Bucket lookup style type, used to access bucket in S3-compatible
  # service. Default is auto. Supported values are: auto, path, virtual-hosted.
  # CLI flag: -alertmanager-storage.s3.bucket-lookup-type
  [bucket_lookup_type: <string> | default = "auto"]

  # (experimental) When enabled, direct all AWS S3 requests to the dual-stack
  # IPv4/IPv6 endpoint for the configured region.
  # CLI flag: -alertmanager-storage.s3.dualstack-enabled
  [dualstack_enabled: <boolean> | default = true]

  # (experimental) The S3 storage class to use, not set by default. Details can
  # be found at https://aws.amazon.com/s3/storage-classes/. Supported values
  # are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA, ONEZONE_IA,
  # INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
  # CLI flag: -alertmanager-storage.s3.storage-class
  [storage_class: <string> | default = ""]

  # (experimental) If enabled, it will use the default authentication methods of
  # the AWS SDK for Go based on known environment variables and known AWS config
  # files.
  # CLI flag: -alertmanager-storage.s3.native-aws-auth-enabled
  [native_aws_auth_enabled: <boolean> | default = false]

  # (experimental) The minimum file size in bytes used for multipart uploads. If
  # 0, the value is optimally computed for each object.
  # CLI flag: -alertmanager-storage.s3.part-size
  [part_size: <int> | default = 0]

  # (experimental) If enabled, a Content-MD5 header is sent with S3 Put Object
  # requests. Consumes more resources to compute the MD5, but may improve
  # compatibility with object storage services that do not support checksums.
  # CLI flag: -alertmanager-storage.s3.send-content-md5
  [send_content_md5: <boolean> | default = false]

  # Accessing S3 resources using temporary, secure credentials provided by AWS
  # Security Token Service.
  # CLI flag: -alertmanager-storage.s3.sts-endpoint
  [sts_endpoint: <string> | default = ""]

  # The s3_sse block configures the S3 server-side encryption.
  # The CLI flags prefix for this block configuration is: alertmanager-storage
  [sse: <s3_sse>]

  http:
    # (advanced) The time an idle connection will remain idle before closing.
    # CLI flag: -alertmanager-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # (advanced) The amount of time the client will wait for a server's response
    # headers.
    # CLI flag: -alertmanager-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # (advanced) If the client connects to S3 via HTTPS and this option is
    # enabled, the client will accept any certificate and hostname.
    # CLI flag: -alertmanager-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -alertmanager-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # (advanced) The time to wait for a server's first response headers after
    # fully writing the request headers if the request has an Expect header. 0
    # to send the request body immediately.
    # CLI flag: -alertmanager-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # (advanced) Maximum number of idle (keep-alive) connections across all
    # hosts. 0 means no limit.
    # CLI flag: -alertmanager-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # (advanced) Maximum number of idle (keep-alive) connections to keep
    # per-host. If 0, a built-in default value is used.
    # CLI flag: -alertmanager-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # (advanced) Maximum number of connections per host. 0 means no limit.
    # CLI flag: -alertmanager-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -alertmanager-storage.s3.http.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -alertmanager-storage.s3.http.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -alertmanager-storage.s3.http.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -alertmanager-storage.s3.http.tls-server-name
    [tls_server_name: <string> | default = ""]

  trace:
    # (advanced) When enabled, low-level S3 HTTP operation information is logged
    # at the debug level.
    # CLI flag: -alertmanager-storage.s3.trace.enabled
    [enabled: <boolean> | default = false]

gcs:
  # GCS bucket name
  # CLI flag: -alertmanager-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON either from a Google Developers Console client_credentials.json file,
  # or a Google Developers service account key. Needs to be valid JSON, not a
  # filesystem path. If empty, falls back to Google default logic:
  # 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
  # environment variable. For workload identity federation, refer to
  # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
  # on how to generate the JSON configuration file for on-prem/non-Google cloud
  # platforms.
  # 2. A JSON file in a location known to the gcloud command-line tool:
  # $HOME/.config/gcloud/application_default_credentials.json.
  # 3. On Google Compute Engine it fetches credentials from the metadata server.
  # CLI flag: -alertmanager-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -alertmanager-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key. If unset, Azure managed identities will be used
  # for authentication instead.
  # CLI flag: -alertmanager-storage.azure.account-key
  [account_key: <string> | default = ""]

  # If `connection-string` is set, the value of `endpoint-suffix` will not be
  # used. Use this method over `account-key` if you need to authenticate via a
  # SAS token or if you use the Azurite emulator.
  # CLI flag: -alertmanager-storage.azure.connection-string
  [connection_string: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -alertmanager-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN. If set to empty string, default
  # endpoint suffix is used.
  # CLI flag: -alertmanager-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # (advanced) Number of retries for recoverable errors
  # CLI flag: -alertmanager-storage.azure.max-retries
  [max_retries: <int> | default = 20]

  # (advanced) User assigned managed identity. If empty, then System assigned
  # identity is used.
  # CLI flag: -alertmanager-storage.azure.user-assigned-id
  [user_assigned_id: <string> | default = ""]

swift:
  # OpenStack Swift application credential id
  # CLI flag: -alertmanager-storage.swift.application-credential-id
  [application_credential_id: <string> | default = ""]

  # OpenStack Swift application credential name
  # CLI flag: -alertmanager-storage.swift.application-credential-name
  [application_credential_name: <string> | default = ""]

  # OpenStack Swift application credential secret
  # CLI flag: -alertmanager-storage.swift.application-credential-secret
  [application_credential_secret: <string> | default = ""]

  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -alertmanager-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -alertmanager-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -alertmanager-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -alertmanager-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -alertmanager-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -alertmanager-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -alertmanager-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -alertmanager-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -alertmanager-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs from the user domain.
  # CLI flag: -alertmanager-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -alertmanager-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -alertmanager-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -alertmanager-storage.swift.container-name
  [container_name: <string> | default = ""]

  # (advanced) Max retries on requests error.
  # CLI flag: -alertmanager-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # (advanced) Time after which a connection attempt is aborted.
  # CLI flag: -alertmanager-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # (advanced) Time after which an idle request is aborted. The timeout watchdog
  # is reset each time some data is received, so the timeout triggers only after
  # no data has been received on a request for this long.
  # CLI flag: -alertmanager-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -alertmanager-storage.filesystem.dir
  [dir: <string> | default = "alertmanager"]

# Prefix for all objects stored in the backend storage. For simplicity, it may
# only contain digits and English alphabet letters.
# CLI flag: -alertmanager-storage.storage-prefix
[storage_prefix: <string> | default = ""]

local:
  # Path at which alertmanager configurations are stored.
  # CLI flag: -alertmanager-storage.local.path
  [path: <string> | default = ""]

ingester_client

The ingester_client configures how the GEM distributors connect to the ingesters.

# Configures the gRPC client used to communicate with ingesters from
# distributors, queriers and rulers.
grpc_client_config:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -ingester.client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -ingester.client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -ingester.client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -ingester.client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -ingester.client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -ingester.client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -ingester.client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -ingester.client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -ingester.client.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -ingester.client.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -ingester.client.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -ingester.client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -ingester.client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -ingester.client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -ingester.client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -ingester.client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -ingester.client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -ingester.client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -ingester.client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -ingester.client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -ingester.client.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -ingester.client.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

frontend_worker

The frontend_worker configures the worker - running within the GEM querier - picking up and executing queries enqueued by the query-frontend or query-scheduler.

# Address of the query-frontend component, in host:port format. If multiple
# query-frontends are running, the host should be a DNS name resolving to all
# query-frontend instances. This option should be set only when query-scheduler
# component is not in use.
# CLI flag: -querier.frontend-address
[frontend_address: <string> | default = ""]

# Address of the query-scheduler component, in host:port format. The host should
# resolve to all query-scheduler instances. This option should be set only when
# query-scheduler component is in use and
# -query-scheduler.service-discovery-mode is set to 'dns'.
# CLI flag: -querier.scheduler-address
[scheduler_address: <string> | default = ""]

# (advanced) How often to query DNS for query-frontend or query-scheduler
# address.
# CLI flag: -querier.dns-lookup-period
[dns_lookup_duration: <duration> | default = 10s]

# (advanced) Querier ID, sent to the query-frontend to identify requests from
# the same querier. Defaults to hostname.
# CLI flag: -querier.id
[id: <string> | default = ""]

# Configures the gRPC client used to communicate between the querier and the
# query-frontend.
grpc_client_config:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -querier.frontend-client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -querier.frontend-client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -querier.frontend-client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -querier.frontend-client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -querier.frontend-client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -querier.frontend-client.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -querier.frontend-client.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -querier.frontend-client.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -querier.frontend-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -querier.frontend-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -querier.frontend-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -querier.frontend-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -querier.frontend-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -querier.frontend-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -querier.frontend-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -querier.frontend-client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -querier.frontend-client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -querier.frontend-client.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -querier.frontend-client.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# Configures the gRPC client used to communicate between the querier and the
# query-scheduler.
query_scheduler_grpc_client_config:
  # (advanced) gRPC client max receive message size (bytes).
  # CLI flag: -querier.scheduler-client.grpc-max-recv-msg-size
  [max_recv_msg_size: <int> | default = 104857600]

  # (advanced) gRPC client max send message size (bytes).
  # CLI flag: -querier.scheduler-client.grpc-max-send-msg-size
  [max_send_msg_size: <int> | default = 104857600]

  # (advanced) Use compression when sending messages. Supported values are:
  # 'gzip', 'snappy' and '' (disable compression)
  # CLI flag: -querier.scheduler-client.grpc-compression
  [grpc_compression: <string> | default = ""]

  # (advanced) Rate limit for gRPC client; 0 means disabled.
  # CLI flag: -querier.scheduler-client.grpc-client-rate-limit
  [rate_limit: <float> | default = 0]

  # (advanced) Rate limit burst for gRPC client.
  # CLI flag: -querier.scheduler-client.grpc-client-rate-limit-burst
  [rate_limit_burst: <int> | default = 0]

  # (advanced) Enable backoff and retry when we hit rate limits.
  # CLI flag: -querier.scheduler-client.backoff-on-ratelimits
  [backoff_on_ratelimits: <boolean> | default = false]

  backoff_config:
    # (advanced) Minimum delay when backing off.
    # CLI flag: -querier.scheduler-client.backoff-min-period
    [min_period: <duration> | default = 100ms]

    # (advanced) Maximum delay when backing off.
    # CLI flag: -querier.scheduler-client.backoff-max-period
    [max_period: <duration> | default = 10s]

    # (advanced) Number of times to backoff and retry before failing.
    # CLI flag: -querier.scheduler-client.backoff-retries
    [max_retries: <int> | default = 10]

  # (experimental) Initial stream window size. Values less than the default are
  # not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -querier.scheduler-client.initial-stream-window-size
  [initial_stream_window_size: <int> | default = 63KiB1023B]

  # (experimental) Initial connection window size. Values less than the default
  # are not supported and are ignored. Setting this to a value other than the
  # default disables the BDP estimator.
  # CLI flag: -querier.scheduler-client.initial-connection-window-size
  [initial_connection_window_size: <int> | default = 63KiB1023B]

  # (advanced) Enable TLS in the gRPC client. This flag needs to be enabled when
  # any other TLS flag is set. If set to false, insecure connection to gRPC
  # server will be used.
  # CLI flag: -querier.scheduler-client.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # (advanced) Path to the client certificate, which will be used for
  # authenticating with the server. Also requires the key path to be configured.
  # CLI flag: -querier.scheduler-client.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # (advanced) Path to the key for the client certificate. Also requires the
  # client certificate to be configured.
  # CLI flag: -querier.scheduler-client.tls-key-path
  [tls_key_path: <string> | default = ""]

  # (advanced) Path to the CA certificates to validate server certificate
  # against. If not set, the host's root CA certificates are used.
  # CLI flag: -querier.scheduler-client.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # (advanced) Override the expected name on the server certificate.
  # CLI flag: -querier.scheduler-client.tls-server-name
  [tls_server_name: <string> | default = ""]

  # (advanced) Skip validating server certificate.
  # CLI flag: -querier.scheduler-client.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # (advanced) Override the default cipher suite list (separated by commas).
  # Allowed values:
  # 
  # Secure Ciphers:
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -querier.scheduler-client.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # (advanced) Override the default minimum TLS version. Allowed values:
  # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -querier.scheduler-client.tls-min-version
  [tls_min_version: <string> | default = ""]

  # (advanced) The maximum amount of time to establish a connection. A value of
  # 0 means default gRPC client connect timeout and backoff.
  # CLI flag: -querier.scheduler-client.connect-timeout
  [connect_timeout: <duration> | default = 5s]

  # (advanced) Initial backoff delay after first connection failure. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -querier.scheduler-client.connect-backoff-base-delay
  [connect_backoff_base_delay: <duration> | default = 1s]

  # (advanced) Maximum backoff delay when establishing a connection. Only
  # relevant if ConnectTimeout > 0.
  # CLI flag: -querier.scheduler-client.connect-backoff-max-delay
  [connect_backoff_max_delay: <duration> | default = 5s]

# (experimental) Enables streaming of responses from querier to query-frontend
# for response types that support it (currently only `active_series` responses
# do).
# CLI flag: -querier.response-streaming-enabled
[response_streaming_enabled: <boolean> | default = false]
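
The TLS flags of the gRPC client blocks above (`-ingester.client.*`, `-querier.frontend-client.*`, `-querier.scheduler-client.*`) can be checked before rollout. The Go program below is an added example, not part of GEM or of this reference: it audits a component's command line against the rules stated in the comments above. `Finding`, `AuditTLSFlags`, the rule names and the sample arguments are hypothetical, and treating `VersionTLS10`/`VersionTLS11` as weak follows RFC 8996 rather than this page.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding is one audit result (hypothetical type, not part of GEM).
type Finding struct{ Prefix, Rule, Detail string }

// Suites this page lists under "Insecure Ciphers".
var insecureCiphers = map[string]bool{
	"TLS_RSA_WITH_RC4_128_SHA": true, "TLS_RSA_WITH_3DES_EDE_CBC_SHA": true, "TLS_RSA_WITH_AES_128_CBC_SHA": true,
	"TLS_RSA_WITH_AES_256_CBC_SHA": true, "TLS_RSA_WITH_AES_128_CBC_SHA256": true, "TLS_RSA_WITH_AES_128_GCM_SHA256": true,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": true, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": true, "TLS_ECDHE_RSA_WITH_RC4_128_SHA": true,
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": true,
}

// TLS flag suffixes from this page; true marks booleans, which Go's flag package accepts bare.
var tlsSuffixes = map[string]bool{
	"tls-enabled": true, "tls-insecure-skip-verify": true, "tls-cert-path": false,
	"tls-key-path": false, "tls-ca-path": false, "tls-server-name": false,
	"tls-cipher-suites": false, "tls-min-version": false,
}

// Constructed command line for illustration; the file paths are placeholders.
var sampleArgs = []string{
	"-config.file=/etc/gem/config.yaml",
	"-ingester.client.tls-enabled", "-ingester.client.tls-min-version", "VersionTLS10",
	"-ingester.client.tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA",
	"-querier.frontend-client.tls-ca-path=/etc/gem/ca.pem",
	"-querier.scheduler-client.tls-enabled=true", "-querier.scheduler-client.tls-insecure-skip-verify=true",
	"-querier.scheduler-client.tls-cert-path=/etc/gem/client.pem",
}

// parseTLSFlags groups TLS flags by client prefix: prefix -> suffix -> value.
func parseTLSFlags(args []string) map[string]map[string]string {
	out := map[string]map[string]string{}
	for i := 0; i < len(args); i++ {
		if !strings.HasPrefix(args[i], "-") {
			continue // not a flag
		}
		name, value, hasValue := strings.Cut(strings.TrimLeft(args[i], "-"), "=")
		dot := strings.LastIndex(name, ".")
		isBool, known := tlsSuffixes[name[dot+1:]]
		if dot < 0 || !known {
			continue
		}
		if !hasValue && isBool {
			value = "true"
		} else if !hasValue && i+1 < len(args) {
			i++ // "-flag value" form: the next argument is the value
			value = args[i]
		}
		if out[name[:dot]] == nil {
			out[name[:dot]] = map[string]string{}
		}
		out[name[:dot]][name[dot+1:]] = value
	}
	return out
}

// AuditTLSFlags applies the page's gRPC client TLS rules; findings are ordered by prefix.
func AuditTLSFlags(args []string) []Finding {
	var out []Finding
	for p, f := range parseTLSFlags(args) {
		enabled, _ := strconv.ParseBool(f["tls-enabled"])
		if _, set := f["tls-enabled"]; !enabled {
			if !set || len(f) > 1 { // other TLS flags are set, yet the connection is insecure
				out = append(out, Finding{p, "tls-not-enabled", "TLS flags set without tls-enabled"})
			}
			continue
		}
		if skip, _ := strconv.ParseBool(f["tls-insecure-skip-verify"]); skip {
			out = append(out, Finding{p, "skip-verify", "server certificate is not validated"})
		}
		if v := f["tls-min-version"]; v == "VersionTLS10" || v == "VersionTLS11" {
			out = append(out, Finding{p, "weak-min-version", v}) // deprecated by RFC 8996
		}
		for _, c := range strings.Split(f["tls-cipher-suites"], ",") {
			if c = strings.TrimSpace(c); insecureCiphers[c] {
				out = append(out, Finding{p, "insecure-cipher", c})
			}
		}
		if (f["tls-cert-path"] == "") != (f["tls-key-path"] == "") {
			out = append(out, Finding{p, "cert-key-mismatch", "certificate and key must be set together"})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Prefix < out[j].Prefix })
	return out
}

func main() {
	for _, f := range AuditTLSFlags(sampleArgs) {
		fmt.Printf("%-26s %-18s %s\n", f.Prefix, f.Rule, f.Detail)
	}
}
```

The same rules apply to the YAML keys of each `grpc_client_config` block; because CLI flags take precedence over the file, audit the effective settings rather than the file alone.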

etcd

The etcd configures the etcd client. The supported CLI flags <prefix> used to reference this configuration block are:

  • admin-api.leader-election.ring
  • alertmanager.sharding-ring
  • compactor.ring
  • distributor.ha-tracker
  • distributor.ring
  • ingester.partition-ring
  • ingester.ring
  • overrides-exporter.ring
  • query-scheduler.ring
  • ruler.ring
  • store-gateway.sharding-ring

 

# The etcd endpoints to connect to.
# CLI flag: -<prefix>.etcd.endpoints
[endpoints: <list of strings> | default = []]

# (advanced) The dial timeout for the etcd connection.
# CLI flag: -<prefix>.etcd.dial-timeout
[dial_timeout: <duration> | default = 10s]

# (advanced) The maximum number of retries to do for failed ops.
# CLI flag: -<prefix>.etcd.max-retries
[max_retries: <int> | default = 10]

# (advanced) Enable TLS.
# CLI flag: -<prefix>.etcd.tls-enabled
[tls_enabled: <boolean> | default = false]

# (advanced) Path to the client certificate, which will be used for
# authenticating with the server. Also requires the key path to be configured.
# CLI flag: -<prefix>.etcd.tls-cert-path
[tls_cert_path: <string> | default = ""]

# (advanced) Path to the key for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -<prefix>.etcd.tls-key-path
[tls_key_path: <string> | default = ""]

# (advanced) Path to the CA certificates to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -<prefix>.etcd.tls-ca-path
[tls_ca_path: <string> | default = ""]

# (advanced) Override the expected name on the server certificate.
# CLI flag: -<prefix>.etcd.tls-server-name
[tls_server_name: <string> | default = ""]

# (advanced) Skip validating server certificate.
# CLI flag: -<prefix>.etcd.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# (advanced) Override the default cipher suite list (separated by commas).
# Allowed values:
# 
# Secure Ciphers:
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -<prefix>.etcd.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# (advanced) Override the default minimum TLS version. Allowed values:
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -<prefix>.etcd.tls-min-version
[tls_min_version: <string> | default = ""]

# Etcd username.
# CLI flag: -<prefix>.etcd.username
[username: <string> | default = ""]

# Etcd password.
# CLI flag: -<prefix>.etcd.password
[password: <string> | default = ""]

consul

The consul configures the consul client. The supported CLI flags <prefix> used to reference this configuration block are:

  • admin-api.leader-election.ring
  • alertmanager.sharding-ring
  • compactor.ring
  • distributor.ha-tracker
  • distributor.ring
  • ingester.partition-ring
  • ingester.ring
  • overrides-exporter.ring
  • query-scheduler.ring
  • ruler.ring
  • store-gateway.sharding-ring

 

# Hostname and port of Consul.
# CLI flag: -<prefix>.consul.hostname
[host: <string> | default = "localhost:8500"]

# (advanced) ACL Token used to interact with Consul.
# CLI flag: -<prefix>.consul.acl-token
[acl_token: <string> | default = ""]

# (advanced) HTTP timeout when talking to Consul
# CLI flag: -<prefix>.consul.client-timeout
[http_client_timeout: <duration> | default = 20s]

# (advanced) Enable consistent reads to Consul.
# CLI flag: -<prefix>.consul.consistent-reads
[consistent_reads: <boolean> | default = false]

# (advanced) Rate limit when watching key or prefix in Consul, in requests per
# second. 0 disables the rate limit.
# CLI flag: -<prefix>.consul.watch-rate-limit
[watch_rate_limit: <float> | default = 1]

# (advanced) Burst size used in rate limit. Values less than 1 are treated as 1.
# CLI flag: -<prefix>.consul.watch-burst-size
[watch_burst_size: <int> | default = 1]

# (advanced) Maximum duration to wait before retrying a Compare And Swap (CAS)
# operation.
# CLI flag: -<prefix>.consul.cas-retry-delay
[cas_retry_delay: <duration> | default = 1s]

memberlist

The memberlist configures the Gossip memberlist.

# (advanced) Name of the node in memberlist cluster. Defaults to hostname.
# CLI flag: -memberlist.nodename
[node_name: <string> | default = ""]

# (advanced) Add random suffix to the node name.
# CLI flag: -memberlist.randomize-node-name
[randomize_node_name: <boolean> | default = true]

# (advanced) The timeout for establishing a connection with a remote node, and
# for read/write operations.
# CLI flag: -memberlist.stream-timeout
[stream_timeout: <duration> | default = 2s]

# (advanced) Multiplication factor used when sending out messages (factor *
# log(N+1)).
# CLI flag: -memberlist.retransmit-factor
[retransmit_factor: <int> | default = 4]

# (advanced) How often to use pull/push sync.
# CLI flag: -memberlist.pullpush-interval
[pull_push_interval: <duration> | default = 30s]

# (advanced) How often to gossip.
# CLI flag: -memberlist.gossip-interval
[gossip_interval: <duration> | default = 200ms]

# (advanced) How many nodes to gossip to.
# CLI flag: -memberlist.gossip-nodes
[gossip_nodes: <int> | default = 3]

# (advanced) How long to keep gossiping to dead nodes, to give them a chance to
# refute their death.
# CLI flag: -memberlist.gossip-to-dead-nodes-time
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# (advanced) How soon a dead node's name can be reclaimed with a new address.
# 0 to disable.
# CLI flag: -memberlist.dead-node-reclaim-time
[dead_node_reclaim_time: <duration> | default = 0s]

# (advanced) Enable message compression. This can be used to reduce bandwidth
# usage at the cost of slightly more CPU utilization.
# CLI flag: -memberlist.compression-enabled
[compression_enabled: <boolean> | default = true]

# Gossip address to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-addr
[advertise_addr: <string> | default = ""]

# Gossip port to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-port
[advertise_port: <int> | default = 7946]

# (advanced) The cluster label is an optional string to include in outbound
# packets and gossip streams. Other members in the memberlist cluster will
# discard any message whose label doesn't match the configured one, unless the
# 'cluster-label-verification-disabled' configuration option is set to true.
# CLI flag: -memberlist.cluster-label
[cluster_label: <string> | default = ""]

# (advanced) When true, memberlist doesn't verify that inbound packets and
# gossip streams have the cluster label matching the configured one. This
# verification should be disabled while rolling out the change to the configured
# cluster label in a live memberlist cluster.
# CLI flag: -memberlist.cluster-label-verification-disabled
[cluster_label_verification_disabled: <boolean> | default = false]

# Other cluster members to join. Can be specified multiple times. It can be an
# IP, hostname or an entry specified in the DNS Service Discovery format.
# CLI flag: -memberlist.join
[join_members: <list of strings> | default = []]

# (advanced) Min backoff duration to join other cluster members.
# CLI flag: -memberlist.min-join-backoff
[min_join_backoff: <duration> | default = 1s]

# (advanced) Max backoff duration to join other cluster members.
# CLI flag: -memberlist.max-join-backoff
[max_join_backoff: <duration> | default = 1m]

# (advanced) Max number of retries to join other cluster members.
# CLI flag: -memberlist.max-join-retries
[max_join_retries: <int> | default = 10]

# If this node fails to join memberlist cluster, abort.
# CLI flag: -memberlist.abort-if-join-fails
[abort_if_cluster_join_fails: <boolean> | default = false]

# (advanced) If not 0, how often to rejoin the cluster. Occasional rejoin can
# help to fix the cluster split issue, and is harmless otherwise. For example,
# when using only a few components as seed nodes (via -memberlist.join), it's
# recommended to use rejoin. If -memberlist.join points to a dynamic service
# that resolves to all gossiping nodes (e.g. a Kubernetes headless service),
# rejoin is not needed.
# CLI flag: -memberlist.rejoin-interval
[rejoin_interval: <duration> | default = 0s]

# (advanced) How long to keep LEFT ingesters in the ring.
# CLI flag: -memberlist.left-ingesters-timeout
[left_ingesters_timeout: <duration> | default = 5m]

# (advanced) Timeout for leaving memberlist cluster.
# CLI flag: -memberlist.leave-timeout
[leave_timeout: <duration> | default = 20s]

# (advanced) Timeout for broadcasting all remaining locally-generated updates to
# other nodes when shutting down. Only used if there are nodes left in the
# memberlist cluster, and only applies to locally-generated updates, not to
# broadcast messages that are the result of incoming gossip updates. 0 = no timeout,
# wait until all locally-generated updates are sent.
# CLI flag: -memberlist.broadcast-timeout-for-local-updates-on-shutdown
[broadcast_timeout_for_local_updates_on_shutdown: <duration> | default = 10s]

# (advanced) How much space to use for keeping received and sent messages in
# memory for troubleshooting (two buffers). 0 to disable.
# CLI flag: -memberlist.message-history-buffer-bytes
[message_history_buffer_bytes: <int> | default = 0]

# IP address to listen on for gossip messages. Multiple addresses may be
# specified. Defaults to 0.0.0.0
# CLI flag: -memberlist.bind-addr
[bind_addr: <list of strings> | default = []]

# Port to listen on for gossip messages.
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# (advanced) Timeout used when connecting to other nodes to send packet.
# CLI flag: -memberlist.packet-dial-timeout
[packet_dial_timeout: <duration> | default = 2s]

# (advanced) Timeout for writing 'packet' data.
# CLI flag: -memberlist.packet-write-timeout
[packet_write_timeout: <duration> | default = 5s]

# (advanced) Enable TLS on the memberlist transport layer.
# CLI flag: -memberlist.tls-enabled
[tls_enabled: <boolean> | default = false]

# (advanced) Path to the client certificate, which will be used for
# authenticating with the server. Also requires the key path to be configured.
# CLI flag: -memberlist.tls-cert-path
[tls_cert_path: <string> | default = ""]

# (advanced) Path to the key for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -memberlist.tls-key-path
[tls_key_path: <string> | default = ""]

# (advanced) Path to the CA certificates to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -memberlist.tls-ca-path
[tls_ca_path: <string> | default = ""]

# (advanced) Override the expected name on the server certificate.
# CLI flag: -memberlist.tls-server-name
[tls_server_name: <string> | default = ""]

# (advanced) Skip validating server certificate.
# CLI flag: -memberlist.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# (advanced) Override the default cipher suite list (separated by commas).
# Allowed values:
# 
# Secure Ciphers:
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -memberlist.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# (advanced) Override the default minimum TLS version. Allowed values:
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -memberlist.tls-min-version
[tls_min_version: <string> | default = ""]
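
The following is an added example, not part of the GEM documentation or code base: a Python check that audits an already-parsed `memberlist` block against the option semantics and cipher suite lists above. The sample blocks, file paths, label value, server name and the TLS 1.2 floor are assumptions of this example.

```python
"""Audit a parsed GEM `memberlist` block for weak gossip-transport settings."""

# Cipher suite names copied from the tls_cipher_suites reference above.
SECURE_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
INSECURE_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# Allowed tls_min_version values, oldest first.
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
MIN_ACCEPTABLE = "VersionTLS12"  # policy floor assumed by this example


def audit_memberlist(cfg):
    """Return (key, message) findings for one memberlist block, in check order."""
    findings = []
    if not cfg.get("cluster_label"):
        findings.append(("cluster_label", "no cluster label is configured"))
    if cfg.get("cluster_label_verification_disabled", False):
        findings.append(("cluster_label_verification_disabled",
                         "inbound label verification is off; intended only "
                         "while rolling out a label change"))
    if not cfg.get("tls_enabled", False):
        findings.append(("tls_enabled", "gossip transport runs without TLS"))
        return findings  # the other tls_* keys are not evaluated by this check
    if cfg.get("tls_insecure_skip_verify", False):
        findings.append(("tls_insecure_skip_verify",
                         "server certificate validation is skipped"))
    # The reference states that the certificate and key paths require each other.
    if bool(cfg.get("tls_cert_path")) != bool(cfg.get("tls_key_path")):
        findings.append(("tls_cert_path/tls_key_path",
                         "certificate and key paths must be set together"))
    # An empty list means the default suites are used, so nothing is reported.
    for name in (cfg.get("tls_cipher_suites") or "").split(","):
        name = name.strip()
        if not name:
            continue
        if name in INSECURE_CIPHERS:
            findings.append(("tls_cipher_suites", f"{name} is on the insecure list"))
        elif name not in SECURE_CIPHERS:
            findings.append(("tls_cipher_suites", f"{name} is not an allowed value"))
    min_version = cfg.get("tls_min_version") or ""
    if min_version:
        if min_version not in TLS_VERSIONS:
            findings.append(("tls_min_version", f"{min_version} is not an allowed value"))
        elif TLS_VERSIONS.index(min_version) < TLS_VERSIONS.index(MIN_ACCEPTABLE):
            findings.append(("tls_min_version",
                             f"{min_version} is below {MIN_ACCEPTABLE}"))
    return findings


# Constructed sample blocks (as a YAML loader would return them); paths are hypothetical.
WEAK = {
    "cluster_label": "",
    "cluster_label_verification_disabled": True,
    "tls_enabled": True,
    "tls_cert_path": "/etc/gem/tls/node.crt",
    "tls_key_path": "",
    "tls_insecure_skip_verify": True,
    "tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA, "
                         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_FOO",
    "tls_min_version": "VersionTLS10",
}
HARDENED = {
    "cluster_label": "gem-prod",
    "tls_enabled": True,
    "tls_cert_path": "/etc/gem/tls/node.crt",
    "tls_key_path": "/etc/gem/tls/node.key",
    "tls_ca_path": "/etc/gem/tls/ca.crt",
    "tls_server_name": "gem-memberlist.internal",
    "tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "tls_min_version": "VersionTLS12",
}

if __name__ == "__main__":
    for label, block in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for key, message in audit_memberlist(block):
            print(f"  {key}: {message}")
```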

limits

The limits block configures default and per-tenant limits imposed by GEM services (i.e. distributor, ingester, …).

# Per-tenant push request rate limit in requests per second. 0 to disable.
# CLI flag: -distributor.request-rate-limit
[request_rate: <float> | default = 0]

# Per-tenant allowed push request burst size. 0 to disable.
# CLI flag: -distributor.request-burst-size
[request_burst_size: <int> | default = 0]

# Per-tenant ingestion rate limit in samples per second.
# CLI flag: -distributor.ingestion-rate-limit
[ingestion_rate: <float> | default = 10000]

# Per-tenant allowed ingestion burst size (in number of samples).
# CLI flag: -distributor.ingestion-burst-size
[ingestion_burst_size: <int> | default = 200000]

# (experimental) Per-tenant burst factor which is the maximum burst size allowed
# as a multiple of the per-tenant ingestion rate, this burst-factor must be
# greater than or equal to 1. If this is set it will override the
# ingestion-burst-size option.
# CLI flag: -distributor.ingestion-burst-factor
[ingestion_burst_factor: <float> | default = 0]

# Flag to enable, for all tenants, handling of samples with external labels
# identifying replicas in an HA Prometheus setup.
# CLI flag: -distributor.ha-tracker.enable-for-all-users
[accept_ha_samples: <boolean> | default = false]

# Prometheus label to look for in samples to identify a Prometheus HA cluster.
# CLI flag: -distributor.ha-tracker.cluster
[ha_cluster_label: <string> | default = "cluster"]

# Prometheus label to look for in samples to identify a Prometheus HA replica.
# CLI flag: -distributor.ha-tracker.replica
[ha_replica_label: <string> | default = "__replica__"]

# Maximum number of clusters that HA tracker will keep track of for a single
# tenant. 0 to disable the limit.
# CLI flag: -distributor.ha-tracker.max-clusters
[ha_max_clusters: <int> | default = 100]

# (advanced) This flag can be used to specify label names to drop during
# sample ingestion within the distributor and can be repeated in order to drop
# multiple labels.
# CLI flag: -distributor.drop-label
[drop_labels: <list of strings> | default = []]

# Maximum length accepted for label names
# CLI flag: -validation.max-length-label-name
[max_label_name_length: <int> | default = 1024]

# Maximum length accepted for label value. This setting also applies to the
# metric name
# CLI flag: -validation.max-length-label-value
[max_label_value_length: <int> | default = 2048]

# Maximum number of label names per series.
# CLI flag: -validation.max-label-names-per-series
[max_label_names_per_series: <int> | default = 30]

# Maximum length accepted for metric metadata. Metadata refers to Metric Name,
# HELP and UNIT. Longer metadata is dropped except for HELP which is truncated.
# CLI flag: -validation.max-metadata-length
[max_metadata_length: <int> | default = 1024]

# Maximum number of buckets per native histogram sample. 0 to disable the limit.
# CLI flag: -validation.max-native-histogram-buckets
[max_native_histogram_buckets: <int> | default = 0]

# (experimental) Maximum number of exemplars per series per request. 0 to
# disable limit in request. The exceeding exemplars are dropped.
# CLI flag: -distributor.max-exemplars-per-series-per-request
[max_exemplars_per_series_per_request: <int> | default = 0]

# Whether to reduce or reject native histogram samples with more buckets than
# the configured limit.
# CLI flag: -validation.reduce-native-histogram-over-max-buckets
[reduce_native_histogram_over_max_buckets: <boolean> | default = true]

# (advanced) Controls how far into the future incoming samples and exemplars are
# accepted compared to the wall clock. Any sample or exemplar will be rejected
# if its timestamp is greater than '(now + creation_grace_period)'. This
# configuration is enforced in the distributor and ingester.
# CLI flag: -validation.create-grace-period
[creation_grace_period: <duration> | default = 10m]

# (advanced) Controls how far into the past incoming samples and exemplars are
# accepted compared to the wall clock. Any sample or exemplar will be rejected
# if its timestamp is lower than '(now - OOO window - past_grace_period)'. This
# configuration is enforced in the distributor and ingester. 0 to disable.
# CLI flag: -validation.past-grace-period
[past_grace_period: <duration> | default = 0s]

# (advanced) Enforce every metadata has a metric name.
# CLI flag: -validation.enforce-metadata-metric-name
[enforce_metadata_metric_name: <boolean> | default = true]

# The tenant's shard size used by shuffle-sharding. This value is the total size
# of the shard (i.e. it is not the number of ingesters in the shard per zone, but
# the number of ingesters in the shard across all zones, if zone-awareness is
# enabled). Must be set both on ingesters and distributors. 0 disables shuffle
# sharding.
# CLI flag: -distributor.ingestion-tenant-shard-size
[ingestion_tenant_shard_size: <int> | default = 0]

# (experimental) List of metric relabel configurations. Note that in most
# situations, it is more effective to use metrics relabeling directly in the
# Prometheus server, e.g. remote_write.write_relabel_configs. Labels available
# during the relabeling phase and cleaned afterwards: __meta_tenant_id
[metric_relabel_configs: <relabel_config...> | default = ]

# (experimental) Enable metric relabeling for the tenant. This configuration
# option can be used to forcefully disable metric relabeling on a per-tenant
# basis.
# CLI flag: -distributor.metric-relabeling-enabled
[metric_relabeling_enabled: <boolean> | default = true]

# (experimental) If enabled, rate limit errors will be reported to the client
# with HTTP status code 529 (Service is overloaded). If disabled, status code
# 429 (Too Many Requests) is used. Enabling
# -distributor.retry-after-header.enabled before utilizing this option is
# strongly recommended as it helps prevent premature request retries by the
# client.
# CLI flag: -distributor.service-overload-status-code-on-rate-limit-enabled
[service_overload_status_code_on_rate_limit_enabled: <boolean> | default = false]

# The maximum number of in-memory series per tenant, across the cluster before
# replication. 0 to disable.
# CLI flag: -ingester.max-global-series-per-user
[max_global_series_per_user: <int> | default = 150000]

# The maximum number of in-memory series per metric name, across the cluster
# before replication. 0 to disable.
# CLI flag: -ingester.max-global-series-per-metric
[max_global_series_per_metric: <int> | default = 0]

# The maximum number of in-memory metrics with metadata per tenant, across the
# cluster. 0 to disable.
# CLI flag: -ingester.max-global-metadata-per-user
[max_global_metadata_per_user: <int> | default = 0]

# The maximum number of metadata per metric, across the cluster. 0 to disable.
# CLI flag: -ingester.max-global-metadata-per-metric
[max_global_metadata_per_metric: <int> | default = 0]

# (experimental) The maximum number of exemplars in memory, across the cluster.
# 0 to disable exemplars ingestion.
# CLI flag: -ingester.max-global-exemplars-per-user
[max_global_exemplars_per_user: <int> | default = 0]

# (experimental) Whether to ignore exemplars with out-of-order timestamps. If
# enabled, exemplars with out-of-order timestamps are silently dropped,
# otherwise they cause partial errors.
# CLI flag: -ingester.ignore-ooo-exemplars
[ignore_ooo_exemplars: <boolean> | default = false]

# (experimental) Enable ingestion of native histogram samples. If false, native
# histogram samples are ignored without an error. To query native histograms
# with query-sharding enabled make sure to set
# -query-frontend.query-result-response-format to 'protobuf'.
# CLI flag: -ingester.native-histograms-ingestion-enabled
[native_histograms_ingestion_enabled: <boolean> | default = false]

# (advanced) Additional custom trackers for active metrics. If there are active
# series matching a provided matcher (map value), the count will be exposed in
# the custom trackers metric labeled using the tracker name (map key). Zero
# valued counts are not exposed (and removed when they go back to zero).
# Example:
#   The following configuration will count the active series coming from dev and
#   prod namespaces for each tenant and label them as {name="dev"} and
#   {name="prod"} in the cortex_ingester_active_series_custom_tracker metric.
#   active_series_custom_trackers:
#       dev: '{namespace=~"dev-.*"}'
#       prod: '{namespace=~"prod-.*"}'
# CLI flag: -ingester.active-series-custom-trackers
[active_series_custom_trackers: <map of tracker name (string) to matcher (string)> | default = ]

# (experimental) Non-zero value enables out-of-order support for most recent
# samples that are within the time window in relation to the TSDB's maximum
# time, i.e., within [db.maxTime-timeWindow, db.maxTime]. The ingester will
# need more memory as a factor of rate of out-of-order samples being ingested
# and the number of series that are getting out-of-order samples. If a query falls
# into this window, cached results will use the value from
# -query-frontend.results-cache-ttl-for-out-of-order-time-window option to
# specify TTL for resulting cache entry.
# CLI flag: -ingester.out-of-order-time-window
[out_of_order_time_window: <duration> | default = 0s]

# (experimental) Whether the shipper should label out-of-order blocks with an
# external label before uploading them. Setting this label will compact
# out-of-order blocks separately from non-out-of-order blocks
# CLI flag: -ingester.out-of-order-blocks-external-label-enabled
[out_of_order_blocks_external_label_enabled: <boolean> | default = false]

# (experimental) Label used to define the group label for metrics separation.
# For each write request, the group is obtained from the first non-empty group
# label from the first timeseries in the incoming list of timeseries. Specific
# distributor and ingester metrics will be further separated adding a 'group'
# label with group label's value. Currently applies to the following metrics:
# cortex_discarded_samples_total
# CLI flag: -validation.separate-metrics-group-label
[separate_metrics_group_label: <string> | default = ""]

# Maximum number of chunks that can be fetched in a single query from ingesters
# and store-gateways. This limit is enforced in the querier, ruler and
# store-gateway. 0 to disable.
# CLI flag: -querier.max-fetched-chunks-per-query
[max_fetched_chunks_per_query: <int> | default = 2000000]

# (experimental) Maximum number of chunks estimated to be fetched in a single
# query from ingesters and store-gateways, as a multiple of
# -querier.max-fetched-chunks-per-query. This limit is enforced in the querier.
# Must be greater than or equal to 1, or 0 to disable.
# CLI flag: -querier.max-estimated-fetched-chunks-per-query-multiplier
[max_estimated_fetched_chunks_per_query_multiplier: <float> | default = 0]

# The maximum number of unique series for which a query can fetch samples from
# ingesters and store-gateways. This limit is enforced in the querier, ruler and
# store-gateway. 0 to disable
# CLI flag: -querier.max-fetched-series-per-query
[max_fetched_series_per_query: <int> | default = 0]

# The maximum size of all chunks in bytes that a query can fetch from ingesters
# and store-gateways. This limit is enforced in the querier and ruler. 0 to
# disable.
# CLI flag: -querier.max-fetched-chunk-bytes-per-query
[max_fetched_chunk_bytes_per_query: <int> | default = 0]

# (experimental) The maximum estimated memory a single query can consume at
# once, in bytes. This limit is only enforced when Mimir's query engine is in
# use. This limit is enforced in the querier. 0 to disable.
# CLI flag: -querier.max-estimated-memory-consumption-per-query
[max_estimated_memory_consumption_per_query: <int> | default = 0]

# Limit how long back data (series and metadata) can be queried, up until
# <lookback> duration ago. This limit is enforced in the query-frontend, querier
# and ruler for instant, range and remote read queries. For metadata queries
# like series, label names, label values queries the limit is enforced in the
# querier and ruler. If the requested time range is outside the allowed range,
# the request will not fail but will be manipulated to only query data within
# the allowed time range. 0 to disable.
# CLI flag: -querier.max-query-lookback
[max_query_lookback: <duration> | default = 0s]

# Limit the time range for partial queries at the querier level.
# CLI flag: -querier.max-partial-query-length
[max_partial_query_length: <duration> | default = 0s]

# Maximum number of split (by time) or partial (by shard) queries that will be
# scheduled in parallel by the query-frontend for a single input query. This
# limit is introduced to have a fairer query scheduling and avoid a single query
# over a large time range saturating all available queriers.
# CLI flag: -querier.max-query-parallelism
[max_query_parallelism: <int> | default = 14]

# Limit the time range (end - start time) of series, label names and values
# queries. This limit is enforced in the querier. If the requested time range is
# outside the allowed range, the request will not fail but will be manipulated
# to only query data within the allowed time range. 0 to disable.
# CLI flag: -store.max-labels-query-length
[max_labels_query_length: <duration> | default = 0s]

# (advanced) Most recent allowed cacheable result per-tenant, to prevent caching
# very recent results that might still be in flux.
# CLI flag: -query-frontend.max-cache-freshness
[max_cache_freshness: <duration> | default = 10m]

# Maximum number of queriers that can handle requests for a single tenant. If
# set to 0 or a value higher than the number of available queriers, *all* queriers
# will handle requests for the tenant. Each frontend (or query-scheduler, if
# used) will select the same set of queriers for the same tenant (given that all
# queriers are connected to all frontends / query-schedulers). This option only
# works with queriers connecting to the query-frontend / query-scheduler, not
# when using downstream URL.
# CLI flag: -query-frontend.max-queriers-per-tenant
[max_queriers_per_tenant: <int> | default = 0]

# The amount of shards to use when doing parallelisation via query sharding by
# tenant. 0 to disable query sharding for tenant. Query sharding implementation
# will adjust the number of query shards based on compactor shards. This allows
# querier to not search the blocks which cannot possibly have the series for
# given query shard.
# CLI flag: -query-frontend.query-sharding-total-shards
[query_sharding_total_shards: <int> | default = 16]

# The max number of sharded queries that can be run for a given received query.
# 0 to disable limit.
# CLI flag: -query-frontend.query-sharding-max-sharded-queries
[query_sharding_max_sharded_queries: <int> | default = 128]

# Disable query sharding for any query containing a regular expression matcher
# longer than the configured number of bytes. 0 to disable the limit.
# CLI flag: -query-frontend.query-sharding-max-regexp-size-bytes
[query_sharding_max_regexp_size_bytes: <int> | default = 4096]

# (experimental) Split instant queries by an interval and execute in parallel. 0
# to disable it.
# CLI flag: -query-frontend.split-instant-queries-by-interval
[split_instant_queries_by_interval: <duration> | default = 0s]

# (advanced) Maximum lookback beyond which queries are not sent to ingester. 0
# means all queries are sent to ingester.
# CLI flag: -querier.query-ingesters-within
[query_ingesters_within: <duration> | default = 13h]

# Limit the total query time range (end - start time). This limit is enforced in
# the query-frontend on the received instant, range or remote read query.
# CLI flag: -query-frontend.max-total-query-length
[max_total_query_length: <duration> | default = 0s]

# Time to live duration for cached query results. If query falls into
# out-of-order time window,
# -query-frontend.results-cache-ttl-for-out-of-order-time-window is used
# instead.
# CLI flag: -query-frontend.results-cache-ttl
[results_cache_ttl: <duration> | default = 1w]

# Time to live duration for cached query results if query falls into
# out-of-order time window. This is lower than -query-frontend.results-cache-ttl
# so that incoming out-of-order samples are returned in the query results
# sooner.
# CLI flag: -query-frontend.results-cache-ttl-for-out-of-order-time-window
[results_cache_ttl_for_out_of_order_time_window: <duration> | default = 10m]

# Time to live duration for cached cardinality query results. The value 0
# disables the cache.
# CLI flag: -query-frontend.results-cache-ttl-for-cardinality-query
[results_cache_ttl_for_cardinality_query: <duration> | default = 0s]

# Time to live duration for cached label names and label values query results.
# The value 0 disables the cache.
# CLI flag: -query-frontend.results-cache-ttl-for-labels-query
[results_cache_ttl_for_labels_query: <duration> | default = 0s]

# (advanced) Cache requests that are not step-aligned.
# CLI flag: -query-frontend.cache-unaligned-requests
[cache_unaligned_requests: <boolean> | default = false]

# Max size of the raw query, in bytes. This limit is enforced by the
# query-frontend for instant, range and remote read queries. 0 to not apply a
# limit to the size of the query.
# CLI flag: -query-frontend.max-query-expression-size-bytes
[max_query_expression_size_bytes: <int> | default = 0]

# (experimental) List of queries to block.
[blocked_queries: <blocked_queries_config...> | default = ]

# Mutate incoming queries to align their start and end with their step to
# improve result caching.
# CLI flag: -query-frontend.align-queries-with-step
[align_queries_with_step: <boolean> | default = false]

# Enables endpoints used for cardinality analysis.
# CLI flag: -querier.cardinality-analysis-enabled
[cardinality_analysis_enabled: <boolean> | default = false]

# Maximum size in bytes of distinct label names and values. When querier
# receives response from ingester, it merges the response with responses from
# other ingesters. This maximum size limit is applied to the merged (distinct)
# results. If the limit is reached, an error is returned.
# CLI flag: -querier.label-names-and-values-results-max-size-bytes
[label_names_and_values_results_max_size_bytes: <int> | default = 419430400]

# Maximum number of label names allowed to be queried in a single
# /api/v1/cardinality/label_values API call.
# CLI flag: -querier.label-values-max-cardinality-label-names-per-request
[label_values_max_cardinality_label_names_per_request: <int> | default = 100]

# (experimental) Maximum size of an active series or active native histogram
# series request result shard in bytes. 0 to disable.
# CLI flag: -querier.active-series-results-max-size-bytes
[active_series_results_max_size_bytes: <int> | default = 419430400]

# Duration to delay the evaluation of rules to ensure the underlying metrics
# have been pushed.
# CLI flag: -ruler.evaluation-delay-duration
[ruler_evaluation_delay_duration: <duration> | default = 1m]

# The tenant's shard size when sharding is used by ruler. Value of 0 disables
# shuffle sharding for the tenant, and tenant rules will be sharded across all
# ruler replicas.
# CLI flag: -ruler.tenant-shard-size
[ruler_tenant_shard_size: <int> | default = 0]

# Maximum number of rules per rule group per-tenant. 0 to disable.
# CLI flag: -ruler.max-rules-per-rule-group
[ruler_max_rules_per_rule_group: <int> | default = 20]

# Maximum number of rule groups per-tenant. 0 to disable.
# CLI flag: -ruler.max-rule-groups-per-tenant
[ruler_max_rule_groups_per_tenant: <int> | default = 70]

# Controls whether recording rules evaluation is enabled. This configuration
# option can be used to forcefully disable recording rules evaluation on a
# per-tenant basis.
# CLI flag: -ruler.recording-rules-evaluation-enabled
[ruler_recording_rules_evaluation_enabled: <boolean> | default = true]

# Controls whether alerting rules evaluation is enabled. This configuration
# option can be used to forcefully disable alerting rules evaluation on a
# per-tenant basis.
# CLI flag: -ruler.alerting-rules-evaluation-enabled
[ruler_alerting_rules_evaluation_enabled: <boolean> | default = true]

# (advanced) True to enable a re-sync of the configured rule groups as soon as
# they're changed via ruler's config API. This re-sync is in addition to the
# periodic syncing. When enabled, it may take up to a few tens of seconds before a
# configuration change triggers the re-sync.
# CLI flag: -ruler.sync-rules-on-changes-enabled
[ruler_sync_rules_on_changes_enabled: <boolean> | default = true]

# (experimental) Maximum number of rules per rule group by namespace. Value is a
# map, where each key is the namespace and value is the number of rules allowed
# in the namespace (int). On the command line, this map is given in a JSON
# format. The number of rules specified has the same meaning as
# -ruler.max-rules-per-rule-group, but only applies for the specific namespace.
# If specified, it supersedes -ruler.max-rules-per-rule-group.
# CLI flag: -ruler.max-rules-per-rule-group-by-namespace
[ruler_max_rules_per_rule_group_by_namespace: <map of string to int> | default = {}]

# (experimental) Maximum number of rule groups per tenant by namespace. Value is
# a map, where each key is the namespace and value is the number of rule groups
# allowed in the namespace (int). On the command line, this map is given in a
# JSON format. The number of rule groups specified has the same meaning as
# -ruler.max-rule-groups-per-tenant, but only applies for the specific
# namespace. If specified, it supersedes -ruler.max-rule-groups-per-tenant.
# CLI flag: -ruler.max-rule-groups-per-tenant-by-namespace
[ruler_max_rule_groups_per_tenant_by_namespace: <map of string to int> | default = {}]

# (experimental) List of namespaces that are protected from modification unless
# a special HTTP header is used. If a namespace is protected, it can only be
# read, not modified via the ruler's configuration API. The value is a list of
# strings, where each string is a namespace name. On the command line, this list
# is given as a comma-separated list.
# CLI flag: -ruler.protected-namespaces
[ruler_protected_namespaces: <string> | default = ""]

# (experimental) Maximum number of independent rules that can run concurrently
# for each tenant. Depends on ruler.max-independent-rule-evaluation-concurrency
# being greater than 0. Ideally this flag should be a lower value. 0 to disable.
# CLI flag: -ruler.max-independent-rule-evaluation-concurrency-per-tenant
[ruler_max_independent_rule_evaluation_concurrency_per_tenant: <int> | default = 4]

# The tenant's shard size, used when store-gateway sharding is enabled. Value of
# 0 disables shuffle sharding for the tenant, that is all tenant blocks are
# sharded across all store-gateway replicas.
# CLI flag: -store-gateway.tenant-shard-size
[store_gateway_tenant_shard_size: <int> | default = 0]

# Delete blocks containing samples older than the specified retention period.
# Also used by query-frontend to avoid querying beyond the retention period by
# instant, range or remote read queries. 0 to disable.
# CLI flag: -compactor.blocks-retention-period
[compactor_blocks_retention_period: <duration> | default = 0s]

# The number of shards to use when splitting blocks. 0 to disable splitting.
# CLI flag: -compactor.split-and-merge-shards
[compactor_split_and_merge_shards: <int> | default = 0]

# Number of groups that blocks for splitting should be grouped into. Each group
# of blocks is then split separately. Number of output split shards is
# controlled by -compactor.split-and-merge-shards.
# CLI flag: -compactor.split-groups
[compactor_split_groups: <int> | default = 1]

# Max number of compactors that can compact blocks for single tenant. 0 to
# disable the limit and use all compactors.
# CLI flag: -compactor.compactor-tenant-shard-size
[compactor_tenant_shard_size: <int> | default = 0]

# If a partial block (unfinished block without meta.json file) hasn't been
# modified for this time, it will be marked for deletion. The minimum accepted
# value is 4h0m0s: a lower value will be ignored and the feature disabled. 0 to
# disable.
# CLI flag: -compactor.partial-block-deletion-delay
[compactor_partial_block_deletion_delay: <duration> | default = 1d]

# Enable block upload API for the tenant.
# CLI flag: -compactor.block-upload-enabled
[compactor_block_upload_enabled: <boolean> | default = false]

# Enable block upload validation for the tenant.
# CLI flag: -compactor.block-upload-validation-enabled
[compactor_block_upload_validation_enabled: <boolean> | default = true]

# Verify chunks when uploading blocks via the upload API for the tenant.
# CLI flag: -compactor.block-upload-verify-chunks
[compactor_block_upload_verify_chunks: <boolean> | default = true]

# (advanced) Maximum size in bytes of a block that is allowed to be uploaded or
# validated. 0 = no limit.
# CLI flag: -compactor.block-upload-max-block-size-bytes
[compactor_block_upload_max_block_size_bytes: <int> | default = 0]

# S3 server-side encryption type. Required to enable server-side encryption
# overrides for a specific tenant. If not set, the default S3 client settings
# are used.
[s3_sse_type: <string> | default = ""]

# S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not
# set.
[s3_sse_kms_key_id: <string> | default = ""]

# S3 server-side encryption KMS encryption context. If unset and the key ID
# override is set, the encryption context will not be provided to S3. Ignored if
# the SSE type override is not set.
[s3_sse_kms_encryption_context: <string> | default = ""]

# Comma-separated list of network CIDRs to block in Alertmanager receiver
# integrations.
# CLI flag: -alertmanager.receivers-firewall-block-cidr-networks
[alertmanager_receivers_firewall_block_cidr_networks: <string> | default = ""]

# True to block private and local addresses in Alertmanager receiver
# integrations. It blocks private addresses defined by RFC 1918 (IPv4
# addresses) and RFC 4193 (IPv6 addresses), as well as loopback, local unicast
# and local multicast addresses.
# CLI flag: -alertmanager.receivers-firewall-block-private-addresses
[alertmanager_receivers_firewall_block_private_addresses: <boolean> | default = false]

# Per-tenant rate limit for sending notifications from Alertmanager in
# notifications/sec. 0 = rate limit disabled. Negative value = no notifications
# are allowed.
# CLI flag: -alertmanager.notification-rate-limit
[alertmanager_notification_rate_limit: <float> | default = 0]

# Per-integration notification rate limits. Value is a map, where each key is
# integration name and value is a rate-limit (float). On command line, this map
# is given in JSON format. Rate limit has the same meaning as
# -alertmanager.notification-rate-limit, but only applies for specific
# integration. Allowed integration names: webhook, email, pagerduty, opsgenie,
# wechat, slack, victorops, pushover, sns, webex, telegram, discord, msteams.
# CLI flag: -alertmanager.notification-rate-limit-per-integration
[alertmanager_notification_rate_limit_per_integration: <map of string to float64> | default = {}]

# Maximum size of configuration file for Alertmanager that tenant can upload via
# Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-config-size-bytes
[alertmanager_max_config_size_bytes: <int> | default = 0]

# Maximum number of silences, including expired silences, that a tenant can have
# at once. 0 = no limit.
# CLI flag: -alertmanager.max-silences-count
[alertmanager_max_silences_count: <int> | default = 0]

# Maximum silence size in bytes. 0 = no limit.
# CLI flag: -alertmanager.max-silence-size-bytes
[alertmanager_max_silence_size_bytes: <int> | default = 0]

# Maximum number of templates in tenant's Alertmanager configuration uploaded
# via Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-templates-count
[alertmanager_max_templates_count: <int> | default = 0]

# Maximum size of a single template in tenant's Alertmanager configuration
# uploaded via Alertmanager API. 0 = no limit.
# CLI flag: -alertmanager.max-template-size-bytes
[alertmanager_max_template_size_bytes: <int> | default = 0]

# Maximum number of aggregation groups in Alertmanager's dispatcher that a
# tenant can have. Each active aggregation group uses a single goroutine. When the
# limit is reached, dispatcher will not dispatch alerts that belong to
# additional aggregation groups, but existing groups will keep working properly.
# 0 = no limit.
# CLI flag: -alertmanager.max-dispatcher-aggregation-groups
[alertmanager_max_dispatcher_aggregation_groups: <int> | default = 0]

# Maximum number of alerts that a single tenant can have. Inserting more alerts
# will fail with a log message and metric increment. 0 = no limit.
# CLI flag: -alertmanager.max-alerts-count
[alertmanager_max_alerts_count: <int> | default = 0]

# Maximum total size of alerts that a single tenant can have, alert size is the
# sum of the bytes of its labels, annotations and generatorURL. Inserting more
# alerts will fail with a log message and metric increment. 0 = no limit.
# CLI flag: -alertmanager.max-alerts-size-bytes
[alertmanager_max_alerts_size_bytes: <int> | default = 0]

# (advanced) Whether to enable automatic suffixes to names of metrics ingested
# through OTLP.
# CLI flag: -distributor.otel-metric-suffixes-enabled
[otel_metric_suffixes_enabled: <boolean> | default = false]

# (experimental) Whether to enable translation of OTel start timestamps to
# Prometheus zero samples in the OTLP endpoint.
# CLI flag: -distributor.otel-created-timestamp-zero-ingestion-enabled
[otel_created_timestamp_zero_ingestion_enabled: <boolean> | default = false]

# (experimental) The default consistency level to enforce for queries when using
# the ingest storage. Supports values: strong, eventual.
# CLI flag: -ingest-storage.read-consistency
[ingest_storage_read_consistency: <string> | default = "eventual"]

# (experimental) The number of partitions a tenant's data should be sharded to
# when using the ingest storage. Tenants are sharded across partitions using
# shuffle-sharding. 0 disables shuffle sharding and tenant is sharded across all
# partitions.
# CLI flag: -ingest-storage.ingestion-partition-tenant-shard-size
[ingestion_partitions_tenant_shard_size: <int> | default = 0]
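
The address ranges named in the description of alertmanager_receivers_firewall_block_private_addresses, as an added Go example (not GEM's or Alertmanager's own code): a pre-upload check that flags receiver URLs whose host is, or resolves to, one of those ranges. The function names, the sample DNS table, and the reading of "local" as link-local are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isBlockedAddress reports whether ip is in one of the ranges the option's
// description names: RFC 1918 and RFC 4193 private space, loopback, and
// (assumption: "local" read as link-local) link-local unicast and multicast.
func isBlockedAddress(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// resolver maps a hostname to its addresses; injected so the check is testable.
type resolver func(host string) ([]net.IP, error)

// constructedDNS is made-up sample data so the example runs offline.
var constructedDNS = map[string][]string{
	"hooks.example.com":    {"203.0.113.10"},
	"internal.example.com": {"198.51.100.7", "10.20.30.40"},
}

// staticLookup is a hypothetical resolver backed by constructedDNS.
func staticLookup(host string) ([]net.IP, error) {
	addrs, ok := constructedDNS[host]
	if !ok {
		return nil, fmt.Errorf("no such host %q", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

// checkReceiverURL returns the first blocked address the receiver URL would
// reach, or nil when every address is allowed. Literal IPs (including
// bracketed IPv6 and IPv4-mapped IPv6) are checked directly; hostnames are
// resolved first, and a single blocked record is enough to flag the URL.
func checkReceiverURL(raw string, lookup resolver) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse %q: %w", raw, err)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("no host in %q", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return nil, fmt.Errorf("resolve %q: %w", host, err)
	}
	for _, ip := range ips {
		if isBlockedAddress(ip) {
			return ip, nil
		}
	}
	return nil, nil
}

func main() {
	// Constructed receiver URLs, one per address class.
	samples := []string{
		"http://10.1.2.3:9093/hook",        // RFC 1918
		"https://172.32.0.9/hook",          // just outside 172.16.0.0/12
		"http://127.0.0.1:8080/",           // loopback
		"http://169.254.0.5/",              // link-local unicast
		"http://[fd12:3456::1]/hook",       // RFC 4193
		"http://[::ffff:192.168.1.1]/hook", // IPv4-mapped IPv6
		"http://[ff02::1]/",                // link-local multicast
		"https://hooks.example.com/x",      // public address only
		"https://internal.example.com/x",   // one of two records is private
	}
	for _, s := range samples {
		ip, err := checkReceiverURL(s, staticLookup)
		switch {
		case err != nil:
			fmt.Printf("ERROR   %s (%v)\n", s, err)
		case ip != nil:
			fmt.Printf("BLOCKED %s -> %s\n", s, ip)
		default:
			fmt.Printf("ALLOWED %s\n", s)
		}
	}
}
```

A check like this sees only the DNS answer at check time, so it complements the server-side setting rather than replacing it.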

blocks_storage

The blocks_storage block configures the blocks storage.

yaml
# Backend storage to use. Supported backends are: s3, gcs, azure, swift,
# filesystem.
# CLI flag: -blocks-storage.backend
[backend: <string> | default = "filesystem"]

s3:
  # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
  # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
  # S3-compatible service in hostname:port format.
  # CLI flag: -blocks-storage.s3.endpoint
  [endpoint: <string> | default = ""]

  # S3 region. If unset, the client will issue an S3 GetBucketLocation API call
  # to autodetect it.
  # CLI flag: -blocks-storage.s3.region
  [region: <string> | default = ""]

  # S3 bucket name
  # CLI flag: -blocks-storage.s3.bucket-name
  [bucket_name: <string> | default = ""]

  # S3 secret access key
  # CLI flag: -blocks-storage.s3.secret-access-key
  [secret_access_key: <string> | default = ""]

  # S3 access key ID
  # CLI flag: -blocks-storage.s3.access-key-id
  [access_key_id: <string> | default = ""]

  # S3 session token
  # CLI flag: -blocks-storage.s3.session-token
  [session_token: <string> | default = ""]

  # (advanced) If enabled, use http:// for the S3 endpoint instead of https://.
  # This could be useful in local dev/test environments while using an
  # S3-compatible backend storage, like Minio.
  # CLI flag: -blocks-storage.s3.insecure
  [insecure: <boolean> | default = false]

  # (advanced) The signature version to use for authenticating against S3.
  # Supported values are: v4, v2.
  # CLI flag: -blocks-storage.s3.signature-version
  [signature_version: <string> | default = "v4"]

  # (advanced) Use a specific version of the S3 list object API. Supported
  # values are v1 or v2. Default is unset.
  # CLI flag: -blocks-storage.s3.list-objects-version
  [list_objects_version: <string> | default = ""]

  # (advanced) Bucket lookup style type, used to access bucket in S3-compatible
  # service. Default is auto. Supported values are: auto, path, virtual-hosted.
  # CLI flag: -blocks-storage.s3.bucket-lookup-type
  [bucket_lookup_type: <string> | default = "auto"]

  # (experimental) When enabled, direct all AWS S3 requests to the dual-stack
  # IPv4/IPv6 endpoint for the configured region.
  # CLI flag: -blocks-storage.s3.dualstack-enabled
  [dualstack_enabled: <boolean> | default = true]

  # (experimental) The S3 storage class to use, not set by default. Details can
  # be found at https://aws.amazon.com/s3/storage-classes/. Supported values
  # are: STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA, ONEZONE_IA,
  # INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS
  # CLI flag: -blocks-storage.s3.storage-class
  [storage_class: <string> | default = ""]

  # (experimental) If enabled, it will use the default authentication methods of
  # the AWS SDK for Go based on known environment variables and known AWS config
  # files.
  # CLI flag: -blocks-storage.s3.native-aws-auth-enabled
  [native_aws_auth_enabled: <boolean> | default = false]

  # (experimental) The minimum file size in bytes used for multipart uploads. If
  # 0, the value is optimally computed for each object.
  # CLI flag: -blocks-storage.s3.part-size
  [part_size: <int> | default = 0]

  # (experimental) If enabled, a Content-MD5 header is sent with S3 Put Object
  # requests. Consumes more resources to compute the MD5, but may improve
  # compatibility with object storage services that do not support checksums.
  # CLI flag: -blocks-storage.s3.send-content-md5
  [send_content_md5: <boolean> | default = false]

  # Accessing S3 resources using temporary, secure credentials provided by AWS
  # Security Token Service.
  # CLI flag: -blocks-storage.s3.sts-endpoint
  [sts_endpoint: <string> | default = ""]

  # The s3_sse configures the S3 server-side encryption.
  # The CLI flags prefix for this block configuration is: blocks-storage
  [sse: <s3_sse>]

  http:
    # (advanced) The time an idle connection will remain idle before closing.
    # CLI flag: -blocks-storage.s3.http.idle-conn-timeout
    [idle_conn_timeout: <duration> | default = 1m30s]

    # (advanced) The amount of time the client will wait for a server's response
    # headers.
    # CLI flag: -blocks-storage.s3.http.response-header-timeout
    [response_header_timeout: <duration> | default = 2m]

    # (advanced) If the client connects to S3 via HTTPS and this option is
    # enabled, the client will accept any certificate and hostname.
    # CLI flag: -blocks-storage.s3.http.insecure-skip-verify
    [insecure_skip_verify: <boolean> | default = false]

    # (advanced) Maximum time to wait for a TLS handshake. 0 means no limit.
    # CLI flag: -blocks-storage.s3.tls-handshake-timeout
    [tls_handshake_timeout: <duration> | default = 10s]

    # (advanced) The time to wait for a server's first response headers after
    # fully writing the request headers if the request has an Expect header. 0
    # to send the request body immediately.
    # CLI flag: -blocks-storage.s3.expect-continue-timeout
    [expect_continue_timeout: <duration> | default = 1s]

    # (advanced) Maximum number of idle (keep-alive) connections across all
    # hosts. 0 means no limit.
    # CLI flag: -blocks-storage.s3.max-idle-connections
    [max_idle_connections: <int> | default = 100]

    # (advanced) Maximum number of idle (keep-alive) connections to keep
    # per-host. If 0, a built-in default value is used.
    # CLI flag: -blocks-storage.s3.max-idle-connections-per-host
    [max_idle_connections_per_host: <int> | default = 100]

    # (advanced) Maximum number of connections per host. 0 means no limit.
    # CLI flag: -blocks-storage.s3.max-connections-per-host
    [max_connections_per_host: <int> | default = 0]

    # (advanced) Path to the CA certificates to validate server certificate
    # against. If not set, the host's root CA certificates are used.
    # CLI flag: -blocks-storage.s3.http.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # (advanced) Path to the client certificate, which will be used for
    # authenticating with the server. Also requires the key path to be
    # configured.
    # CLI flag: -blocks-storage.s3.http.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # (advanced) Path to the key for the client certificate. Also requires the
    # client certificate to be configured.
    # CLI flag: -blocks-storage.s3.http.tls-key-path
    [tls_key_path: <string> | default = ""]

    # (advanced) Override the expected name on the server certificate.
    # CLI flag: -blocks-storage.s3.http.tls-server-name
    [tls_server_name: <string> | default = ""]

  trace:
    # (advanced) When enabled, low-level S3 HTTP operation information is logged
    # at the debug level.
    # CLI flag: -blocks-storage.s3.trace.enabled
    [enabled: <boolean> | default = false]

gcs:
  # GCS bucket name
  # CLI flag: -blocks-storage.gcs.bucket-name
  [bucket_name: <string> | default = ""]

  # JSON either from a Google Developers Console client_credentials.json file,
  # or a Google Developers service account key. Needs to be valid JSON, not a
  # filesystem path. If empty, fallback to Google default logic:
  # 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
  # environment variable. For workload identity federation, refer to
  # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation
  # on how to generate the JSON configuration file for on-prem/non-Google cloud
  # platforms.
  # 2. A JSON file in a location known to the gcloud command-line tool:
  # $HOME/.config/gcloud/application_default_credentials.json.
  # 3. On Google Compute Engine it fetches credentials from the metadata server.
  # CLI flag: -blocks-storage.gcs.service-account
  [service_account: <string> | default = ""]

azure:
  # Azure storage account name
  # CLI flag: -blocks-storage.azure.account-name
  [account_name: <string> | default = ""]

  # Azure storage account key. If unset, Azure managed identities will be used
  # for authentication instead.
  # CLI flag: -blocks-storage.azure.account-key
  [account_key: <string> | default = ""]

  # If `connection-string` is set, the value of `endpoint-suffix` will not be
  # used. Use this method over `account-key` if you need to authenticate via a
  # SAS token, or if you use the Azurite emulator.
  # CLI flag: -blocks-storage.azure.connection-string
  [connection_string: <string> | default = ""]

  # Azure storage container name
  # CLI flag: -blocks-storage.azure.container-name
  [container_name: <string> | default = ""]

  # Azure storage endpoint suffix without schema. The account name will be
  # prefixed to this value to create the FQDN. If set to empty string, default
  # endpoint suffix is used.
  # CLI flag: -blocks-storage.azure.endpoint-suffix
  [endpoint_suffix: <string> | default = ""]

  # (advanced) Number of retries for recoverable errors
  # CLI flag: -blocks-storage.azure.max-retries
  [max_retries: <int> | default = 20]

  # (advanced) User assigned managed identity. If empty, then System assigned
  # identity is used.
  # CLI flag: -blocks-storage.azure.user-assigned-id
  [user_assigned_id: <string> | default = ""]

swift:
  # OpenStack Swift application credential id
  # CLI flag: -blocks-storage.swift.application-credential-id
  [application_credential_id: <string> | default = ""]

  # OpenStack Swift application credential name
  # CLI flag: -blocks-storage.swift.application-credential-name
  [application_credential_name: <string> | default = ""]

  # OpenStack Swift application credential secret
  # CLI flag: -blocks-storage.swift.application-credential-secret
  [application_credential_secret: <string> | default = ""]

  # OpenStack Swift authentication API version. 0 to autodetect.
  # CLI flag: -blocks-storage.swift.auth-version
  [auth_version: <int> | default = 0]

  # OpenStack Swift authentication URL
  # CLI flag: -blocks-storage.swift.auth-url
  [auth_url: <string> | default = ""]

  # OpenStack Swift username.
  # CLI flag: -blocks-storage.swift.username
  [username: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -blocks-storage.swift.user-domain-name
  [user_domain_name: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -blocks-storage.swift.user-domain-id
  [user_domain_id: <string> | default = ""]

  # OpenStack Swift user ID.
  # CLI flag: -blocks-storage.swift.user-id
  [user_id: <string> | default = ""]

  # OpenStack Swift API key.
  # CLI flag: -blocks-storage.swift.password
  [password: <string> | default = ""]

  # OpenStack Swift user's domain ID.
  # CLI flag: -blocks-storage.swift.domain-id
  [domain_id: <string> | default = ""]

  # OpenStack Swift user's domain name.
  # CLI flag: -blocks-storage.swift.domain-name
  [domain_name: <string> | default = ""]

  # OpenStack Swift project ID (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.project-id
  [project_id: <string> | default = ""]

  # OpenStack Swift project name (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.project-name
  [project_name: <string> | default = ""]

  # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
  # differs from the user domain.
  # CLI flag: -blocks-storage.swift.project-domain-id
  [project_domain_id: <string> | default = ""]

  # Name of the OpenStack Swift project's domain (v3 auth only), only needed if
  # it differs from the user domain.
  # CLI flag: -blocks-storage.swift.project-domain-name
  [project_domain_name: <string> | default = ""]

  # OpenStack Swift Region to use (v2,v3 auth only).
  # CLI flag: -blocks-storage.swift.region-name
  [region_name: <string> | default = ""]

  # Name of the OpenStack Swift container to put chunks in.
  # CLI flag: -blocks-storage.swift.container-name
  [container_name: <string> | default = ""]

  # (advanced) Max retries on requests error.
  # CLI flag: -blocks-storage.swift.max-retries
  [max_retries: <int> | default = 3]

  # (advanced) Time after which a connection attempt is aborted.
  # CLI flag: -blocks-storage.swift.connect-timeout
  [connect_timeout: <duration> | default = 10s]

  # (advanced) Time after which an idle request is aborted. The timeout watchdog
  # is reset each time some data is received, so the timeout triggers after X
  # time no data is received on a request.
  # CLI flag: -blocks-storage.swift.request-timeout
  [request_timeout: <duration> | default = 5s]

filesystem:
  # Local filesystem storage directory.
  # CLI flag: -blocks-storage.filesystem.dir
  [dir: <string> | default = "blocks"]

# Prefix for all objects stored in the backend storage. For simplicity, it may
# only contain digits and English alphabet letters.
# CLI flag: -blocks-storage.storage-prefix
[storage_prefix: <string> | default = ""]

# This configures how the querier and store-gateway discover and synchronize
# blocks stored in the bucket.
bucket_store:
  # Directory to store synchronized TSDB index headers. This directory is not
  # required to be persisted between restarts, but it's highly recommended in
  # order to improve the store-gateway startup time.
  # CLI flag: -blocks-storage.bucket-store.sync-dir
  [sync_dir: <string> | default = "./tsdb-sync/"]

  # (advanced) How frequently to scan the bucket, or to refresh the bucket index
  # (if enabled), in order to look for changes (new blocks shipped by ingesters
  # and blocks deleted by retention or compaction).
  # CLI flag: -blocks-storage.bucket-store.sync-interval
  [sync_interval: <duration> | default = 15m]

  # (advanced) Max number of concurrent queries to execute against the long-term
  # storage. The limit is shared across all tenants.
  # CLI flag: -blocks-storage.bucket-store.max-concurrent
  [max_concurrent: <int> | default = 200]

  # (advanced) Timeout for the queue of queries waiting for execution. If the
  # queue is full and the timeout is reached, the query will be retried on
  # another store-gateway. 0 means no timeout and all queries will wait
  # indefinitely for their turn.
  # CLI flag: -blocks-storage.bucket-store.max-concurrent-queue-timeout
  [max_concurrent_queue_timeout: <duration> | default = 5s]

  # (advanced) Maximum number of concurrent tenants synching blocks.
  # CLI flag: -blocks-storage.bucket-store.tenant-sync-concurrency
  [tenant_sync_concurrency: <int> | default = 1]

  # (advanced) Maximum number of concurrent blocks synching per tenant.
  # CLI flag: -blocks-storage.bucket-store.block-sync-concurrency
  [block_sync_concurrency: <int> | default = 4]

  # (advanced) Number of Go routines to use when syncing block meta files from
  # object storage per tenant.
  # CLI flag: -blocks-storage.bucket-store.meta-sync-concurrency
  [meta_sync_concurrency: <int> | default = 20]

  index_cache:
    # The index cache backend type. Supported values: inmemory, memcached,
    # redis.
    # CLI flag: -blocks-storage.bucket-store.index-cache.backend
    [backend: <string> | default = "inmemory"]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.index-cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.index-cache
    [redis: <redis>]

    inmemory:
      # Maximum size in bytes of in-memory index cache used to speed up blocks
      # index lookups (shared between all tenants).
      # CLI flag: -blocks-storage.bucket-store.index-cache.inmemory.max-size-bytes
      [max_size_bytes: <int> | default = 1073741824]

  chunks_cache:
    # Backend for chunks cache, if not empty. Supported values: memcached,
    # redis.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.backend
    [backend: <string> | default = ""]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.chunks-cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.chunks-cache
    [redis: <redis>]

    # (advanced) Maximum number of sub-GetRange requests that a single GetRange
    # request can be split into when fetching chunks. Zero or negative value =
    # unlimited number of sub-requests.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.max-get-range-requests
    [max_get_range_requests: <int> | default = 3]

    # (advanced) TTL for caching object attributes for chunks. If the metadata
    # cache is configured, attributes will be stored under this cache backend,
    # otherwise attributes are stored in the chunks cache backend.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.attributes-ttl
    [attributes_ttl: <duration> | default = 168h]

    # (advanced) Maximum number of object attribute items to keep in a first
    # level in-memory LRU cache. Metadata will be stored and fetched in-memory
    # before hitting the cache backend. 0 to disable the in-memory cache.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.attributes-in-memory-max-items
    [attributes_in_memory_max_items: <int> | default = 50000]

    # (advanced) TTL for caching individual chunks subranges.
    # CLI flag: -blocks-storage.bucket-store.chunks-cache.subrange-ttl
    [subrange_ttl: <duration> | default = 24h]

  metadata_cache:
    # Backend for metadata cache, if not empty. Supported values: memcached,
    # redis.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.backend
    [backend: <string> | default = ""]

    # The memcached block configures the Memcached-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.metadata-cache
    [memcached: <memcached>]

    # The redis block configures the Redis-based caching backend.
    # The CLI flags prefix for this block configuration is:
    # blocks-storage.bucket-store.metadata-cache
    [redis: <redis>]

    # (advanced) How long to cache list of tenants in the bucket.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.tenants-list-ttl
    [tenants_list_ttl: <duration> | default = 15m]

    # (advanced) How long to cache list of blocks for each tenant.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.tenant-blocks-list-ttl
    [tenant_blocks_list_ttl: <duration> | default = 5m]

    # (advanced) How long to cache list of chunks for a block.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.chunks-list-ttl
    [chunks_list_ttl: <duration> | default = 24h]

    # (advanced) How long to cache information that block metafile exists. Also
    # used for tenant deletion mark file.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-exists-ttl
    [metafile_exists_ttl: <duration> | default = 2h]

    # (advanced) How long to cache information that block metafile doesn't
    # exist. Also used for tenant deletion mark file.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-doesnt-exist-ttl
    [metafile_doesnt_exist_ttl: <duration> | default = 5m]

    # (advanced) How long to cache content of the metafile.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-content-ttl
    [metafile_content_ttl: <duration> | default = 24h]

    # (advanced) Maximum size of metafile content to cache in bytes. Caching
    # will be skipped if the content exceeds this size. This is useful to avoid
    # network round trip for large content if the configured caching backend has
    # a hard limit on cached items size (in this case, you should set this
    # limit to the same limit in the caching backend).
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-max-size-bytes
    [metafile_max_size_bytes: <int> | default = 1048576]

    # (advanced) How long to cache attributes of the block metafile.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.metafile-attributes-ttl
    [metafile_attributes_ttl: <duration> | default = 168h]

    # (advanced) How long to cache attributes of the block index.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.block-index-attributes-ttl
    [block_index_attributes_ttl: <duration> | default = 168h]

    # (advanced) How long to cache content of the bucket index.
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.bucket-index-content-ttl
    [bucket_index_content_ttl: <duration> | default = 5m]

    # (advanced) Maximum size of bucket index content to cache in bytes. Caching
    # will be skipped if the content exceeds this size. This is useful to avoid
    # network round trip for large content if the configured caching backend has
    # a hard limit on cached items size (in this case, you should set this
    # limit to the same limit in the caching backend).
    # CLI flag: -blocks-storage.bucket-store.metadata-cache.bucket-index-max-size-bytes
    [bucket_index_max_size_bytes: <int> | default = 1048576]

  # (advanced) Duration after which the blocks marked for deletion will be
  # filtered out while fetching blocks. The idea of ignore-deletion-marks-delay
  # is to ignore blocks that are marked for deletion with some delay. This
  # ensures store can still serve blocks that are meant to be deleted but do not
  # have a replacement yet.
  # CLI flag: -blocks-storage.bucket-store.ignore-deletion-marks-delay
  [ignore_deletion_mark_delay: <duration> | default = 1h]

  # (experimental) Duration after which blocks marked for deletion will still be
  # queried. This ensures queriers still query blocks that are meant to be
  # deleted but do not have a replacement yet.
  # CLI flag: -blocks-storage.bucket-store.ignore-deletion-marks-while-querying-delay
  [ignore_deletion_mark_while_querying_delay: <duration> | default = 50m]

  bucket_index:
    # (advanced) How frequently a bucket index, which previously failed to load,
    # should be tried to load again. This option is used only by querier.
    # CLI flag: -blocks-storage.bucket-store.bucket-index.update-on-error-interval
    [update_on_error_interval: <duration> | default = 1m]

    # (advanced) How long an unused bucket index should be cached. Once this
    # timeout expires, the unused bucket index is removed from the in-memory
    # cache. This option is used only by querier.
    # CLI flag: -blocks-storage.bucket-store.bucket-index.idle-timeout
    [idle_timeout: <duration> | default = 1h]

    # (advanced) The maximum allowed age of a bucket index (last updated) before
    # queries start failing because the bucket index is too old. The bucket
    # index is periodically updated by the compactor, and this check is enforced
    # in the querier (at query time).
    # CLI flag: -blocks-storage.bucket-store.bucket-index.max-stale-period
    [max_stale_period: <duration> | default = 1h]

  # (advanced) Blocks with minimum time within this duration are ignored, and
  # not loaded by store-gateway. Useful when used together with
  # -querier.query-store-after to prevent loading young blocks, because there
  # are usually many of them (depending on number of ingesters) and they are not
  # yet compacted. Negative values or 0 disable the filter.
  # CLI flag: -blocks-storage.bucket-store.ignore-blocks-within
  [ignore_blocks_within: <duration> | default = 10h]

  # (advanced) Max size - in bytes - of the in-memory series hash cache. The
  # cache is shared across all tenants and it's used only when query sharding is
  # enabled.
  # CLI flag: -blocks-storage.bucket-store.series-hash-cache-max-size-bytes
  [series_hash_cache_max_size_bytes: <int> | default = 1073741824]

  # (advanced) Max size - in bytes - of a gap for which the partitioner
  # aggregates together two bucket GET object requests.
  # CLI flag: -blocks-storage.bucket-store.partitioner-max-gap-bytes
  [partitioner_max_gap_bytes: <int> | default = 524288]

  # (advanced) Controls what is the ratio of postings offsets that the store
  # will hold in memory.
  # CLI flag: -blocks-storage.bucket-store.posting-offsets-in-mem-sampling
  [postings_offsets_in_mem_sampling: <int> | default = 32]

  index_header:
    # (advanced) Maximum number of idle file handles the store-gateway keeps
    # open for each index-header file.
    # CLI flag: -blocks-storage.bucket-store.index-header.max-idle-file-handles
    [max_idle_file_handles: <int> | default = 1]

    # (experimental) If enabled, store-gateway will periodically persist block
    # IDs of lazy loaded index-headers and load them eagerly during startup.
    # Ignored if index-header lazy loading is disabled.
    # CLI flag: -blocks-storage.bucket-store.index-header.eager-loading-startup-enabled
    [eager_loading_startup_enabled: <boolean> | default = true]

    # (advanced) If enabled, store-gateway will lazy load an index-header only
    # once required by a query.
    # CLI flag: -blocks-storage.bucket-store.index-header.lazy-loading-enabled
    [lazy_loading_enabled: <boolean> | default = true]

    # (advanced) If index-header lazy loading is enabled and this setting is >
    # 0, the store-gateway will offload unused index-headers after 'idle
    # timeout' inactivity.
    # CLI flag: -blocks-storage.bucket-store.index-header.lazy-loading-idle-timeout
    [lazy_loading_idle_timeout: <duration> | default = 1h]

    # (advanced) Maximum number of concurrent index header loads across all
    # tenants. If set to 0, concurrency is unlimited.
    # CLI flag: -blocks-storage.bucket-store.index-header.lazy-loading-concurrency
    [lazy_loading_concurrency: <int> | default = 4]

    # (advanced) Timeout for the queue of index header loads. If the queue is
    # full and the timeout is reached, the load will return an error. 0 means no
    # timeout and the load will wait indefinitely.
    # CLI flag: -blocks-storage.bucket-store.index-header.lazy-loading-concurrency-queue-timeout
    [lazy_loading_concurrency_queue_timeout: <duration> | default = 5s]

    # (advanced) If true, verify the checksum of index headers upon loading them
    # (either on startup or lazily when lazy loading is enabled). Setting to
    # true helps detect disk corruption at the cost of slowing down index header
    # loading.
    # CLI flag: -blocks-storage.bucket-store.index-header.verify-on-load
    [verify_on_load: <boolean> | default = false]

  # (advanced) This option controls how many series to fetch per batch. The
  # batch size must be greater than 0.
  # CLI flag: -blocks-storage.bucket-store.batch-series-size
  [streaming_series_batch_size: <int> | default = 5000]

  # (advanced) This parameter controls the trade-off in fetching series versus
  # fetching postings to fulfill a series request. Increasing the series
  # preference results in fetching more series and reducing the volume of
  # postings fetched. Reducing the series preference results in the opposite.
  # Increase this parameter to reduce the rate of fetched series bytes (see
  # "Mimir / Queries" dashboard) or API calls to the object store. Must be a
  # positive floating point number.
  # CLI flag: -blocks-storage.bucket-store.series-fetch-preference
  [series_fetch_preference: <float> | default = 0.75]

tsdb:
  # Directory to store TSDBs (including WAL) in the ingesters. This directory is
  # required to be persisted between restarts.
  # CLI flag: -blocks-storage.tsdb.dir
  [dir: <string> | default = "./tsdb/"]

  # TSDB blocks retention in the ingester before a block is removed. If shipping
  # is enabled, the retention will be relative to the time when the block was
  # uploaded to storage. If shipping is disabled then it's relative to the
  # creation time of the block. This should be larger than the
  # -blocks-storage.tsdb.block-ranges-period, -querier.query-store-after and
  # large enough to give store-gateways and queriers enough time to discover
  # newly uploaded blocks.
  # CLI flag: -blocks-storage.tsdb.retention-period
  [retention_period: <duration> | default = 13h]

  # (advanced) How frequently the TSDB blocks are scanned and new ones are
  # shipped to the storage. 0 means shipping is disabled.
  # CLI flag: -blocks-storage.tsdb.ship-interval
  [ship_interval: <duration> | default = 1m]

  # (advanced) Maximum number of tenants concurrently shipping blocks to the
  # storage.
  # CLI flag: -blocks-storage.tsdb.ship-concurrency
  [ship_concurrency: <int> | default = 10]

  # (advanced) How frequently the ingester checks whether the TSDB head should
  # be compacted and, if so, triggers the compaction. GEM applies a jitter to
  # the first check, and subsequent checks will happen at the configured
  # interval. A block is only created if data covers the smallest block range.
  # The configured interval must be between 0 and 15 minutes.
  # CLI flag: -blocks-storage.tsdb.head-compaction-interval
  [head_compaction_interval: <duration> | default = 1m]

  # (advanced) Maximum number of tenants concurrently compacting TSDB head into
  # a new block
  # CLI flag: -blocks-storage.tsdb.head-compaction-concurrency
  [head_compaction_concurrency: <int> | default = 1]

  # (advanced) If TSDB head is idle for this duration, it is compacted. Note
  # that up to 25% jitter is added to the value to avoid ingesters compacting
  # concurrently. 0 means disabled.
  # CLI flag: -blocks-storage.tsdb.head-compaction-idle-timeout
  [head_compaction_idle_timeout: <duration> | default = 1h]

  # (advanced) The write buffer size used by the head chunks mapper. Lower
  # values reduce memory utilisation on clusters with a large number of tenants
  # at the cost of increased disk I/O operations. The configured buffer size
  # must be between 65536 and 8388608.
  # CLI flag: -blocks-storage.tsdb.head-chunks-write-buffer-size-bytes
  [head_chunks_write_buffer_size_bytes: <int> | default = 4194304]

  # (experimental) How much variance (as percentage between 0 and 1) should be
  # applied to the chunk end time, to spread chunks writing across time. Doesn't
  # apply to the last chunk of the chunk range. 0 means no variance.
  # CLI flag: -blocks-storage.tsdb.head-chunks-end-time-variance
  [head_chunks_end_time_variance: <float> | default = 0]

  # (advanced) The number of shards of series to use in TSDB (must be a power of
  # 2). Reducing this will decrease memory footprint, but can negatively impact
  # performance.
  # CLI flag: -blocks-storage.tsdb.stripe-size
  [stripe_size: <int> | default = 16384]

  # (advanced) True to enable TSDB WAL compression.
  # CLI flag: -blocks-storage.tsdb.wal-compression-enabled
  [wal_compression_enabled: <boolean> | default = false]

  # (advanced) TSDB WAL segments files max size (bytes).
  # CLI flag: -blocks-storage.tsdb.wal-segment-size-bytes
  [wal_segment_size_bytes: <int> | default = 134217728]

  # (advanced) Maximum number of CPUs that can simultaneously process WAL
  # replay. If it is set to 0, then each TSDB is replayed with a concurrency
  # equal to the number of CPU cores available on the machine.
  # CLI flag: -blocks-storage.tsdb.wal-replay-concurrency
  [wal_replay_concurrency: <int> | default = 0]

  # (advanced) True to flush blocks to storage on shutdown. If false, incomplete
  # blocks will be reused after restart.
  # CLI flag: -blocks-storage.tsdb.flush-blocks-on-shutdown
  [flush_blocks_on_shutdown: <boolean> | default = false]

  # (advanced) If TSDB has not received any data for this duration, and all
  # blocks from TSDB have been shipped, TSDB is closed and deleted from local
  # disk. If set to positive value, this value should be equal or higher than
  # -querier.query-ingesters-within flag to make sure that TSDB is not closed
  # prematurely, which could cause partial query results. 0 or negative value
  # disables closing of idle TSDB.
  # CLI flag: -blocks-storage.tsdb.close-idle-tsdb-timeout
  [close_idle_tsdb_timeout: <duration> | default = 13h]

  # (experimental) True to enable snapshotting of in-memory TSDB data on disk
  # when shutting down.
  # CLI flag: -blocks-storage.tsdb.memory-snapshot-on-shutdown
  [memory_snapshot_on_shutdown: <boolean> | default = false]

  # (advanced) The size of the write queue used by the head chunks mapper. Lower
  # values reduce memory utilisation at the cost of potentially higher ingest
  # latency. Value of 0 switches chunks mapper to implementation without a
  # queue.
  # CLI flag: -blocks-storage.tsdb.head-chunks-write-queue-size
  [head_chunks_write_queue_size: <int> | default = 1000000]

  # (advanced) Max size - in bytes - of the in-memory series hash cache. The
  # cache is shared across all tenants and it's used only when query sharding is
  # enabled.
  # CLI flag: -blocks-storage.tsdb.series-hash-cache-max-size-bytes
  [series_hash_cache_max_size_bytes: <int> | default = 367001600]

  # (experimental) Maximum capacity for out of order chunks, in samples between
  # 1 and 255.
  # CLI flag: -blocks-storage.tsdb.out-of-order-capacity-max
  [out_of_order_capacity_max: <int> | default = 32]

  # (experimental) How long to cache postings for matchers in the Head and
  # OOOHead. 0 disables the cache and just deduplicates the in-flight calls.
  # CLI flag: -blocks-storage.tsdb.head-postings-for-matchers-cache-ttl
  [head_postings_for_matchers_cache_ttl: <duration> | default = 10s]

  # (deprecated) Maximum number of entries in the cache for postings for
  # matchers in the Head and OOOHead when TTL is greater than 0.
  # CLI flag: -blocks-storage.tsdb.head-postings-for-matchers-cache-size
  [head_postings_for_matchers_cache_size: <int> | default = 100]

  # (experimental) Maximum size in bytes of the cache for postings for matchers
  # in the Head and OOOHead when TTL is greater than 0.
  # CLI flag: -blocks-storage.tsdb.head-postings-for-matchers-cache-max-bytes
  [head_postings_for_matchers_cache_max_bytes: <int> | default = 104857600]

  # (experimental) Force the cache to be used for postings for matchers in the
  # Head and OOOHead, even if it's not a concurrent (query-sharding) call.
  # CLI flag: -blocks-storage.tsdb.head-postings-for-matchers-cache-force
  [head_postings_for_matchers_cache_force: <boolean> | default = false]

  # (experimental) How long to cache postings for matchers in each compacted
  # block queried from the ingester. 0 disables the cache and just deduplicates
  # the in-flight calls.
  # CLI flag: -blocks-storage.tsdb.block-postings-for-matchers-cache-ttl
  [block_postings_for_matchers_cache_ttl: <duration> | default = 10s]

  # (deprecated) Maximum number of entries in the cache for postings for
  # matchers in each compacted block when TTL is greater than 0.
  # CLI flag: -blocks-storage.tsdb.block-postings-for-matchers-cache-size
  [block_postings_for_matchers_cache_size: <int> | default = 100]

  # (experimental) Maximum size in bytes of the cache for postings for matchers
  # in each compacted block when TTL is greater than 0.
  # CLI flag: -blocks-storage.tsdb.block-postings-for-matchers-cache-max-bytes
  [block_postings_for_matchers_cache_max_bytes: <int> | default = 104857600]

  # (experimental) Force the cache to be used for postings for matchers in
  # compacted blocks, even if it's not a concurrent (query-sharding) call.
  # CLI flag: -blocks-storage.tsdb.block-postings-for-matchers-cache-force
  [block_postings_for_matchers_cache_force: <boolean> | default = false]

  # (experimental) When the number of in-memory series in the ingester is equal
  # to or greater than this setting, the ingester tries to compact the TSDB
  # Head. The early compaction removes from the memory all samples and inactive
  # series up until -ingester.active-series-metrics-idle-timeout time ago. After
  # an early compaction, the ingester will not accept any sample with a
  # timestamp older than -ingester.active-series-metrics-idle-timeout time ago
  # (unless out of order ingestion is enabled). The ingester checks every
  # -blocks-storage.tsdb.head-compaction-interval whether an early compaction is
  # required. Use 0 to disable it.
  # CLI flag: -blocks-storage.tsdb.early-head-compaction-min-in-memory-series
  [early_head_compaction_min_in_memory_series: <int> | default = 0]

  # (experimental) When the early compaction is enabled, the early compaction is
  # triggered only if the estimated series reduction is at least the configured
  # percentage (0-100).
  # CLI flag: -blocks-storage.tsdb.early-head-compaction-min-estimated-series-reduction-percentage
  [early_head_compaction_min_estimated_series_reduction_percentage: <int> | default = 15]

  # (experimental) Allows head compaction to happen when the min block range can
  # no longer be appended, without requiring 1.5x the chunk range worth of data
  # in the head.
  # CLI flag: -blocks-storage.tsdb.timely-head-compaction-enabled
  [timely_head_compaction_enabled: <boolean> | default = false]

# Rate limit (per second), if set <= 0 rate limiting is disabled.
# CLI flag: -blocks-storage.bucket-rate-limit.limit
[bucket_rate_limit: <float> | default = 0]

# Burst size
# CLI flag: -blocks-storage.bucket-rate-limit.burst
[bucket_rate_limit_burst: <int> | default = 1]

compactor

The compactor block configures the compactor for the blocks storage.

yaml
# (advanced) List of compaction time ranges.
# CLI flag: -compactor.block-ranges
[block_ranges: <list of durations> | default = 2h0m0s,12h0m0s,24h0m0s]

# (advanced) Number of Go routines to use when downloading blocks for compaction
# and uploading resulting blocks.
# CLI flag: -compactor.block-sync-concurrency
[block_sync_concurrency: <int> | default = 8]

# (advanced) Number of Go routines to use when syncing block meta files from the
# long term storage.
# CLI flag: -compactor.meta-sync-concurrency
[meta_sync_concurrency: <int> | default = 20]

# Directory to temporarily store blocks during compaction. This directory is not
# required to be persisted between restarts.
# CLI flag: -compactor.data-dir
[data_dir: <string> | default = "./data-compactor/"]

# (advanced) The frequency at which the compaction runs.
# CLI flag: -compactor.compaction-interval
[compaction_interval: <duration> | default = 1h]

# (advanced) How many times to retry a failed compaction within a single
# compaction run.
# CLI flag: -compactor.compaction-retries
[compaction_retries: <int> | default = 3]

# (advanced) Max number of concurrent compactions running.
# CLI flag: -compactor.compaction-concurrency
[compaction_concurrency: <int> | default = 1]

# How long the compactor waits before compacting first-level blocks that are
# uploaded by the ingesters. This configuration option allows for the reduction
# of cases where the compactor begins to compact blocks before all ingesters
# have uploaded their blocks to the storage.
# CLI flag: -compactor.first-level-compaction-wait-period
[first_level_compaction_wait_period: <duration> | default = 25m]

# (advanced) How frequently the compactor should run blocks cleanup and
# maintenance, as well as update the bucket index.
# CLI flag: -compactor.cleanup-interval
[cleanup_interval: <duration> | default = 15m]

# (advanced) Max number of tenants for which blocks cleanup and maintenance
# should run concurrently.
# CLI flag: -compactor.cleanup-concurrency
[cleanup_concurrency: <int> | default = 20]

# (advanced) Time before a block marked for deletion is deleted from bucket. If
# not 0, blocks will be marked for deletion and the compactor component will
# permanently delete blocks marked for deletion from the bucket. If 0, blocks
# will be deleted straight away. Note that deleting blocks immediately can cause
# query failures.
# CLI flag: -compactor.deletion-delay
[deletion_delay: <duration> | default = 12h]

# (advanced) For tenants marked for deletion, this is the time between deletion
# of the last block, and doing final cleanup (marker files, debug files) of the
# tenant.
# CLI flag: -compactor.tenant-cleanup-delay
[tenant_cleanup_delay: <duration> | default = 6h]

# (advanced) Max time for starting compactions for a single tenant. After this
# time no new compactions for the tenant are started before next compaction
# cycle. This can help in multi-tenant environments to avoid single tenant using
# all compaction time, but also in single-tenant environments to force new
# discovery of blocks more often. 0 = disabled.
# CLI flag: -compactor.max-compaction-time
[max_compaction_time: <duration> | default = 1h]

# (experimental) If enabled, will delete the bucket-index, markers and debug
# files in the tenant bucket when there are no blocks left in the index.
# CLI flag: -compactor.no-blocks-file-cleanup-enabled
[no_blocks_file_cleanup_enabled: <boolean> | default = false]

# (advanced) Number of goroutines opening blocks before compaction.
# CLI flag: -compactor.max-opening-blocks-concurrency
[max_opening_blocks_concurrency: <int> | default = 1]

# (advanced) Max number of blocks that can be closed concurrently during split
# compaction. Note that closing a newly compacted block uses a lot of memory for
# writing the index.
# CLI flag: -compactor.max-closing-blocks-concurrency
[max_closing_blocks_concurrency: <int> | default = 1]

# (advanced) Number of symbols flushers used when doing split compaction.
# CLI flag: -compactor.symbols-flushers-concurrency
[symbols_flushers_concurrency: <int> | default = 1]

# (advanced) Max number of uploaded blocks that can be validated concurrently. 0
# = no limit.
# CLI flag: -compactor.max-block-upload-validation-concurrency
[max_block_upload_validation_concurrency: <int> | default = 1]

# (advanced) Comma separated list of tenants that can be compacted. If
# specified, only these tenants will be compacted by the compactor, otherwise
# all tenants can be compacted. Subject to sharding.
# CLI flag: -compactor.enabled-tenants
[enabled_tenants: <string> | default = ""]

# (advanced) Comma separated list of tenants that cannot be compacted by the
# compactor. If specified, and the compactor would normally pick a given tenant
# for compaction (via -compactor.enabled-tenants or sharding), it will be
# ignored instead.
# CLI flag: -compactor.disabled-tenants
[disabled_tenants: <string> | default = ""]

sharding_ring:
  # The key-value store used to share the hash ring across multiple instances.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -compactor.ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -compactor.ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is: compactor.ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is: compactor.ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -compactor.ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -compactor.ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -compactor.ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -compactor.ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -compactor.ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which compactors are considered
  # unhealthy within the ring. 0 = never (timeout disabled).
  # CLI flag: -compactor.ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -compactor.ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -compactor.ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -compactor.ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -compactor.ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -compactor.ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

  # (advanced) Minimum time to wait for ring stability at startup. 0 to disable.
  # CLI flag: -compactor.ring.wait-stability-min-duration
  [wait_stability_min_duration: <duration> | default = 0s]

  # (advanced) Maximum time to wait for ring stability at startup. If the
  # compactor ring keeps changing after this period of time, the compactor will
  # start anyway.
  # CLI flag: -compactor.ring.wait-stability-max-duration
  [wait_stability_max_duration: <duration> | default = 5m]

  # (advanced) Timeout for waiting on compactor to become ACTIVE in the ring.
  # CLI flag: -compactor.ring.wait-active-instance-timeout
  [wait_active_instance_timeout: <duration> | default = 10m]

# (advanced) The sorting to use when deciding which compaction jobs should run
# first for a given tenant. Supported values are:
# smallest-range-oldest-blocks-first, newest-blocks-first.
# CLI flag: -compactor.compaction-jobs-order
[compaction_jobs_order: <string> | default = "smallest-range-oldest-blocks-first"]

store_gateway

The store_gateway block configures the store-gateway service used by the blocks storage.

yaml
# The hash ring configuration.
sharding_ring:
  # The key-value store used to share the hash ring across multiple instances.
  # This option needs to be set on the store-gateway, querier and ruler when
  # running in microservices mode.
  kvstore:
    # Backend storage to use for the ring. Supported values are: consul, etcd,
    # inmemory, memberlist, multi.
    # CLI flag: -store-gateway.sharding-ring.store
    [store: <string> | default = "memberlist"]

    # (advanced) The prefix for the keys in the store. Should end with a /.
    # CLI flag: -store-gateway.sharding-ring.prefix
    [prefix: <string> | default = "collectors/"]

    # The consul configures the consul client.
    # The CLI flags prefix for this block configuration is:
    # store-gateway.sharding-ring
    [consul: <consul>]

    # The etcd configures the etcd client.
    # The CLI flags prefix for this block configuration is:
    # store-gateway.sharding-ring
    [etcd: <etcd>]

    multi:
      # (advanced) Primary backend storage used by multi-client.
      # CLI flag: -store-gateway.sharding-ring.multi.primary
      [primary: <string> | default = ""]

      # (advanced) Secondary backend storage used by multi-client.
      # CLI flag: -store-gateway.sharding-ring.multi.secondary
      [secondary: <string> | default = ""]

      # (advanced) Mirror writes to secondary store.
      # CLI flag: -store-gateway.sharding-ring.multi.mirror-enabled
      [mirror_enabled: <boolean> | default = false]

      # (advanced) Timeout for storing value to secondary store.
      # CLI flag: -store-gateway.sharding-ring.multi.mirror-timeout
      [mirror_timeout: <duration> | default = 2s]

  # (advanced) Period at which to heartbeat to the ring. 0 = disabled.
  # CLI flag: -store-gateway.sharding-ring.heartbeat-period
  [heartbeat_period: <duration> | default = 15s]

  # (advanced) The heartbeat timeout after which store gateways are considered
  # unhealthy within the ring. 0 = never (timeout disabled). This option needs
  # to be set on the store-gateway, querier and ruler when running in
  # microservices mode.
  # CLI flag: -store-gateway.sharding-ring.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # (advanced) The replication factor to use when sharding blocks. This option
  # needs to be set on the store-gateway, querier and ruler when running in
  # microservices mode.
  # CLI flag: -store-gateway.sharding-ring.replication-factor
  [replication_factor: <int> | default = 3]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -store-gateway.sharding-ring.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # (advanced) Number of tokens for each store-gateway.
  # CLI flag: -store-gateway.sharding-ring.num-tokens
  [num_tokens: <int> | default = 512]

  # True to enable zone-awareness and replicate blocks across different
  # availability zones. This option needs to be set on the store-gateway,
  # querier and ruler when running in microservices mode.
  # CLI flag: -store-gateway.sharding-ring.zone-awareness-enabled
  [zone_awareness_enabled: <boolean> | default = false]

  # When enabled, a store-gateway is automatically removed from the ring after
  # failing to heartbeat the ring for a period longer than 10 times the
  # configured -store-gateway.sharding-ring.heartbeat-timeout.
  # CLI flag: -store-gateway.sharding-ring.auto-forget-enabled
  [auto_forget_enabled: <boolean> | default = true]

  # (advanced) Minimum time to wait for ring stability at startup, if set to
  # positive value.
  # CLI flag: -store-gateway.sharding-ring.wait-stability-min-duration
  [wait_stability_min_duration: <duration> | default = 0s]

  # (advanced) Maximum time to wait for ring stability at startup. If the
  # store-gateway ring keeps changing after this period of time, the
  # store-gateway will start anyway.
  # CLI flag: -store-gateway.sharding-ring.wait-stability-max-duration
  [wait_stability_max_duration: <duration> | default = 5m]

  # (advanced) Instance ID to register in the ring.
  # CLI flag: -store-gateway.sharding-ring.instance-id
  [instance_id: <string> | default = "<hostname>"]

  # List of network interface names to look up when finding the instance IP
  # address.
  # CLI flag: -store-gateway.sharding-ring.instance-interface-names
  [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

  # (advanced) Port to advertise in the ring (defaults to
  # -server.grpc-listen-port).
  # CLI flag: -store-gateway.sharding-ring.instance-port
  [instance_port: <int> | default = 0]

  # (advanced) IP address to advertise in the ring. Default is auto-detected.
  # CLI flag: -store-gateway.sharding-ring.instance-addr
  [instance_addr: <string> | default = ""]

  # (advanced) Enable using an IPv6 instance address. (default false)
  # CLI flag: -store-gateway.sharding-ring.instance-enable-ipv6
  [instance_enable_ipv6: <boolean> | default = false]

  # The availability zone where this instance is running. Required if
  # zone-awareness is enabled.
  # CLI flag: -store-gateway.sharding-ring.instance-availability-zone
  [instance_availability_zone: <string> | default = ""]

  # Unregister from the ring upon clean shutdown.
  # CLI flag: -store-gateway.sharding-ring.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

# (advanced) Comma separated list of tenants that can be loaded by the
# store-gateway. If specified, only blocks for these tenants will be loaded by
# the store-gateway, otherwise all tenants can be loaded. Subject to sharding.
# CLI flag: -store-gateway.enabled-tenants
[enabled_tenants: <string> | default = ""]

# (advanced) Comma separated list of tenants that cannot be loaded by the
# store-gateway. If specified, and the store-gateway would normally load a given
# tenant (via -store-gateway.enabled-tenants or sharding), it will be
# ignored instead.
# CLI flag: -store-gateway.disabled-tenants
[disabled_tenants: <string> | default = ""]

memcached

The memcached block configures the Memcached-based caching backend. The supported CLI flags <prefix> used to reference this configuration block are:

  • admin.client.cache
  • blocks-storage.bucket-store.chunks-cache
  • blocks-storage.bucket-store.index-cache
  • blocks-storage.bucket-store.metadata-cache
  • graphite.querier.aggregation-cache
  • graphite.querier.metric-name-cache
  • query-frontend.results-cache
  • ruler-storage.cache

 

yaml
# Comma-separated list of memcached addresses. Each address can be an IP
# address, hostname, or an entry specified in the DNS Service Discovery format.
# CLI flag: -<prefix>.memcached.addresses
[addresses: <string> | default = ""]

# The socket read/write timeout.
# CLI flag: -<prefix>.memcached.timeout
[timeout: <duration> | default = 200ms]

# The connection timeout.
# CLI flag: -<prefix>.memcached.connect-timeout
[connect_timeout: <duration> | default = 200ms]

# (experimental) The size of the write buffer (in bytes). The buffer is
# allocated for each connection to memcached.
# CLI flag: -<prefix>.memcached.write-buffer-size-bytes
[write_buffer_size_bytes: <int> | default = 4096]

# (experimental) The size of the read buffer (in bytes). The buffer is allocated
# for each connection to memcached.
# CLI flag: -<prefix>.memcached.read-buffer-size-bytes
[read_buffer_size_bytes: <int> | default = 4096]

# (advanced) The minimum number of idle connections to keep open as a percentage
# (0-100) of the number of recently used idle connections. If negative, idle
# connections are kept open indefinitely.
# CLI flag: -<prefix>.memcached.min-idle-connections-headroom-percentage
[min_idle_connections_headroom_percentage: <float> | default = -1]

# (advanced) The maximum number of idle connections that will be maintained per
# address.
# CLI flag: -<prefix>.memcached.max-idle-connections
[max_idle_connections: <int> | default = 100]

# (advanced) The maximum number of concurrent asynchronous operations that can
# occur.
# CLI flag: -<prefix>.memcached.max-async-concurrency
[max_async_concurrency: <int> | default = 50]

# (advanced) The maximum number of enqueued asynchronous operations allowed.
# CLI flag: -<prefix>.memcached.max-async-buffer-size
[max_async_buffer_size: <int> | default = 25000]

# (advanced) The maximum number of concurrent connections running get
# operations. If set to 0, concurrency is unlimited.
# CLI flag: -<prefix>.memcached.max-get-multi-concurrency
[max_get_multi_concurrency: <int> | default = 100]

# (advanced) The maximum number of keys a single underlying get operation should
# run. If more keys are specified, internally keys are split into multiple
# batches and fetched concurrently, honoring the max concurrency. If set to 0,
# the max batch size is unlimited.
# CLI flag: -<prefix>.memcached.max-get-multi-batch-size
[max_get_multi_batch_size: <int> | default = 100]

# (advanced) The maximum size of an item stored in memcached, in bytes. Bigger
# items are not stored. If set to 0, no maximum size is enforced.
# CLI flag: -<prefix>.memcached.max-item-size
[max_item_size: <int> | default = 1048576]

# (advanced) Enable connecting to Memcached with TLS.
# CLI flag: -<prefix>.memcached.tls-enabled
[tls_enabled: <boolean> | default = false]

# (advanced) Path to the client certificate, which will be used for
# authenticating with the server. Also requires the key path to be configured.
# CLI flag: -<prefix>.memcached.tls-cert-path
[tls_cert_path: <string> | default = ""]

# (advanced) Path to the key for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -<prefix>.memcached.tls-key-path
[tls_key_path: <string> | default = ""]

# (advanced) Path to the CA certificates to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -<prefix>.memcached.tls-ca-path
[tls_ca_path: <string> | default = ""]

# (advanced) Override the expected name on the server certificate.
# CLI flag: -<prefix>.memcached.tls-server-name
[tls_server_name: <string> | default = ""]

# (advanced) Skip validating server certificate.
# CLI flag: -<prefix>.memcached.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# (advanced) Override the default cipher suite list (separated by commas).
# Allowed values:
# 
# Secure Ciphers:
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -<prefix>.memcached.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# (advanced) Override the default minimum TLS version. Allowed values:
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -<prefix>.memcached.tls-min-version
[tls_min_version: <string> | default = ""]
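
The tls_* keys above decide whether a cache connection is encrypted and whether the server is authenticated. The following Python audit is an added example, not part of the GEM documentation or code base: it checks a parsed memcached block (the redis block uses the same tls_* keys) against the cipher lists and allowed tls_min_version values given in this reference. The VersionTLS12 floor, the severity labels, and the sample host names and file paths are assumptions made for the example.

```python
from typing import NamedTuple

# Cipher suite names copied from the "Secure Ciphers" and "Insecure Ciphers"
# lists under tls_cipher_suites in the reference.
SECURE_CIPHERS = frozenset("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
""".split())
INSECURE_CIPHERS = frozenset("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split())
# Allowed tls_min_version values from the reference, oldest first.
TLS_VERSIONS = ("VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13")


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    key: str
    message: str


def audit_cache_tls(block, min_acceptable="VersionTLS12"):
    """Audit one parsed memcached or redis block (a dict); return Findings.

    Absent keys take the defaults documented in the reference. min_acceptable
    is a local policy choice (an assumption), not a GEM default.
    """
    out = []

    def add(severity, key, message):
        out.append(Finding(severity, key, message))

    if not block.get("tls_enabled", False):
        add("high", "tls_enabled", "TLS is disabled; cache traffic is not encrypted")
        if block.get("password"):
            add("high", "password", "password is sent over a connection without TLS")
        return out  # the remaining tls_* keys only matter once TLS is on

    if block.get("tls_insecure_skip_verify", False):
        add("high", "tls_insecure_skip_verify", "server certificate is not validated")

    # The reference says the client certificate and its key each require the other.
    cert, key = block.get("tls_cert_path", ""), block.get("tls_key_path", "")
    if bool(cert) != bool(key):
        add("medium", "tls_key_path" if cert else "tls_cert_path",
            "client certificate and key must be configured together")

    # tls_cipher_suites is one comma-separated string.
    for name in block.get("tls_cipher_suites", "").split(","):
        name = name.strip()
        if name in INSECURE_CIPHERS:
            add("high", "tls_cipher_suites", f"{name} is on the insecure list")
        elif name and name not in SECURE_CIPHERS:
            add("medium", "tls_cipher_suites", f"{name} is not an allowed value")

    version = block.get("tls_min_version", "")
    if not version:
        add("info", "tls_min_version", "not set; the built-in default applies")
    elif version not in TLS_VERSIONS:
        add("medium", "tls_min_version", f"{version} is not an allowed value")
    elif TLS_VERSIONS.index(version) < TLS_VERSIONS.index(min_acceptable):
        add("high", "tls_min_version", f"{version} is below {min_acceptable}")
    return out


# Constructed sample blocks; host names and paths are placeholders.
WEAK_BLOCK = {
    "addresses": "memcached.example.internal:11211",
    "tls_enabled": True,
    "tls_insecure_skip_verify": True,
    "tls_cert_path": "/etc/gem/tls/client.crt",  # tls_key_path is missing
    "tls_cipher_suites": "TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_AES_128_GCM_SHA256",
    "tls_min_version": "VersionTLS10",
}
HARDENED_BLOCK = {
    "addresses": "memcached.example.internal:11211",
    "tls_enabled": True,
    "tls_cert_path": "/etc/gem/tls/client.crt",
    "tls_key_path": "/etc/gem/tls/client.key",
    "tls_ca_path": "/etc/gem/tls/ca.crt",
    "tls_server_name": "memcached.example.internal",
    "tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "tls_min_version": "VersionTLS12",
}

if __name__ == "__main__":
    for label, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(label)
        for f in audit_cache_tls(block):
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Feed it the mapping found under each cache prefix listed above (for example blocks-storage.bucket-store.chunks-cache) after the YAML file has been parsed.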

redis

The redis block configures the Redis-based caching backend. The supported CLI flags <prefix> used to reference this configuration block are:

  • admin.client.cache
  • blocks-storage.bucket-store.chunks-cache
  • blocks-storage.bucket-store.index-cache
  • blocks-storage.bucket-store.metadata-cache
  • graphite.querier.aggregation-cache
  • graphite.querier.metric-name-cache
  • query-frontend.results-cache
  • ruler-storage.cache

 

yaml
# Redis Server or Cluster configuration endpoint to use for caching. A
# comma-separated list of endpoints for Redis Cluster or Redis Sentinel.
# CLI flag: -<prefix>.redis.endpoint
[endpoint: <string> | default = ""]

# Username to use when connecting to Redis.
# CLI flag: -<prefix>.redis.username
[username: <string> | default = ""]

# Password to use when connecting to Redis.
# CLI flag: -<prefix>.redis.password
[password: <string> | default = ""]

# Database index.
# CLI flag: -<prefix>.redis.db
[db: <int> | default = 0]

# (advanced) Redis Sentinel master name. An empty string for Redis Server or
# Redis Cluster.
# CLI flag: -<prefix>.redis.master-name
[master_name: <string> | default = ""]

# (advanced) Client dial timeout.
# CLI flag: -<prefix>.redis.dial-timeout
[dial_timeout: <duration> | default = 5s]

# (advanced) Client read timeout.
# CLI flag: -<prefix>.redis.read-timeout
[read_timeout: <duration> | default = 3s]

# (advanced) Client write timeout.
# CLI flag: -<prefix>.redis.write-timeout
[write_timeout: <duration> | default = 3s]

# (advanced) Maximum number of connections in the pool.
# CLI flag: -<prefix>.redis.connection-pool-size
[connection_pool_size: <int> | default = 100]

# (advanced) Maximum duration to wait to get a connection from pool.
# CLI flag: -<prefix>.redis.connection-pool-timeout
[connection_pool_timeout: <duration> | default = 4s]

# (advanced) Minimum number of idle connections.
# CLI flag: -<prefix>.redis.min-idle-connections
[min_idle_connections: <int> | default = 10]

# (advanced) Amount of time after which client closes idle connections.
# CLI flag: -<prefix>.redis.idle-timeout
[idle_timeout: <duration> | default = 5m]

# (advanced) Close connections older than this duration. If the value is zero,
# then the pool does not close connections based on age.
# CLI flag: -<prefix>.redis.max-connection-age
[max_connection_age: <duration> | default = 0s]

# (advanced) The maximum size of an item stored in Redis. Bigger items are not
# stored. If set to 0, no maximum size is enforced.
# CLI flag: -<prefix>.redis.max-item-size
[max_item_size: <int> | default = 16777216]

# (advanced) The maximum number of concurrent asynchronous operations that can
# occur.
# CLI flag: -<prefix>.redis.max-async-concurrency
[max_async_concurrency: <int> | default = 50]

# (advanced) The maximum number of enqueued asynchronous operations allowed.
# CLI flag: -<prefix>.redis.max-async-buffer-size
[max_async_buffer_size: <int> | default = 25000]

# (advanced) The maximum number of concurrent connections running get
# operations. If set to 0, concurrency is unlimited.
# CLI flag: -<prefix>.redis.max-get-multi-concurrency
[max_get_multi_concurrency: <int> | default = 100]

# (advanced) The maximum size per batch for mget operations.
# CLI flag: -<prefix>.redis.max-get-multi-batch-size
[max_get_multi_batch_size: <int> | default = 100]

# (advanced) Enable connecting to Redis with TLS.
# CLI flag: -<prefix>.redis.tls-enabled
[tls_enabled: <boolean> | default = false]

# (advanced) Path to the client certificate, which will be used for
# authenticating with the server. Also requires the key path to be configured.
# CLI flag: -<prefix>.redis.tls-cert-path
[tls_cert_path: <string> | default = ""]

# (advanced) Path to the key for the client certificate. Also requires the
# client certificate to be configured.
# CLI flag: -<prefix>.redis.tls-key-path
[tls_key_path: <string> | default = ""]

# (advanced) Path to the CA certificates to validate server certificate against.
# If not set, the host's root CA certificates are used.
# CLI flag: -<prefix>.redis.tls-ca-path
[tls_ca_path: <string> | default = ""]

# (advanced) Override the expected name on the server certificate.
# CLI flag: -<prefix>.redis.tls-server-name
[tls_server_name: <string> | default = ""]

# (advanced) Skip validating server certificate.
# CLI flag: -<prefix>.redis.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# (advanced) Override the default cipher suite list (separated by commas).
# Allowed values:
# 
# Secure Ciphers:
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -<prefix>.redis.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# (advanced) Override the default minimum TLS version. Allowed values:
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -<prefix>.redis.tls-min-version
[tls_min_version: <string> | default = ""]
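
The TLS settings above interact: certificate validation, the client certificate/key pair, the minimum protocol version and the cipher list can each weaken the connection independently. The following added example (not GEM's own code) audits one set of values against the rules stated in this reference; the `RedisTLS` type and `Audit` function are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// RedisTLS mirrors the TLS keys of the redis block (hypothetical type, not GEM's own).
type RedisTLS struct {
	Enabled, InsecureSkipVerify                 bool
	CertPath, KeyPath, CipherSuites, MinVersion string
}

// insecure holds the names the reference lists under "Insecure Ciphers".
var insecure = map[string]bool{
	"TLS_RSA_WITH_RC4_128_SHA": true, "TLS_RSA_WITH_3DES_EDE_CBC_SHA": true, "TLS_RSA_WITH_AES_128_CBC_SHA": true,
	"TLS_RSA_WITH_AES_256_CBC_SHA": true, "TLS_RSA_WITH_AES_128_CBC_SHA256": true, "TLS_RSA_WITH_AES_128_GCM_SHA256": true,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": true, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": true, "TLS_ECDHE_RSA_WITH_RC4_128_SHA": true,
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": true,
}

// Audit returns one finding per weak or inconsistent setting; empty means none found.
func Audit(c RedisTLS) []string {
	if !c.Enabled {
		return []string{"tls_enabled is false: the Redis connection does not use TLS"}
	}
	var f []string
	if c.InsecureSkipVerify {
		f = append(f, "tls_insecure_skip_verify is true: the server certificate is not validated")
	}
	if (c.CertPath == "") != (c.KeyPath == "") {
		f = append(f, "tls_cert_path and tls_key_path must be configured together")
	}
	if c.MinVersion == "VersionTLS10" || c.MinVersion == "VersionTLS11" {
		f = append(f, "tls_min_version "+c.MinVersion+" allows TLS versions older than 1.2")
	}
	for _, s := range strings.Split(c.CipherSuites, ",") {
		if s = strings.TrimSpace(s); insecure[s] {
			f = append(f, "tls_cipher_suites includes insecure suite "+s)
		}
	}
	return f
}

func main() {
	// Constructed sample settings, not taken from a real deployment.
	weak := RedisTLS{Enabled: true, InsecureSkipVerify: true, CertPath: "/etc/gem/redis-client.crt",
		CipherSuites: "TLS_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA", MinVersion: "VersionTLS10"}
	fmt.Println(strings.Join(Audit(weak), "\n"))
}
```

An empty `tls_cipher_suites` or `tls_min_version` leaves the defaults in place, so the audit reports nothing for them.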

s3_sse

The s3_sse block configures S3 server-side encryption. The supported CLI flag <prefix> values used to reference this configuration block are:

  • admin.client
  • alertmanager-storage
  • blocks-storage
  • common.storage
  • graphite.querier.schemas
  • ruler-storage

 

yaml
# Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
# CLI flag: -<prefix>.s3.sse.type
[type: <string> | default = ""]

# KMS Key ID used to encrypt objects in S3
# CLI flag: -<prefix>.s3.sse.kms-key-id
[kms_key_id: <string> | default = ""]

# KMS Encryption Context used for object encryption. It expects a
# JSON-formatted string.
# CLI flag: -<prefix>.s3.sse.kms-encryption-context
[kms_encryption_context: <string> | default = ""]

flusher

The flusher block configures the WAL flusher target, which is used to manually run one-time flushes when scaling down ingesters.

yaml
# (advanced) Stop after flush has finished. If false, process will keep running,
# doing nothing.
# CLI flag: -flusher.exit-after-flush
[exit_after_flush: <boolean> | default = true]