Configure Grafana

Grafana has default and custom configuration files. You can customize your Grafana instance by modifying the custom configuration file or by using environment variables. To see the list of settings for a Grafana instance, refer to View server settings.

{{< admonition type="note" >}} After you add custom options, uncomment the relevant sections of the configuration file.

Restart Grafana for your changes to take effect. {{< /admonition >}}

Configuration file location

The default settings for a Grafana instance are stored in the <WORKING DIRECTORY>/conf/defaults.ini file. Don't change this file.

Depending on your OS, your custom configuration file is either the <WORKING DIRECTORY>/conf/custom.ini file or the /usr/local/etc/grafana/grafana.ini file. You can use a custom configuration path with the --config option.

Linux

If you installed Grafana using the deb or RPM packages, then your configuration file is located at /etc/grafana/grafana.ini and a separate custom.ini is not used. This path is specified in the Grafana init.d script using --config option.

Docker

Refer to Configure a Grafana Docker image for information about environmental variables, persistent storage, and building custom Docker images.

Windows

On Windows, the sample.ini file is located in the same directory as defaults.ini file. It contains all the settings commented out. Copy sample.ini and name it custom.ini.

macOS

By default, the configuration file is located at /opt/homebrew/etc/grafana/grafana.ini or /usr/local/etc/grafana/grafana.ini. For a Grafana instance installed using Homebrew, edit the grafana.ini file directly. Otherwise, add a configuration file named custom.ini to the conf directory to override the settings defined in conf/defaults.ini.

Grafana Cloud

There is no local configuration file for Grafana Cloud stacks, but many of these settings are still configurable. To edit configurable settings, open a support ticket.

Remove comments in the .ini files

Grafana uses semicolons (;) to comment out lines in the INI file. To uncomment a line, remove the semicolon (;) from the beginning of that line.

Grafana ignores all configuration lines that begin with a semicolon.

For example:

;http_port = 3000

Override configuration with environment variables

Don't use environment variables to add new configuration settings. Instead, use environment variables to override existing options.

To override an option:

GF_<SECTION NAME>_<KEY>

Where <SECTION NAME> is the text within the square brackets ([ and ]) in the configuration file. All letters must be uppercase, periods (.) and dashes (-) must replaced by underscores (_). For example, if you have these configuration settings:

# default section
instance_name = ${HOSTNAME}

[security]
admin_user = admin

[auth.google]
client_secret = 0ldS3cretKey

[plugin.grafana-image-renderer]
rendering_ignore_https_errors = true

[feature_toggles]
newNavigation = true

You can override variables on Linux machines with:

export GF_DEFAULT_INSTANCE_NAME=my-instance
export GF_SECURITY_ADMIN_USER=owner
export GF_AUTH_GOOGLE_CLIENT_SECRET=newS3cretKey
export GF_PLUGIN_GRAFANA_IMAGE_RENDERER_RENDERING_IGNORE_HTTPS_ERRORS=true
export GF_FEATURE_TOGGLES_newNavigation=true

Variable expansion

If any of your options contains the expression $__<PROVIDER>{<ARGUMENT>}or ${<ENVIRONMENT VARIABLE>}, then Grafana evaluates them. The evaluation runs the provider with the provided argument to get the final value of the option.

There are three providers: env, file, and vault.

env provider

The env provider expands environment variables. If you set an option to $__env{PORT} the value of the PORT environment variable replaces it. For environment variables you can also use the short-hand syntax ${PORT}.

The following example sets the log directory to the path in the LOGDIR environment variable:

[paths]
logs = $__env{LOGDIR}/grafana

file provider

The file provider reads a file from the filesystem. It trims whitespace from the beginning and the end of files.

The following example sets the database password to the contents of the /etc/secrets/gf_sql_password file:

[database]
password = $__file{/etc/secrets/gf_sql_password}

vault provider

The vault provider lets manage your secrets with Hashicorp Vault.

{{< admonition type="note" >}} The vault provider is only available in Grafana Enterprise.

For more information, refer to Integrate Grafana with Hashicorp Vault.

{{< /admonition >}}

Configuration options

The following headings describe the sections and configuration options of the Grafana configuration file.

app_mode

Options are production and development. Default is production. Don't change this option unless you are working on Grafana development.

instance_name

Set the name of the Grafana server instance. Used in logging, internal metrics, and clustering info. Defaults to: ${HOSTNAME}, which uses the value of the environment variable HOSTNAME, if that is empty or doesn't exist Grafana tries to use system calls to get the machine name.

[paths]

data

Path to where Grafana stores the sqlite3 database (if used), file-based sessions (if used), and other data. This path is usually specified via command line in the init.d script or the systemd service file.

macOS: The default SQLite database is located at /usr/local/var/lib/grafana

temp_data_lifetime

How long temporary images in data directory should be kept. Defaults to: 24h. Supported modifiers: h (hours), m (minutes), for example: 168h, 30m, 10h30m. Use 0 to never clean up temporary files.

logs

Path to where Grafana stores logs. This path is usually specified via command line in the init.d script or the systemd service file. You can override it in the configuration file or in the default environment variable file.

{{< admonition type="note" >}} When overriding the default log path in the configuration file or environment variable file, Grafana still logs to the default log path until it has fully started. {{< /admonition >}}

Override log path using the command line argument cfg:default.paths.logs:

./grafana-server --config /custom/config.ini --homepath /custom/homepath cfg:default.paths.logs=/custom/path

macOS: By default, the log file should be located at /usr/local/var/log/grafana/grafana.log.

plugins

Directory where Grafana automatically scans and looks for plugins. For information about manually or automatically installing plugins, refer to Install Grafana plugins.

macOS: By default, the Mac plugin location is: /usr/local/var/lib/grafana/plugins.

provisioning

Directory that contains provisioning configuration files that Grafana applies on startup. Dashboards are reloaded when the JSON files change.

[server]

protocol

http,https,h2,socket or socket_h2

min_tls_version

The TLS Handshake requires a minimum TLS version. The available options are TLS1.2 and TLS1.3. If you do not specify a version, the system uses TLS1.2.

http_addr

The host for the server to listen on. If your machine has more than one network interface, you can use this setting to expose the Grafana service on only one network interface and not have it available on others, such as the loopback interface. An empty value is equivalent to setting the value to 0.0.0.0, which means the Grafana service binds to all interfaces.

In environments where network address translation (NAT) is used, ensure you use the network interface address and not a final public address; otherwise, you might see errors such as bind: cannot assign requested address in the logs.

http_port

The port to bind to, defaults to 3000. To use port 80 you need to either give the Grafana binary permission for example:

sudo setcap 'cap_net_bind_service=+ep' /usr/sbin/grafana-server

Or redirect port 80 to the Grafana port using:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

Another way is to put a web server like Nginx or Apache in front of Grafana and have them proxy requests to Grafana.

domain

This setting is only used in as a part of the root_url setting (see below). Important if you use GitHub or Google OAuth.

enforce_domain

Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks. Default is false.

root_url

This is the full URL used to access Grafana from a web browser. This is important if you use Google or GitHub OAuth authentication (for the callback URL to be correct).

{{< admonition type="note" >}} This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a sub-path.

In that case add the sub-path to the end of this URL setting. {{< /admonition >}}

serve_from_sub_path

Serve Grafana from sub-path specified in root_url setting. By default it is set to false for compatibility reasons.

By enabling this setting and using a sub-path in root_url like root_url = http://localhost:3000/grafana, Grafana is accessible on http://localhost:3000/grafana. If accessed without sub-path Grafana redirects the request to the sub-path.

router_logging

Set to true for Grafana to log all HTTP requests (not just errors). These are logged as Info level events to the Grafana log.

static_root_path

The path to the directory where the frontend files (HTML, JS, and CSS files). Defaults to public which is why the Grafana binary needs to be executed with working directory set to the installation path.

enable_gzip

Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. It is recommended that most users leave it set at the default of true, however compression might increase CPU usage on constrained environments or cause issues with poorly-configured reverse proxies.

cert_file

Path to the certificate file (if protocol is set to https or h2).

cert_key

Path to the certificate key file (if protocol is set to https or h2).

cert_pass

Optional. Password to decrypt encrypted certificates.

certs_watch_interval

Controls whether cert_key and cert_file are periodically watched for changes. Disabled, by default. When enabled, cert_key and cert_file are watched for changes. If there is change, the new certificates are loaded automatically.

{{< admonition type="warning" >}} After the new certificates are loaded, connections with old certificates don't work. You must reload the connections with old certificates for them to work. {{< /admonition >}}

socket_gid

GID where the socket should be set when protocol=socket. Make sure that the target group is in the group of Grafana process and that Grafana process is the file owner before you change this setting. It is recommended to set the GID as HTTP server user GID. Not set when the value is -1.

socket_mode

Mode where the socket should be set when protocol=socket. Make sure that Grafana process is the file owner before you change this setting.

socket

Path where the socket should be created when protocol=socket. Make sure Grafana has appropriate permissions for that path before you change this setting.

serve_on_socket

If set to true and the primary protocol is http, https, or h2, Grafana will additionally serve on the Unix domain socket configured via socket. Defaults to false.

cdn_url

Specify a full HTTP URL address to the root of your Grafana CDN assets. Grafana adds edition and version paths.

For example, given a CDN URL like https://cdn.myserver.com, Grafana tries to load a JavaScript file from http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app.<HASH>.js.

read_timeout

Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections. 0 means there is no timeout for reading the request.

[server.custom_response_headers]

This setting enables you to specify additional headers that the server adds to HTTP(S) responses.

exampleHeader1 = exampleValue1
exampleHeader2 = exampleValue2

[database]

Grafana needs a database to store users and dashboards (and other things). By default it is configured to use sqlite3 which is an embedded database (included in the main Grafana binary).

{{< admonition type="caution" >}} SQLite isn't recommended for production environments; use MySQL or PostgreSQL for production deployments. {{< /admonition >}}

type

Either mysql, postgres or sqlite3, it's your choice.

host

Only applicable to MySQL or Postgres. Includes IP or hostname and port or in case of Unix sockets the path to it. For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock

name

The name of the Grafana database. Leave it set to grafana or some other name.

user

The database user (not applicable for sqlite3).

password

The database user's password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;"""

url

Use either URL or the previous fields to configure the database Example: type://user:password@host:port/name

max_idle_conn

The maximum number of connections in the idle connection pool.

max_open_conn

The maximum number of open connections to the database. For MYSQL, configure this setting on both Grafana and the database. For more information, refer to sysvar_max_connections.

conn_max_lifetime

Sets the maximum amount of time a connection may be reused. The default is 14400 (which means 14400 seconds or 4 hours). For MySQL, this setting should be shorter than the wait_timeout variable.

migration_locking

Set to false to disable database locking during the migrations. Default is true.

locking_attempt_timeout_sec

For mysql and postgres only. Specify the time, in seconds, to wait before failing to lock the database for the migrations. Default is 0.

log_queries

Set to true to log the SQL calls and execution times.

ssl_mode

For Postgres, use any valid libpq sslmode, for example, disable, require, verify-full, etc. For MySQL, use either true, false, or skip-verify.

ssl_sni

For Postgres, set to 0 to disable Server Name Indication. This is enabled by default on SSL-enabled connections.

isolation_level

Only the MySQL driver supports isolation levels in Grafana. In case the value is empty, the driver's default isolation level is applied. Available options are "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".

ca_cert_path

The path to the CA certificate to use. On many Linux systems, certs can be found in /etc/ssl/certs.

client_key_path

The path to the client key. Only if server requires client authentication.

client_cert_path

The path to the client cert. Only if server requires client authentication.

server_cert_name

The common name field of the certificate used by the mysql or postgres server. Not necessary if ssl_mode is set to skip-verify.

path

Only applicable for sqlite3 database. The path to the database file.

cache_mode

For "sqlite3" only. Shared cache setting used for connecting to the database. (private, shared) Defaults to private.

wal

For "sqlite3" only. Setting to enable/disable Write-Ahead Logging. The default value is false (disabled).

query_retries

This setting applies to sqlite only and controls the number of times the system retries a query when the database is locked. The default value is 0 (disabled).

transaction_retries

This setting applies to sqlite only and controls the number of times the system retries a transaction when the database is locked. The default value is 5.

instrument_queries

Set to true to add metrics and tracing for database queries. The default value is false.

skip_dashboard_uid_migration_on_startup

Set to true to skip dashboard UID migrations on startup. Improves startup performance for instances with large numbers of annotations who do not plan to downgrade Grafana. The default value is false.

[remote_cache]

Caches authentication tokens and other temporary authentication-related data in the configured database, Redis, or Memcached. This setting doesn't configure Query Caching in Grafana Enterprise.

{{< admonition type="note" >}} This setting doesn't control user session storage. User sessions are always stored in the main database configured in [database] regardless of your [remote_cache] settings. {{< /admonition >}}

type

Either redis, memcached, or database. Defaults to database

connstr

The remote cache connection string. The format depends on the type of the remote cache. Options are database, redis, and memcache.

database

Leave empty when using database and Grafana uses the primary database.

redis

Example connection string: network=tcp,addr=127.0.0.1:6379,pool_size=100,db=0,username=grafana,password=grafanaRocks,ssl=false

• network (optional) can be tcp or unix.
• addr is the host : port of the Redis server.
• pool_size (optional) is the number of underlying connections that can be made to Redis.
• db (optional) is the number identifier of the Redis database you want to use.
• username (optional) is the connection identifier to authenticate the current connection.
• password (optional) is the connection secret to authenticate the current connection.
• ssl (optional) is if SSL should be used to connect to Redis server. The value may be true, false, or insecure. Setting the value to insecure skips verification of the certificate chain and hostname when making the connection.

memcache

Example connection string: 127.0.0.1:11211

[dataproxy]

logging

This enables data proxy logging, default is false.

timeout

How long the data proxy should wait before timing out. Default is 30 seconds.

This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.

keep_alive_seconds

Interval between keep-alive probes. Default is 30 seconds. For more details, refer to the Dialer.KeepAlive documentation.

tls_handshake_timeout_seconds

The length of time that Grafana waits for a successful TLS handshake with the data source. Default is 10 seconds. For more information, refer to the Transport.TLSHandshakeTimeout documentation.

expect_continue_timeout_seconds

The length of time that Grafana waits for the first response headers from a data source after fully writing the request headers, if the request has an Expect: 100-continue header. A value of 0 results in the body being sent immediately. Default is 1 second. For more information, refer to the Transport.ExpectContinueTimeout documentation.

max_conns_per_host

Limits the total number of connections per host, including connections in the dialing, active, and idle states. On limit violation, dials are blocked. A value of 0 means that there are no limits. Default is 0. For more information, refer to the Transport.MaxConnsPerHost documentation.

max_idle_connections

The maximum number of idle connections that Grafana maintains. Default is 100. For more information, refer to the Transport.MaxIdleConns documentation.

idle_conn_timeout_seconds

The length of time that Grafana maintains idle connections before closing them. Default is 90 seconds. For more information, refer to the Transport.IdleConnTimeout documentation.

send_user_header

If enabled and user is not anonymous, data proxy adds the X-Grafana-User header with username into the request. Default is false.

response_limit

Limits the amount of bytes that Grafana reads from responses of outgoing HTTP requests. Default is 0 which means disabled.

row_limit

Limits the number of rows that Grafana processes from SQL data sources. Default is 1000000.

user_agent

Sets a custom value for the User-Agent header for outgoing data proxy requests. If empty, the default value is Grafana/<BuildVersion> (for example Grafana/9.0.0).

[analytics]

enabled

This option is also known as usage analytics. When false, this option disables the writers that write to the Grafana database and the associated features, such as dashboard and data source insights, presence indicators, and advanced dashboard search. The default value is true.

reporting_enabled

When enabled Grafana sends anonymous usage statistics to stats.grafana.org. Grafana doesn't track IP addresses, only counters of running instances, versions, dashboards, and errors.

The anonymous usage statistics help inform the future development of Grafana. Counters are sent every 24 hours. Default value is true.

check_for_updates

Set to false to disable checking for new versions of Grafana in GitHub. When enabled, the check for a new version runs every ten minutes. It notifies, via the UI, when a new version is available. The check itself doesn't cause automatic updates of the Grafana software, nor does it send any sensitive information.

check_for_plugin_updates

Set to false to disable checking for new versions of installed plugins from https://grafana.com. When enabled, the check for a new plugin runs every ten minutes. It notifies, via the UI, when a new plugin update exists. The check itself doesn't cause any automatic updates of any plugins, nor does it send any sensitive information.

google_analytics_ua_id

If you want to track Grafana usage with Google Analytics specify your Universal Analytics ID here. By default this feature is disabled.

google_analytics_4_id

If you want to track Grafana usage with Google Analytics 4 specify your GA4 ID here. By default this feature is disabled.

google_tag_manager_id

Google Tag Manager ID, only enabled if you enter an ID here.

rudderstack_write_key

If you want to track Grafana usage via RudderStack specify your RudderStack Write Key here. The rudderstack_data_plane_url must also be provided for this feature to be enabled. By default this feature is disabled.

rudderstack_data_plane_url

RudderStack data plane URL to receive RudderStack events. You must also provide the rudderstack_write_key to enable this feature.

rudderstack_sdk_url

Optional. If tracking with RudderStack is enabled, you can provide a custom URL to load the RudderStack SDK.

rudderstack_v3_sdk_url

Optional. This is mirroring the old configuration option, which will be deprecated. If rudderstack_sdk_url and rudderstack_v3_sdk_url are both set, the feature toggle rudderstackUpgrade will control which one is loaded.

rudderstack_config_url

Optional. If tracking with RudderStack is enabled, you can provide a custom URL to load the RudderStack configuration.

rudderstack_integrations_url

Optional. If tracking with RudderStack is enabled, you can provide a custom URL to load the SDK for destinations running in device mode. This setting is only valid for RudderStack version 1.1 and higher.

application_insights_connection_string

If you want to track Grafana usage via Azure Application Insights, then specify your Application Insights connection string. Since the connection string contains semicolons, you need to wrap it in backticks (`). By default, tracking usage is disabled.

application_insights_endpoint_url

Optionally, use this option to override the default endpoint address for Application Insights data collecting. For details, refer to the Azure documentation.

application_insights_auto_route_tracking

Optionally, use this to configure enableAutoRouteTracking in Azure Application Insights. Defaults to true. For more details, refer to the Azure documentation

feedback_links_enabled

Set to false to remove all feedback links from the UI. Default is true.

[security]

disable_initial_admin_creation

Disable creation of a Grafana Admin user on first start of Grafana. Default is false.

admin_user

The name of the default Grafana Admin user, who has full permissions. Default is admin.

admin_password

The password of the default Grafana Admin. Set once on first-run. Default is admin.

admin_email

The email of the default Grafana Admin, created on startup. Default is admin@localhost.

secret_key

Used for signing some data source settings like secrets and passwords, the encryption format used is AES-256 in CFB mode. Cannot be changed without requiring an update to data source settings to re-encode them.

disable_gravatar

Set to true to disable the use of Gravatar for user profile images. Default is false.

data_source_proxy_whitelist

Define a allowlist of IP addresses or domains with ports, that can be used in data source URLs with the Grafana data source proxy.

The format is <IP> or <DOMAIN>:<PORT> separated by spaces. PostgreSQL, MySQL, and MSSQL data sources don't use the proxy and are not affected by this setting.

disable_brute_force_login_protection

Set to true to disable brute force login protection. Default is false. Login is blocked for five minutes if all login attempts are spent within a 5 minute window.

brute_force_login_protection_max_attempts

Configure how many login attempts can be made within a five minute window before being blocked. Default is 5.

disable_username_login_protection

Set to true to disable brute force login protection by username. Default is false. User will be unable to login for 5 minutes if all login attempts are spent within a 5 minute window.

disable_ip_address_login_protection

Set to true to disable brute force login protection by IP address. Default is true. Anyone from the IP address will be unable to login for 5 minutes if all login attempts are spent within a 5 minute window.

cookie_secure

Set to true if you host Grafana behind HTTPS. Default is false.

cookie_samesite

Sets the SameSite cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. This setting also provides some protection against cross-site request forgery attacks (CSRF), read more about SameSite here. Valid values are lax, strict, none, and disabled. Default is lax. Using value disabled does not add any SameSite attribute to cookies.

If you want to use OAuth/SAML for login, it is necessary to configure this attribute as lax.

allow_embedding

When false, the HTTP header X-Frame-Options: deny is set in Grafana HTTP responses which instructs browsers to not allow rendering Grafana in a <frame>, <iframe>, <embed> or <object>. The main goal is to mitigate the risk of Clickjacking. Default is false.

strict_transport_security

Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header. Only use this when HTTPS is enabled in your configuration, or when there is another upstream system that ensures your application does HTTPS (like a frontend load balancer). HSTS tells browsers that the site should only be accessed using HTTPS.

strict_transport_security_max_age_seconds

Sets how long a browser should cache HSTS in seconds. Only applied if strict_transport_security is enabled. The default value is 86400.

strict_transport_security_preload

Set to true to enable HSTS preloading option. Only applied if strict_transport_security is enabled. The default value is false.

strict_transport_security_subdomains

Set to true to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled. The default value is false.

x_content_type_options

Set to false to disable the X-Content-Type-Options response header. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. The default value is true.

x_xss_protection

Set to false to disable the X-XSS-Protection header, which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks. The default value is true.

content_security_policy

Set to true to add the Content-Security-Policy header to your requests. The Content Security Policy (CSP) controls which resources that the user agent can load and helps prevent XSS attacks.

content_security_policy_template

Set the policy template that's used to add the Content-Security-Policy header to your requests. $NONCE in the template includes a random nonce.

content_security_policy_report_only

Set to true to add the Content-Security-Policy-Report-Only header to your requests. CSP in "Report Only" mode lets you to experiment with policies by monitoring their effects without enforcing them. You can enable both policies simultaneously.

content_security_policy_template

Set the policy template that's used to add the Content-Security-Policy-Report-Only header to your requests. $NONCE in the template includes a random nonce.

actions_allow_post_url

Sets API paths to be accessible between plugins using the POST verb. If the value is empty, you can only pass remote requests through the proxy. If the value is set, you can also send authenticated POST requests to the local server. You typically use this to enable backend communication between plugins.

This is a comma-separated list which uses glob matching.

The following example allows access to all plugins that have a backend:

actions_allow_post_url=/api/plugins/*

The following example limits access to the backend of a single plugin:

actions_allow_post_url=/api/plugins/grafana-special-app

csrf_trusted_origins

List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.

csrf_additional_headers

List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.

csrf_always_check

Set to true to execute the CSRF check even if the login cookie is not in a request (default false).

enable_frontend_sandbox_for_plugins

Comma-separated list of plugins IDs to load inside the frontend sandbox.

[snapshots]

enabled

Set to false to disable the snapshot feature (default true).

external_enabled

Set to false to disable external snapshot publish endpoint (default true).

external_snapshot_url

Set root URL to a Grafana instance where you want to publish external snapshots (defaults to https://snapshots.raintank.io).

external_snapshot_name

Set name for external snapshot button. Defaults to Publish to snapshots.raintank.io.

public_mode

Set to true to enable this Grafana instance to act as an external snapshot server and allow unauthenticated requests for creating and deleting snapshots. Default is false.

[dashboards]

versions_to_keep

Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1.

min_refresh_interval

This feature prevents users from setting the dashboard refresh interval to a lower value than a given interval value. The default interval value is 5 seconds. The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d). For example 30s or 1m.

This also limits the refresh interval options in Explore.

default_home_dashboard_path

Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json".

{{< admonition type="note" >}} On Linux, Grafana uses /usr/share/grafana/public/dashboards/home.json as the default home dashboard location. {{< /admonition >}}

[dashboard_cleanup]

Settings related to cleaning up associated dashboards information if the dashboard was deleted through /apis.

interval

How often to run the job to cleanup associated resources. The default interval is 30s. The minimum allowed value is 10s to ensure the system isn't overloaded.

The interval string must include a unit suffix (ms, s, m, h), e.g. 30s or 1m.

batch_size

Number of deleted dashboards to process in each batch during the cleanup process. Default: 10, Minimum: 5, Maximum: 200.

Increasing this value allows processing more dashboards in each cleanup cycle but may impact system performance.

[datasources]

default_manage_alerts_ui_toggle

Default behavior for the "Manage alerts via Alerting UI" toggle when configuring a data source. It only works if the data source's jsonData.manageAlerts prop does not contain a previously configured value.

default_allow_recording_rules_target_alerts_ui_toggle

Default behavior for the "Allow as recording rules target" toggle when configuring a data source. It only works if the data source's jsonData.allowAsRecordingRulesTarget prop does not contain a previously configured value.

[sql_datasources]

max_open_conns_default

For SQL data sources (MySql, Postgres, MSSQL) you can override the default maximum number of open connections (default: 100). The value configured in data source settings is preferred over the default value.

max_idle_conns_default

For SQL data sources (MySql, Postgres, MSSQL) you can override the default allowed number of idle connections (default: 100). The value configured in data source settings is preferred over the default value.

max_conn_lifetime_default

For SQL data sources (MySql, Postgres, MSSQL) you can override the default maximum connection lifetime specified in seconds (default: 14400). The value configured in data source settings is preferred over the default value.

[users]

allow_sign_up

Set to false to prohibit users from being able to sign up or create user accounts. Default is false. A Grafana Admin can still create users. For more information about creating a user, refer to Add a user.

allow_org_create

Set to false to prohibit users from creating new organizations. Default is false.

auto_assign_org

Set to true to automatically add new users to the main organization (ID 1). When set to false, new users automatically cause a new organization to be created for that new user. The organization is created even if the allow_org_create setting is set to false. Default is true.

auto_assign_org_id

Set this value to automatically add new users to the provided org. This requires auto_assign_org to be set to true. The organization must already exist. Default is 1.

auto_assign_org_role

The auto_assign_org_role setting determines the default role assigned to new users in the main organization if auto_assign_org setting is set to true. You can set this to one of the following roles: (Viewer (default), Admin, Editor, and None). For example:

auto_assign_org_role = Viewer

verify_email_enabled

Require email validation before sign up completes or when updating a user email address. Default is false.

login_default_org_id

Set the default organization for users when they sign in. The default is -1.

login_hint

Text used as placeholder text on login page for login/username input.

password_hint

Text used as placeholder text on login page for password input.

default_theme

Sets the default UI theme: dark, light, or system. The default theme is dark.

system matches the user's system theme.

default_language

This option sets the default UI language if a supported IETF language tag like en-US is available. If set to detect, the default UI language is determined by browser preference. The default is en-US.

home_page

Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.

External user management

If you manage users externally you can replace the user invite button for organizations with a link to an external site together with a description.

viewers_can_edit

{{< admonition type="note" >}} This option is deprecated - assign your viewers as editors, if you are using RBAC assign the data sources explorer role to your users. {{< /admonition >}}

Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to. They cannot save their changes. Default is false.

user_invite_max_lifetime_duration

The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).

verification_email_max_lifetime_duration

The duration in time a verification email, used to update the email address of a user, remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 1h (1 hour).

last_seen_update_interval

The frequency of updating a user's last seen time. This setting should be expressed as a duration. Examples: 1h (hour), 15m (minutes) Default is 15m (15 minutes). The minimum supported duration is 5m (5 minutes). The maximum supported duration is 1h (1 hour).

hidden_users

This is a comma-separated list of usernames. Users specified here are hidden in the Grafana UI. They are still visible to Grafana administrators and to themselves.

[auth]

Grafana provides many ways to authenticate users. Refer to the Grafana Authentication overview and other authentication documentation for detailed instructions on how to set up and configure authentication.

login_cookie_name

The cookie name for storing the auth token. Default is grafana_session.

login_maximum_inactive_lifetime_duration

The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration such 5m (minutes), 6h (hours), 10d (days), 2w (weeks), or 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).

login_maximum_lifetime_duration

The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration such 5m (minutes), 6h (hours), 10d (days), 2w (weeks), or 1M (month).

token_rotation_interval_minutes

How often auth tokens are rotated for authenticated users when the user is active. The default is each 10 minutes.

disable_login_form

Set to true to disable (hide) the login form, useful if you use OAuth 2.0. Default is false.

disable_signout_menu

Set to true to disable the sign out link in the side menu. This is useful if you use auth.proxy. Default is false.

signout_redirect_url

The URL the user is redirected to upon signing out. To support OpenID Connect RP-Initiated Logout, the user must add post_logout_redirect_uri to the signout_redirect_url.

Example:

signout_redirect_url = http://localhost:8087/realms/grafana/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogin

oauth_auto_login

{{< admonition type="note" >}} This option is deprecated - use auto_login option for specific OAuth provider instead. {{< /admonition >}}

Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Default is false.

oauth_state_cookie_max_age

How many seconds the OAuth state cookie lives before being deleted. Default is 600 (seconds) Administrators can increase this if they experience OAuth login state mismatch errors.

oauth_login_error_message

A custom error message for when users are unauthorized. Default is a key for an internationalized phrase in the frontend, Login provider denied login request.

oauth_refresh_token_server_lock_min_wait_ms

Minimum wait time in milliseconds for the server lock retry mechanism. Default is 1000 (milliseconds). The server lock retry mechanism is used to prevent multiple Grafana instances from simultaneously refreshing OAuth tokens. This mechanism waits at least this amount of time before retrying to acquire the server lock.

There are five retries in total, so with the default value, the total wait time (for acquiring the lock) is at least 5 seconds (the wait time between retries is calculated as random(n, n + 500)), which means that the maximum token refresh duration must be less than 5-6 seconds.

If you experience issues with the OAuth token refresh mechanism, you can increase this value to allow more time for the token refresh to complete.

oauth_skip_org_role_update_sync

{{< admonition type="note" >}} This option is removed from G11 in favor of OAuth provider specific skip_org_role_sync settings. The following sections explain settings for each provider. {{< /admonition >}}

If you want to change the oauth_skip_org_role_update_sync setting from true to false, then each provider you have set up, use the skip_org_role_sync setting to specify whether you want to skip the synchronization.

{{< admonition type="warning" >}} Currently if no organization role mapping is found for a user, Grafana doesn't update the user's organization role.

If oauth_skip_org_role_update_sync option is set to false, users with no mapping are reset to the default organization role on every login.

For more information, refer to auto_assign_org_role option. {{< /admonition >}}

skip_org_role_sync

skip_org_role_sync prevents the synchronization of organization roles for a specific OAuth integration, while the deprecated setting oauth_skip_org_role_update_sync affects all configured OAuth providers.

The default value for skip_org_role_sync is false.

With skip_org_role_sync set to false, the users' organization and role is reset on every new login, based on the external provider's role. See your provider in the tables below.

With skip_org_role_sync set to true, when a user logs in for the first time, Grafana sets the organization role based on the value specified in auto_assign_org_role and forces the organization to auto_assign_org_id when specified, otherwise it falls back to OrgID 1.

{{< admonition type="note" >}} Enabling skip_org_role_sync also disables the synchronization of Grafana Admins from the external provider, as such allow_assign_grafana_admin is ignored. {{< /admonition >}}

Use this setting when you want to manage the organization roles of your users from within Grafana and be able to manually assign them to multiple organizations, or to prevent synchronization conflicts when they can be synchronized from another provider.

The behavior of oauth_skip_org_role_update_sync and skip_org_role_sync, can be seen in the tables below:

[auth.grafana_com]

[auth.azuread]

[auth.google]

{{< admonition type="note" >}} For GitLab, GitHub, Okta, Generic OAuth providers, Grafana synchronizes organization roles and sets Grafana Admins. The allow_assign_grafana_admin setting is also accounted for, to allow or not setting the Grafana Admin role from the external provider. {{< /admonition >}}

[auth.github]

[auth.gitlab]

[auth.generic_oauth]

[auth.okta]

Example skip_org_role_sync

[auth.google]

api_key_max_seconds_to_live

Limit of API key seconds to live before expiration. Default is -1 (unlimited).

sigv4_auth_enabled

Set to true to enable the AWS Signature Version 4 Authentication option for HTTP-based data sources. Default is false.

sigv4_verbose_logging

Set to true to enable verbose request signature logging when AWS Signature Version 4 Authentication is enabled. Default is false.

managed_service_accounts_enabled

Only available in Grafana 11.3+.

Set to true to enable the use of managed service accounts for plugin authentication. Default is false.

{{< admonition type="note" >}} This feature only supports single-organization deployments. The plugin's service account is automatically created in the default organization. This means the plugin can only access data and resources within that specific organization. {{< /admonition >}}

[auth.anonymous]

Refer to Anonymous authentication for detailed instructions.

[auth.github]

Refer to GitHub OAuth2 authentication for detailed instructions.

[auth.gitlab]

Refer to GitLab OAuth 2.0 authentication for detailed instructions.

[auth.google]

Refer to Google OAuth2 authentication for detailed instructions.

[auth.grafananet]

Legacy key names, still in the configuration file so they work in environment variables.

[auth.grafana_com]

Legacy key names, still in the configuration file so they work in environment variables.

[auth.azuread]

Refer to Entra ID OAuth2 authentication for detailed instructions.

[auth.okta]

Refer to Okta OAuth2 authentication for detailed instructions.

[auth.generic_oauth]

Refer to Generic OAuth authentication for detailed instructions.

[auth.basic]

Refer to Basic authentication for detailed instructions.

[auth.proxy]

Refer to Auth proxy authentication for detailed instructions.

[auth.ldap]

Refer to LDAP authentication for detailed instructions.

[aws]

You can configure core and external AWS plugins.

allowed_auth_providers

Specify what authentication providers the AWS plugins allow. For a list of allowed providers, refer to the data source configuration page for a given plugin. If you configure a plugin by provisioning, only providers that are specified in allowed_auth_providers are allowed.

Options: default (AWS SDK default), keys (Access and secret key), credentials (Credentials file), ec2_iam_role (EC2 IAM role)

assume_role_enabled

Set to false to disable AWS authentication from using an assumed role with temporary security credentials. For details about assume roles, refer to the AWS API reference documentation about the AssumeRole operation.

If this option is disabled, the Assume Role and the External Id field are removed from the AWS data source configuration page. If the plugin is configured using provisioning, it is possible to use an assumed role as long as assume_role_enabled is set to true.

list_metrics_page_limit

Use the List Metrics API option to load metrics for custom namespaces in the Amazon CloudWatch data source. By default, the page limit is 500.

[azure]

Grafana supports additional integration with Azure services when hosted in the Azure Cloud.

cloud

Azure cloud environment where Grafana is hosted:

clouds_config

The JSON configuration defines a list of Azure clouds and their associated properties when hosted in custom Azure environments.

For example:

clouds_config = `[
		{
			"name":"CustomCloud1",
			"displayName":"Custom Cloud 1",
			"aadAuthority":"https://login.cloud1.contoso.com/",
			"properties":{
				"azureDataExplorerSuffix": ".kusto.windows.cloud1.contoso.com",
				"logAnalytics":            "https://api.loganalytics.cloud1.contoso.com",
				"portal":                  "https://portal.azure.cloud1.contoso.com",
				"prometheusResourceId":    "https://prometheus.monitor.azure.cloud1.contoso.com",
				"resourceManager":         "https://management.azure.cloud1.contoso.com"
			}
		}]`

managed_identity_enabled

Specifies whether Grafana is running in Azure with Managed Identity configured (for example, running in a Azure Virtual Machines instance). Disabled by default, needs to be explicitly enabled.

managed_identity_client_id

The client ID to use for user-assigned managed identity.

Should be set for user-assigned identity and should be empty for system-assigned identity.

workload_identity_enabled

Specifies whether Entra ID Workload Identity authentication should be enabled in data sources that support it.

For more documentation on Entra ID Workload Identity, review Entra ID Workload Identity documentation.

Disabled by default, needs to be explicitly enabled.

workload_identity_tenant_id

Tenant ID of the Entra ID Workload Identity.

Allows to override default tenant ID of the Entra ID identity associated with the Kubernetes service account.

workload_identity_client_id

Client ID of the Entra ID Workload Identity.

Allows to override default client ID of the Entra ID identity associated with the Kubernetes service account.

workload_identity_token_file

Custom path to token file for the Entra ID Workload Identity.

Allows to set a custom path to the projected service account token file.

user_identity_enabled

Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in data sources that support it (requires AAD authentication).

Disabled by default, needs to be explicitly enabled.

user_identity_fallback_credentials_enabled

Specifies whether user identity authentication fallback credentials should be enabled in data sources. Enabling this allows data source creators to provide fallback credentials for backend-initiated requests, such as alerting, recorded queries, and so on.

It is by default and needs to be explicitly disabled. It doesn't have any effect if user identity authentication is disabled.

user_identity_token_url

Override token URL for Azure Active Directory.

By default is the same as token URL configured for AAD authentication settings.

user_identity_client_authentication

Override client authentication method for Azure Active Directory. Currently supported values are client_secret_post and managed_identity.

By default is the same as client authentication method configured for AAD authentication settings.

user_identity_client_id

Override ADD application ID which would be used to exchange users token to an access token for the data source.

By default is the same as used in AAD authentication or can be set to another application (for OBO flow).

user_identity_client_secret

Override the AAD application client secret.

By default is the same as used in AAD authentication or can be set to another application (for OBO flow).

user_identity_managed_identity_client_id

Override the AAD application managed identity client ID of the federated credential configured as a user-assigned managed identity.

By default is the same as used in AAD authentication or can be set to another managed identity (for OBO flow).

user_identity_federated_credential_audience

Override the AAD federated credential audience of the federated credential configured as a user-assigned managed identity.

By default is the same as used in AAD authentication or can be set to another audience (for OBO flow).

forward_settings_to_plugins

Set plugins to receive Azure settings via plugin context.

By default, this includes all Grafana Labs owned Azure plugins or those that use Azure settings (Azure Monitor, Azure Data Explorer, Prometheus, MSSQL).

azure_entra_password_credentials_enabled

Specifies whether Entra password authentication can be used for the MSSQL data source. This authentication isn't recommended and consideration should be taken before enabling this.

Disabled by default, needs to be explicitly enabled.

[auth.jwt]

Refer to JWT authentication for more information.

[smtp]

Email server settings.

enabled

Enable this to allow Grafana to send email. Default is false.

host

Default is localhost:25. Use port 465 for implicit TLS.

user

In case of SMTP auth, default is empty.

password

In case of SMTP auth, default is empty. If the password contains # or ;, then you have to wrap it with triple quotes. Example: """#password;"""

cert_file

File path to a cert file, default is empty.

key_file

File path to a key file, default is empty.

skip_verify

Verify SSL for SMTP server, default is false.

from_address

Address used when sending out emails, default is [email protected].

from_name

Name to be used when sending out emails, default is Grafana.

ehlo_identity

Name to be used as client identity for EHLO in SMTP conversation, default is <instance_name>.

startTLS_policy

Either OpportunisticStartTLS, MandatoryStartTLS, NoStartTLS, or empty. Default is empty.

enable_tracing

Enable trace propagation in email headers, using the traceparent, tracestate and (optionally) baggage fields. Default is false. To enable, you must first configure tracing in one of the tracing.opentelemetry.* sections.

[smtp.static_headers]

Enter key-value pairs on their own lines to be included as headers on outgoing emails. All keys must be in canonical mail header format. Examples: Foo=bar, Foo-Header=bar.

[emails]

welcome_email_on_sign_up

Default is false.

templates_pattern

Enter a comma separated list of template patterns. Default is emails/*.html, emails/*.txt.

content_types

Enter a comma-separated list of content types that should be included in the emails that are sent. List the content types according descending preference. For example, text/html, text/plain for HTML as the most preferred. The order of the parts is significant as the mail clients uses the media type that is supported and most preferred by the sender. Supported content types are text/html and text/plain. Default is text/html.

[log]

Grafana logging options.

mode

Options are console, file, and syslog. Default is console and file. Use spaces to separate multiple modes, for example, console file.

level

Options are debug, info, warn, error. critical is an alias for error. Default is info.

filters

Optional settings to set different levels for specific loggers. For example: filters = sqlstore:debug

You can use multiple filters with a comma-seperated list: For example: filters = sqlstore:debug,plugins:info

The equivalent for a docker-compose.yaml looks like this:

GF_LOG_FILTERS: sqlstore:debug,plugins:info
GF_LOG_LEVEL: error

user_facing_default_error

Use this configuration option to set the default error message shown to users. This message is displayed instead of sensitive backend errors, which should be obfuscated. The default message is Please inspect the Grafana server log for details..

[log.console]

Only applicable when console is used in [log] mode.

level

See [log] level for values. Default is inherited from [log] level.

format

Log line format, valid options are text, console, and json. Default is console.

[log.file]

Only applicable when file used in [log] mode.

level

See [log] level for values. Default is inherited from [log] level.

format

Log line format, valid options are text, console, and json. Default is text.

log_rotate

Enable automated log rotation, valid options are false or true. Default is true. When enabled use the max_lines, max_size_shift, daily_rotate and max_days to configure the behavior of the log rotation.

max_lines

Maximum lines per file before rotating it. Default is 1000000.

max_size_shift

Maximum size of file before rotating it. Default is 28, which means 1 << 28, 256MB.

daily_rotate

Enable daily rotation of files, valid options are false or true. Default is true.

max_days

Maximum number of days to keep log files. Default is 7.

[log.syslog]

Only applicable when syslog used in [log] mode.

level

See [log] level for values. Default is inherited from [log] level.

format

Log line format, valid options are text, console, and json. Default is text.

network and address

Syslog network type and address. This can be UDP, TCP, or UNIX. If left blank, then the default UNIX endpoints are used.

facility

Syslog facility. Valid options are user, daemon or local0 through local7. Default is empty.

tag

Syslog tag. By default, the process's argv[0] is used.

[log.frontend]

enabled

Grafana Faro instrumentation is initialized. Default is false. Enables the default set of instrumentations from getWebInstrumentations. See the options below to selectively disable some of these.

custom_endpoint

Custom HTTP endpoint to send events captured by the Grafana Faro agent to. Default, /log-grafana-javascript-agent, logs the events to standard output.

api_key

If custom_endpoint required authentication, you can set the API key here. Only relevant for Grafana JavaScript Agent provider.

instrumentations_console_enabled

Enables the Console instrumentation for Grafana Faro, defaults to true.

instrumentations_performance_enabled

Enables the Performance instrumentation for Grafana Faro, defaults to true.

instrumentations_csp_enabled

Enables the Content Security Policy Violations instrumentation for Grafana Faro, defaults to true.

instrumentations_tracing_enabled

Enables the Tracing instrumentation for Grafana Faro, defaults to true.

log_endpoint_requests_per_second_limit

Requests per second limit enforced per an extended period, for Grafana backend log ingestion endpoint, /log-grafana-javascript-agent. Default is 3.

log_endpoint_burst_limit

Maximum requests accepted per short interval of time for Grafana backend log ingestion endpoint, /log-grafana-javascript-agent. Default is 15.

bot_filter_enabled

Enables the bot filter for the Grafana Faro JavaScript agent integration. Default is false. When enabled, it will filter out requests from known bots and crawlers.

[quota]

Set quotas to -1 to make unlimited.

enabled

Enable usage quotas. Default is false.

org_user

Limit the number of users allowed per organization. Default is 10.

org_dashboard

Limit the number of dashboards allowed per organization. Default is 100.

org_data_source

Limit the number of data sources allowed per organization. Default is 10.

org_api_key

Limit the number of API keys that can be entered per organization. Default is 10.

org_alert_rule

Limit the number of alert rules that can be entered per organization. Default is 100.

user_org

Limit the number of organizations a user can create. Default is 10.

global_user

Sets a global limit of users. Default is -1 (unlimited).

global_org

Sets a global limit on the number of organizations that can be created. Default is -1 (unlimited).

global_dashboard

Sets a global limit on the number of dashboards that can be created. Default is -1 (unlimited).

global_api_key

Sets global limit of API keys that can be entered. Default is -1 (unlimited).

global_session

Sets a global limit on number of users that can be logged in at one time. Default is -1 (unlimited).

global_alert_rule

Sets a global limit on number of alert rules that can be created. Default is -1 (unlimited).

global_correlations

Sets a global limit on number of correlations that can be created. Default is -1 (unlimited).

alerting_rule_evaluation_results

Limit the number of query evaluation results per alert rule. If the condition query of an alert rule produces more results than this limit, the evaluation results in an error. Default is -1 (unlimited).

[unified_alerting]

For more information about the Grafana alerts, refer to Grafana Alerting.

enabled

Enable or disable Grafana Alerting. The default value is true.

Alerting rules migrated from dashboards and panels include a link back via the annotations.

disabled_orgs

Comma-separated list of organization IDs for which to disable Grafana 8 Unified Alerting.

admin_config_poll_interval

Specify the frequency of polling for configuration changes. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

alertmanager_config_poll_interval

Specify the frequency of polling for Alertmanager configuration changes. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

alertmanager_max_template_output_bytes

Maximum size in bytes that the expanded result of any single template expression (e.g. {{ .CommonAnnotations.description }}, {{ .ExternalURL }}, etc.) may reach during notification rendering. The limit is checked after template execution for each templated field, but before the value is inserted into the final notification payload sent to the receiver. If exceeded, the notification will contain output truncated up to the limit and a warning will be logged. The default value is 10,485,760 bytes (10Mb).

ha_redis_address

Redis server address or addresses. It can be a single Redis address if using Redis standalone, or a list of comma-separated addresses if using Redis Cluster/Sentinel.

{{< admonition type="note" >}} For more information on Redis, refer to Enable alerting high availability using Redis. {{< /admonition >}}

ha_redis_cluster_mode_enabled

Set to true when using Redis in Cluster mode. Mutually exclusive with ha_redis_sentinel_mode_enabled.

ha_redis_sentinel_mode_enabled

Set to true when using Redis in Sentinel mode. Mutually exclusive with ha_redis_cluster_mode_enabled.

ha_redis_sentinel_master_name

Redis Sentinel master name. Only applicable when ha_redis_sentinel_mode_enabled is set to true.

ha_redis_username

The username that should be used to authenticate with Redis.

ha_redis_password

The password that should be used to authenticate with Redis.

ha_redis_sentinel_username

The username that should be used to authenticate with Redis Sentinel. Only applicable when ha_redis_sentinel_mode_enabled is set to true.

ha_redis_sentinel_password

The password that should be used to authenticate with Redis Sentinel. Only applicable when ha_redis_sentinel_mode_enabled is set to true.

ha_redis_db

The Redis database. The default value is 0.

ha_redis_prefix

A prefix that is used for every key or channel that is created on the Redis server as part of HA for alerting. Useful if you plan to share Redis with multiple Grafana instances.

ha_redis_peer_name

The name of the cluster peer to use as an identifier. If none is provided, a random one is generated.

ha_redis_max_conns

The maximum number of simultaneous Redis connections.

ha_redis_tls_enabled

Enable TLS on the client used to communicate with the Redis server. This should be set to true if using any of the other ha_redis_tls_* fields.

ha_redis_tls_cert_path

Path to the PEM-encoded TLS client certificate file used to authenticate with the Redis server. Required if using Mutual TLS.

ha_redis_tls_key_path

Path to the PEM-encoded TLS private key file. Also requires the client certificate to be configured. Required if using Mutual TLS.

ha_redis_tls_ca_path

Path to the PEM-encoded CA certificates file. If not set, the host's root CA certificates are used.

ha_redis_tls_server_name

Overrides the expected name of the Redis server certificate.

ha_redis_tls_insecure_skip_verify

Skips validating the Redis server certificate.

ha_redis_tls_cipher_suites

Overrides the default TLS cipher suite list.

ha_redis_tls_min_version

Overrides the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13

ha_listen_address

Listen IP address and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port. The default value is 0.0.0.0:9094.

ha_advertise_address

Explicit IP address and port to advertise other Grafana instances. The port is used for both TCP and UDP.

ha_peers

Comma-separated list of initial instances (in a format of <HOST>:<PORT>) that form the HA cluster. Configuring this setting enables the High Availability mode for alerting.

ha_peer_timeout

Time to wait for an instance to send a notification via the Alertmanager. In HA, each Grafana instance is assigned a position (for example, 0, 1). We then multiply this position with the timeout to indicate how long should each instance wait before sending the notification to take into account replication lag. The default value is 15s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

ha_label

The label is an optional string to include on each packet and stream. It uniquely identifies the cluster and prevents cross-communication issues when sending gossip messages in an environment with multiple clusters.

ha_gossip_interval

The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated across cluster more quickly at the expense of increased bandwidth usage. The default value is 200ms.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

ha_reconnect_timeout

Length of time to attempt to reconnect to a lost peer. When running Grafana in a Kubernetes cluster, set this duration to less than 15m.

The string is a possibly signed sequence of decimal numbers followed by a unit suffix (ms, s, m, h, d), such as 30s or 1m.

ha_push_pull_interval

The interval between gossip full state syncs. Setting this interval lower (more frequent) increases convergence speeds across larger clusters at the expense of increased bandwidth usage. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

ha_single_node_evaluation

Enable single-node evaluation mode for alerting in high availability. When enabled, only one Grafana instance in the cluster evaluates alert rules instead of all instances evaluating all rules. This reduces query load on data sources from N times to 1. The default value is false.

Requires high availability clustering to be configured (either Memberlist or Redis).

For more information, refer to Single-node evaluation mode.

ha_single_evaluation_alert_broadcast_queue_size

The size of the message queue used to broadcast alerts from the primary instance to other instances in single-node evaluation mode. Increase this value if you have many alert rules and see broadcast messages being dropped. The default value is 200. Only used when ha_single_node_evaluation is true.

execute_alerts

Enable or disable alerting rule execution. The default value is true. The alerting UI remains visible.

evaluation_timeout

Sets the alert evaluation timeout when fetching data from the data source. The default value is 30s.

The timeout string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

max_attempts

The maximum number of times Grafana retries evaluating an alert rule before giving up on that evaluation. Default is 3.

The retry mechanism:

• Adds jitter to retry delays to prevent thundering herd problems when multiple rules fail simultaneously.
• Stops when either max_attempts is reached or the rule’s evaluation interval is exceeded.

You can customize retry behaviour with initial_retry_delay, max_retry_delay, and randomization_factor.

initial_retry_delay

The initial delay before retrying a failed alert evaluation. Default is 1s.

This value is the starting point for exponential backoff.

initialization_timeout

Allows the context deadline for the AlertNG service to be configurable. The default timeout is 30s.

max_retry_delay

The maximum delay between retries during exponential backoff. Default is 4s.

After the retry delay reaches max_retry_delay, all subsequent retries use this delay.

To avoid overlapping retries with scheduled evaluations, max_retry_delay must be less than the rule’s evaluation interval.

randomization_factor

The randomization factor for exponential backoff retries. Default is 0.1.

The value must be between 0 and 1.

The actual retry delay is chosen randomly between:

[current_delay*(1-randomization_factor), current_delay*(1+randomization_factor)]

min_interval

Sets the minimum interval to enforce between rule evaluations. The default value is 10s which equals the scheduler interval. Rules are adjusted if they are less than this value or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as Grafana schedules fewer evaluations over time.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), for example, 30s or 1m.

{{< admonition type="note" >}} This setting has precedence over each individual rule frequency. If a rule frequency is lower than this value, then this value is enforced. {{< /admonition >}}

rule_version_record_limit

Defines the limits for how many alert rule versions are stored in the database per alert rule.

The default 0 value means there's no limit.

[unified_alerting.screenshots]

For more information about screenshots, refer to Images in notifications.

capture

Enable screenshots in notifications. This option requires a remote HTTP image rendering service. For more information, refer to [rendering].

capture_timeout

The timeout for capturing screenshots. If a screenshot cannot be captured within the timeout then the notification is sent without a screenshot. The maximum duration is 30 seconds. This timeout should be less than the minimum Interval of all Evaluation Groups to avoid back pressure on alert rule evaluation.

max_concurrent_screenshots

The maximum number of screenshots that can be taken at the same time. This option is different from concurrent_render_request_limit as max_concurrent_screenshots sets the number of concurrent screenshots that can be taken at the same time for all firing alerts where as concurrent_render_request_limit sets the total number of concurrent screenshots across all Grafana services.

upload_external_image_storage

Uploads screenshots to the local Grafana server or remote storage such as Azure, S3 and GCS. For more information, refer to [external_image_storage]. If this option is false then screenshots are persisted to disk for up to temp_data_lifetime.

[unified_alerting.reserved_labels]

For more information about Grafana Reserved Labels, refer to Labels in Grafana Alerting

disabled_labels

Comma-separated list of reserved labels added by the Grafana Alerting engine that should be disabled.

For example: disabled_labels=grafana_folder

[unified_alerting.state_history]

This section configures where Grafana Alerting writes alert state history. Refer to Configure alert state history for end-to-end setup and examples.

enabled

Enables recording alert state history. Default is false.

backend

Select the backend used to store alert state history. Supported values: loki, prometheus, multiple.

loki_remote_url

The URL of the Loki server used when backend = loki (or when backend = multiple and Loki is a primary/secondary).

prometheus_target_datasource_uid

Target Prometheus data source UID used for writing alert state changes when backend = prometheus (or when backend = multiple and Prometheus is a secondary).

prometheus_metric_name

Optional. Metric name for the alert state metric. Default is GRAFANA_ALERTS.

prometheus_write_timeout

Optional. Timeout for writing alert state data to the target data source. Default is 10s.

primary

Used only when backend = multiple. Selects the primary backend (for example loki).

secondaries

Used only when backend = multiple. Comma-separated list of secondary backends (for example prometheus).

[unified_alerting.state_history.annotations]

This section controls retention of annotations automatically created while evaluating alert rules when alerting state history backend is configured to be annotations (see setting [unified_alerting.state_history].backend)

max_age

Configures for how long alert annotations are stored. Default is 0, which keeps them forever. This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep

Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.

[unified_alerting.prometheus_conversion]

This section applies only to rules imported as Grafana-managed rules. For more information about the import process, refer to Import data source-managed rules to Grafana-managed rules.

rule_query_offset

Set the query offset to imported Grafana-managed rules when query_offset is not defined in the original rule group configuration. The default value is 1m.

default_datasource_uid

Set the default data source UID to use for query execution when importing Prometheus rules. Grafana uses this default when the X-Grafana-Alerting-Datasource-UID header isn't provided during import. If this option isn't set, the header becomes required. The default value is empty.

[annotations]

cleanupjob_batchsize

Configures the batch size for the annotation clean-up job. This setting is used for dashboard, API, and alert annotations.

tags_length

Enforces the maximum allowed amount of tags for any newly introduced annotations. This value can be between 500 and 4096 (inclusive). The default value is 500. Setting it to a higher value would impact performance and is therefore not recommended.

[annotations.dashboard]

Dashboard annotations means that annotations are associated with the dashboard they are created on.

max_age

Configures how long dashboard annotations are stored. Default is 0, which keeps them forever. This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep

Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.

[annotations.api]

API annotations means that the annotations have been created using the API without any association with a dashboard.

max_age

Configures how long Grafana stores API annotations. Default is 0, which keeps them forever. This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep

Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.

[explore]

For more information about this feature, refer to Explore.

enabled

Enable or disable the Explore section. Default is enabled.

defaultTimeOffset

Set a default time offset from now on the time picker. Default is 1 hour. This setting should be expressed as a duration. Examples: 1h (hour), 1d (day), 1w (week), 1M (month).

hide_logs_download

Show or hide the button to download logs in Explore. Default is false, so that the button will be visible.

[help]

Configures the help section.

enabled

Enable or disable the Help section. Default is enabled.

[profile]

Configures the Profile section.

enabled

Enable or disable the Profile section. Default is enabled.

[news]

news_feed_enabled

Enables the news feed section. Default is true

[query]

concurrent_query_limit

Set the number of queries that can be executed concurrently in a mixed data source panel. Default is the number of CPUs.

[query_history]

Configures Query history in Explore.

enabled

Enable or disable the Query history. Default is enabled.

[short_links]

Configures settings around the short link feature.

expire_time

Short links that are never accessed are considered expired or stale and can be deleted as cleanup. Set the expiration time in days. The default is -1 days (never expire). The maximum is 365 days.

A setting above the maximum uses the value 365 instead. A negative value such as -1 disables expiry.

[metrics]

For detailed instructions, refer to Internal Grafana metrics.

enabled

Enable metrics reporting. defaults true. Available via HTTP API <URL>/metrics.

interval_seconds

Flush/write interval when sending metrics to external TSDB. Defaults to 10.

disable_total_stats

If set to true, then total stats generation (stat_totals_* metrics) is disabled. Default is false.

total_stats_collector_interval_seconds

Sets the total stats collector interval. The default is 1800 seconds (30 minutes).

basic_auth_username and basic_auth_password

If both are set, then basic authentication is required to access the metrics endpoint.

[metrics.environment_info]

Adds dimensions to the grafana_environment_info metric, which can expose more information about the Grafana instance.

; exampleLabel1 = exampleValue1
; exampleLabel2 = exampleValue2

[metrics.graphite]

Use these options if you want to send internal Grafana metrics to Graphite.

address

Enable by setting the address. Format is <Hostname or ip>:port.

prefix

Graphite metric prefix. Defaults to prod.grafana.%(instance_name)s.

[grafana_net]

Refer to [grafana_com] configuration as that's the preferred configuration name. The [grafana_net] configuration is still accepted and parsed as [grafana_com] configuration.

[grafana_com]

url

Default is https://grafana.com. The default authentication identity provider for Grafana Cloud.

[tracing.jaeger]

[Deprecated - use tracing.opentelemetry.jaeger or tracing.opentelemetry.otlp instead]

Configure a Jaeger client in Grafana for distributed tracing.

You can also use the standard JAEGER_* environment variables to configure Jaeger. For the full list, refer to the table in Trace configuration via environment variables. Environment variables override any settings provided here.

address

The host:port destination for reporting spans. (ex: localhost:6831)

Can be set with the environment variables JAEGER_AGENT_HOST and JAEGER_AGENT_PORT.

always_included_tag

Comma-separated list of tags to include in all new spans, such as tag1:value1,tag2:value2.

Can be set with the environment variable JAEGER_TAGS (use = instead of : with the environment variable).

sampler_type

Default value is const.

Specifies the type of sampler: const, probabilistic, ratelimiting, or remote.

Refer to https://www.jaegertracing.io/docs/1.16/sampling/#client-sampling-configuration for details on the different tracing types.

Can be set with the environment variable JAEGER_SAMPLER_TYPE.

To override this setting, enter sampler_type in the tracing.opentelemetry section.

sampler_param

Default value is 1.

This is the sampler configuration parameter. Depending on the value of sampler_type, it can be 0, 1, or a decimal value in between.

• For const sampler, 0 or 1 for always false/true respectively
• For probabilistic sampler, a probability between 0 and 1.0
• For rateLimiting sampler, the number of spans per second
• For remote sampler, the argument is the same as for probabilistic and indicates the initial sampling rate before the actual ones received from the remote.

May be set with the environment variable JAEGER_SAMPLER_PARAM.

Setting sampler_param in the tracing.opentelemetry section overrides this setting.

sampling_server_url

sampling_server_url is the URL of a sampling manager providing a sampling strategy.

Setting sampling_server_url in the tracing.opentelemetry section overrides this setting.

zipkin_propagation

Default value is false.

Controls whether or not to use the Zipkin span propagation format (with x-b3- HTTP headers). By default, the Jaeger format is used.

Can be set with the environment variable and value JAEGER_PROPAGATION=b3.

disable_shared_zipkin_spans

Default value is false.

Setting this to true turns off shared RPC spans. Leaving this available is the most common setting when using Zipkin elsewhere in your infrastructure.

[tracing.opentelemetry]

Configure general parameters shared between OpenTelemetry providers.

custom_attributes

Comma-separated list of attributes to include in all new spans, such as key1:value1,key2:value2.

Can be set or overridden with the environment variable OTEL_RESOURCE_ATTRIBUTES (use = instead of : with the environment variable). The service name can be set or overridden using attributes or with the environment variable OTEL_SERVICE_NAME.

sampler_type

Default value is const.

Specifies the type of sampler: const, probabilistic, ratelimiting, or remote.

sampler_param

Default value is 1.

Depending on the value of sampler_type, the sampler configuration parameter can be 0, 1, or any decimal value between 0 and 1.

• For the const sampler, use 0 to never sample or 1 to always sample
• For the probabilistic sampler, you can use a decimal value between 0.0 and 1.0
• For the rateLimiting sampler, enter the number of spans per second
• For the remote sampler, use a decimal value between 0.0 and 1.0 to specify the initial sampling rate used before the first update is received from the sampling server

sampling_server_url

When sampler_type is remote, this specifies the URL of the sampling server. This can be used by all tracing providers.

Use a sampling server that supports the Jaeger remote sampling API, such as jaeger-agent, jaeger-collector, opentelemetry-collector-contrib, or Grafana Alloy.

[tracing.opentelemetry.jaeger]

Configure Grafana with a Jaeger client for distributed tracing.

address

The <HOST>:<PORT> destination for reporting spans. For example, localhost:14268/api/traces.

propagation

The propagation specifies the text map propagation format. The values jaeger and w3c are supported. Add a comma (,) between values to specify multiple formats (for example, "jaeger,w3c"). The default value is w3c.

[tracing.opentelemetry.otlp]

Configure Grafana with an OTLP client for distributed tracing.

address

The <HOST>:<PORT> destination for reporting spans. For example, localhost:4317.

propagation

The propagation specifies the text map propagation format. The values jaeger and w3c are supported. Add a comma (,) between values to specify multiple formats (for example, "jaeger,w3c"). The default value is w3c.

insecure

Toggles the insecure communication setting, defaults to true. When set to false, the OTLP client will use TLS credentials with the default system cert pool for communication.

[external_image_storage]

These options control how images should be made public so they can be shared on services like Slack or email message.

provider

Options are s3, webdav, gcs, azure_blob, local). If left empty, then Grafana ignores the upload action.

[external_image_storage.s3]

endpoint

Optional endpoint URL (hostname or fully qualified URI) to override the default generated S3 endpoint. If you want to keep the default, just leave this empty. You must still provide a region value if you specify an endpoint.

path_style_access

Set this to true to force path-style addressing in S3 requests, which uses http://s3.amazonaws.com/<BUCKET>/<KEY>, instead of the default, which is virtual hosted bucket addressing when possible (http://<BUCKET>.s3.amazonaws.com/<KEY>).

{{< admonition type="note" >}} This option is specific to the Amazon S3 service. {{< /admonition >}}

bucket_url

(for backward compatibility, only works when no bucket or region are configured) Bucket URL for S3. AWS region can be specified within URL or defaults to 'us-east-1', for example,

• http://grafana.s3.amazonaws.com/
• https://grafana.s3-ap-southeast-2.amazonaws.com/

bucket

Bucket name for S3. For example, grafana.snapshot.

region

Region name for S3. For example, us-east-1 or `cn-north-1.

path

Optional extra path inside bucket, useful to apply expiration policies.

access_key

Access key, for example, AAAAAAAAAAAAAAAAAAAA.

Access key requires permissions to the S3 bucket for the 's3:PutObject' and 's3:PutObjectAcl' actions.

secret_key

Secret key, for example, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.

[external_image_storage.webdav]

url

URL where Grafana sends PUT request with images.

username

Basic auth username.

password

Basic auth password.

public_url

Optional URL to send to users in notifications. If the string contains the sequence {{file}}, it is replaced with the uploaded filename. Otherwise, the filename is appended to the path part of the URL, leaving any query string unchanged.

[external_image_storage.gcs]

key_file

Optional path to JSON key file associated with a Google service account to authenticate and authorize. If no value is provided it tries to use the application default credentials. Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts.

Service Account should have "Storage Object Writer" role. The access control model of the bucket needs to be "Set object-level and bucket-level permissions". Grafana makes the images public readable when signed URLs aren't enabled.

bucket

Bucket Name on Google Cloud Storage.

path

Optional extra path inside bucket.

enable_signed_urls

If set to true, Grafana creates a signed URL for the image uploaded to Google Cloud Storage.

signed_url_expiration

Sets the signed URL expiration, which defaults to seven days.

[external_image_storage.azure_blob]

account_name

Storage account name.

account_key

Storage account key

container_name

Container name where to store "Blob" images with random names. Creating the blob container beforehand is required. Only public containers are supported.

sas_token_expiration_days

Number of days for SAS token validity. If specified, a SAS token is attached to image URL. Allow storing images in private containers.

[external_image_storage.local]

This option does not require any configuration.

[rendering]

Options to configure a remote HTTP image rendering service, for example, using https://github.com/grafana/grafana-image-renderer.

renderer_token

An authentication token is be sent to and verified by the renderer. The renderer denies any request without an authentication token matching the one configured on the renderer.

server_url

URL to a remote HTTP image renderer service, for example, http://localhost:8081/render, that Grafana can use to render panels and dashboards to PNG-images using HTTP requests to an external service.

callback_url

If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, for example, http://grafana.domain/.

The callback_url can also be configured to support usage of the image renderer running as a plugin with support for SSL / HTTPS. For example https://localhost:3000/.

concurrent_render_request_limit

Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server, which this setting can help protect against by only allowing a certain number of concurrent requests. Default is 30.

ca_cert_file_path

Path to the PEM-encoded CA certificate file from the Image Renderer server.

default_image_width

Configures the width of the rendered image. The default width is 1000.

default_image_height

Configures the height of the rendered image. The default height is 500.

default_image_scale

Configures the scale of the rendered image. The default scale is 1.

[panels]

enable_alpha

Set to true if you want to test alpha panels that are not yet ready for general usage. Default is false.

disable_sanitize_html

{{< admonition type="note" >}} This configuration is not available in Grafana Cloud instances. {{< /admonition >}}

If set to true Grafana allows script tags in text panels. Not recommended as it enables XSS vulnerabilities. Default is false.

[plugins]

enable_alpha

Set to true if you want to test alpha plugins that are not yet ready for general usage. Default is false.

allow_loading_unsigned_plugins

Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.

We do not recommend using this option. For more information, refer to Plugin signatures.

plugin_admin_enabled

Available to Grafana administrators only, enables installing, uninstalling, and updating plugins directly from the Grafana UI. Set to true by default. Setting it to false hides the controls.

For more information, refer to Plugin catalog.

plugin_admin_external_manage_enabled

Set to true if you want to enable external management of plugins. Default is false. This is only applicable to Grafana Cloud users.

plugin_catalog_url

Custom install/learn more URL for enterprise plugins. Defaults to https://grafana.com/grafana/plugins/.

plugin_catalog_hidden_plugins

Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.

public_key_retrieval_disabled

Disable download of the public key for verifying plugin signature. The default is false. If disabled, it uses the hard-coded public key.

public_key_retrieval_on_startup

Force download of the public key for verifying plugin signature on startup. The default is false. If disabled, the public key is retrieved every 10 days. Requires public_key_retrieval_disabled to be false to have any effect.

disable_plugins

Enter a comma-separated list of plugin identifiers to avoid loading (including core plugins). These plugins are hidden in the catalog.

preinstall

Enter a comma-separated list of plugin identifiers to install on startup, using the Grafana catalog as the source. Preinstalled plugins cannot be uninstalled from the Grafana user interface; they need to be removed from this list first.

Plugins are installed asynchronously, as a background process. This means that Grafana starts up faster, but the plugins may not be available immediately.

To pin plugins to a specific version, use the format plugin_id@version, for example,[email protected]. If no version is specified, the latest version is installed. The plugin is automatically updated to the latest version when a new version is available in the Grafana plugin catalog on startup (except for new major versions).

To use a custom URL to download a plugin, use the format plugin_id@version@url, for example, [email protected]@https://example.com/grafana-piechart-panel-1.6.0.zip.

By default, Grafana installs some suggested plugins on startup. For a list of default preinstalled plugins, refer to pkg/setting/setting_plugins.go:35.

preinstall_sync

Enter a comma-separated list of plugin identifiers to install on startup, using the Grafana catalog as the source. Same as preinstall, but installs plugins synchronously.

These will be installed before starting Grafana. Useful when used with provisioning.

preinstall_disabled

This option disables all preinstalled plugins. The default is false. To disable a specific plugin from being preinstalled, use the disable_plugins option.

preinstall_auto_update

Enable automatic updates for preinstalled plugins on start-up. When enabled, preinstalled plugins without a pinned version are automatically updated to the latest version when Grafana starts.

The default is true.

To prevent automatic updates for specific plugins, pin them to a specific version using the format plugin_id@version in the preinstall setting.

[live]

max_connections

The max_connections option specifies the maximum number of connections to the Grafana Live WebSocket endpoint per Grafana server instance. Default is 100.

Refer to Grafana Live configuration documentation if you specify a number higher than default since this can require some operating system and infrastructure tuning.

0 disables Grafana Live, -1 means unlimited connections.

allowed_origins

The allowed_origins option is a comma-separated list of additional origins (Origin header of HTTP Upgrade request during WebSocket connection establishment) that is accepted by Grafana Live.

If not set (default), then the origin is matched over root_url which should be sufficient for most scenarios.

Origin patterns support wildcard symbol "*".

For example:

[live]
allowed_origins = "https://*.example.com"

ha_engine

Experimental

The high availability (HA) engine name for Grafana Live. By default, it's not set. The only possible value is redis.

For more information, refer to the Configure Grafana Live HA setup.

ha_engine_address

Experimental

Address string of selected the high availability (HA) Live engine. For Redis, it's a host:port string. Example:

[live]
ha_engine = redis
ha_engine_address: redis-headless.grafana.svc.cluster.local:6379
ha_engine_password: $__file{/your/redis/password/secret/mount}

[provisioning]

allowed_targets

Comma-separated list of targets that a repository can control. folder by default. Use folder if you want the repository to only control a folder within the Grafana instance. Use instance if you want the repository to control the whole Grafana instance.

allow_image_rendering

Whether image rendering is allowed for dashboard previews. Requires the image rendering service to be configured. Default is true.

min_sync_interval

The minimum sync interval that you can set for a repository. Indicates how often the controller will check for changes in the repository that were not propagated by a webhook. The minimum value is 10s. Default is 10s.

repository_types

List of enabled repository types, separated by |. When empty, defaults are applied by each subsystem.

Supported types: local, git, github. Grafana Enterprise additionally supports bitbucket and gitlab.

max_repositories

Maximum number of repositories allowed. Default is 10. Set to 0 for unlimited repositories.

max_resources_per_repository

Maximum number of resources (dashboards, folders, etc.) allowed per repository. Default is 0, which means unlimited.

[plugin.plugin_id]

This section can be used to configure plugin-specific settings. Replace the plugin_id attribute with the plugin ID present in plugin.json.

Properties described in this section are available for all plugins, but you must set them individually for each plugin.

tracing

{{< admonition type="note" >}} OpenTelemetry must be configured as well. {{< /admonition >}}

If true, propagate the tracing context to the plugin backend and enable tracing (if the backend supports it).

as_external

Load an external version of a core plugin if it has been installed.

[plugin.grafana-image-renderer]

For more information, refer to Image rendering.

rendering_timezone

Instruct headless browser instance to use a default timezone when not provided by Grafana, for example, when rendering panel image of alert. Refer to the ICU metaZones.txt file for a list of supported timezone IDs. Fallbacks to TZ environment variable if not set.

rendering_language

Instruct headless browser instance to use a default language when not provided by Grafana, for example, when rendering panel image of alert. Refer to the HTTP header Accept-Language to understand how to format this value, for example, 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.

rendering_viewport_device_scale_factor

Instruct headless browser instance to use a default device scale factor when not provided by Grafana, for example, when rendering panel image of alert. Default is 1. Using a higher value produces more detailed images (higher DPI), but requires more disk space to store an image.

rendering_ignore_https_errors

Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to the security risk, we do not recommend that you ignore HTTPS errors.

rendering_verbose_logging

Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and only captures and log error messages.

When enabled, debug messages are captured and logged as well.

For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure [log].filter = rendering:debug.

rendering_dumpio

Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service. Default is false.

It can be useful to set this to true when troubleshooting.

rendering_timing_metrics

{{< admonition type="note" >}} Available from grafana-image-renderer v3.9.0+ {{< /admonition >}}

Instruct a headless browser instance on whether to record metrics for the duration of every rendering step. Default is false.

Setting this to true when optimizing the rendering mode settings to improve the plugin performance or when troubleshooting can be useful.

rendering_args

Additional arguments to pass to the headless browser instance. Defaults are --no-sandbox,--disable-gpu. The list of Chromium flags can be found at (https://peter.sh/experiments/chromium-command-line-switches/). Separate multiple arguments with commas.

rendering_chrome_bin

You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.

Note that this is not recommended. You might encounter problems if the installed version of Chrome or Chromium is not compatible with the plugin.

rendering_mode

Instruct how headless browser instances are created. Default is default and creates a new browser instance on each request.

Mode clustered makes sure that only a maximum of browsers or incognito pages can execute concurrently.

Mode reusable uses one browser instance and creates a new incognito page on each request.

rendering_clustering_mode

When rendering_mode = clustered, you can instruct how many browsers or incognito pages can execute concurrently. Default is browser and clusters using browser instances.

Mode context clusters using incognito pages.

rendering_clustering_max_concurrency

When rendering_mode = clustered, you can define the maximum number of browser instances or incognito pages that can execute concurrently. Default is 5.

rendering_clustering_timeout

{{< admonition type="note" >}} Available in grafana-image-renderer v3.3.0 and later versions. {{< /admonition >}}

When rendering_mode = clustered, you can specify the duration a rendering request can take before it times out. Default is 30 seconds.

rendering_viewport_max_width

Limit the maximum viewport width that can be requested.

rendering_viewport_max_height

Limit the maximum viewport height that can be requested.

rendering_viewport_max_device_scale_factor

Limit the maximum viewport device scale factor that can be requested.

grpc_host

Change the listening host of the gRPC server. Default host is 127.0.0.1.

grpc_port

Change the listening port of the gRPC server. Default port is 0 and uses a port not in use.

[enterprise]

For more information about Grafana Enterprise, refer to Grafana Enterprise.

[feature_toggles]

FEATURE_NAME = <value>

Use a key-value pair to set feature flag values explicitly, overriding any default values. A few different types are supported, following the OpenFeature specification. See the defaults.ini file for more details.

For example, to disable an on-by-default feature toggle named exploreMixedDatasource, specify exploreMixedDatasource = false.

enable

{{< admonition type="note" >}} This option is deprecated and will be removed in a future major release. Use individual toggle entries instead. {{< /admonition >}}

Keys of features to enable, separated by spaces.

[date_formats]

This section controls system-wide defaults for date formats used in time ranges, graphs, and date input boxes.

The format patterns use Moment.js formatting tokens.

full_date

Full date format used by time range picker and in other places where a full date is rendered.

intervals

These intervals formats are used in the graph to show only a partial date or time. For example, if there are only minutes between Y-axis tick labels then the interval_minute format is used.

Defaults

interval_second = HH:mm:ss
interval_minute = HH:mm
interval_hour = MM/DD HH:mm
interval_day = MM/DD
interval_month = YYYY-MM
interval_year = YYYY

use_browser_locale

Set this to true to have date formats automatically derived from your browser location. Defaults to false. This is an experimental feature.

default_timezone

Used as the default time zone for user preferences. Can be either browser for the browser local time zone or a time zone name from the IANA Time Zone database, such as UTC or Europe/Amsterdam.

default_week_start

Set the default start of the week, valid values are: saturday, sunday, monday or browser to use the browser locale to define the first day of the week. Default is browser.

[time_picker]

This section controls system-wide defaults for the time picker, such as the default quick ranges.

quick_ranges

Set the default set of quick relative offset time ranges that show up in the right column of the time picker. Each configuration entry must have a from, to, and display field. Any configuration for this field must be in valid JSON format made up of a list of quick range configurations.

The from and to fields should be valid relative time ranges. For more information the relative time formats, refer to Time units and relative ranges.. The from field is required, but omitting to will result in the from value being used in both fields.

If no configuration is provided, the default time ranges will be used.

For example:

[time_picker]
quick_ranges = """[
{"from":"now-6s","to":"now","display":"Last 6 seconds"},
{"from":"now-10m","to":"now","display":"Last 10 minutes"},
{"from":"now-25h","to":"now","display":"Last 24 hours"},
{"from":"now/w","to":"now/w","display":"This week"},
{"from":"now-1w/w","to":"now-1w/w","display":"Last week"},
{"from":"now-10d","to":"now","display":"Last 10 days"}
]"""

[expressions]

enabled

Set this to false to disable expressions and hide them in the Grafana UI. Default is true.

sql_expression_cell_limit

Set the maximum number of cells that can be passed to a SQL expression. Default is 100000. A setting of 0 means no limit.

sql_expression_output_cell_limit

Set the maximum number of cells that can be returned from a SQL expression. Default is 100000. A setting of 0 means no limit.

sql_expression_query_length_limit

Set the maximum length of a SQL query that can be used in a SQL expression. Default is 10000 characters. A setting of 0 means no limit.

sql_expression_timeout

The duration a SQL expression will run before being cancelled. The default is 10s. A setting of 0s means no limit.

[geomap]

This section controls the defaults settings for Geomap Plugin.

default_baselayer_config

The JSON configuration used to define the default base map. Four base map options to choose from are carto, esriXYZTiles, xyzTiles, standard. For example, to set cartoDB light as the default base layer:

default_baselayer_config = `{
  "type": "xyz",
  "config": {
    "attribution": "Open street map",
    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
  }
}`

enable_custom_baselayers

Set this to false to disable loading other custom base maps and hide them in the Grafana UI. Default is true.

[rbac]

Refer to Role-based access control for more information.

[navigation.app_sections]

Move an app plugin (referenced by its id), including all its pages, to a specific navigation section. Format: <pluginId> = <sectionId> <sortWeight>

[navigation.app_standalone_pages]

Move an individual app plugin page (referenced by its path field) to a specific navigation section. Format: <pageUrl> = <sectionId> <sortWeight>

[public_dashboards]

This section configures the shared dashboards feature.

enabled

Set this to false to disable the shared dashboards feature. This prevents users from creating new shared dashboards and disables existing ones.