Administration on Grafana Labs

Preferences

Sat, 04 Apr 2026 12:26:57 +0000

Grafana preferences

Grafana preferences are basic settings. They control the Grafana UI theme, home dashboard, time zone, and so on.

Preferences are sometimes confusing because they can be set at four different levels, listed from highest level to lowest:

Server - Affects all users on the Grafana server. Set by a Grafana Server Admin.
Organization - Affects all users in an organization. Set by an Organization Admin.
Team - Affects all users assigned to a team. Set by an Organization Admin or Team Admin. To learn more about these roles, refer to Organization roles.
User account - Affects the individual user. Set by the user on their own account.

The lowest level always takes precedence. For example, if a user sets their theme to Light, then their visualization of Grafana displays the light theme. Nothing at any higher level can override that.

If the user is aware of the change and intended it, then that’s great! But if the user is a Server Admin who made the change to their user preferences a long time ago, they might have forgotten they did that. Then, if that Server Admin is trying to change the theme at the server level, they’ll get frustrated as none of their changes have any effect that they can see. (Also, the users on the server might be confused, because they can see the server-level changes!)

View server

Sat, 04 Apr 2026 12:26:57 +0000

View server information

This setting contains information about tools that Grafana Server Admins can use to learn more about their Grafana servers.

Configuration

Sat, 04 Apr 2026 12:26:57 +0000

Configuration

Grafana has default and custom configuration files. You can customize your Grafana instance by modifying the custom configuration file or by using environment variables. To see the list of settings for a Grafana instance, refer to View server settings.

Note: After you add custom options, uncomment the relevant sections of the configuration file. Restart Grafana for your changes to take effect.

Configuration file location

The default settings for a Grafana instance are stored in the $WORKING_DIR/conf/defaults.ini file. Do not change this file.

Depending on your OS, your custom configuration file is either the $WORKING_DIR/conf/defaults.ini file or the /usr/local/etc/grafana/grafana.ini file. The custom configuration file path can be overridden using the --config parameter.

Linux

If you installed Grafana using the deb or rpm packages, then your configuration file is located at /etc/grafana/grafana.ini and a separate custom.ini is not used. This path is specified in the Grafana init.d script using --config file parameter.

Docker

Refer to Configure a Grafana Docker image for information about environmental variables, persistent storage, and building custom Docker images.

Windows

On Windows, the sample.ini file is located in the same directory as defaults.ini file. It contains all the settings commented out. Copy sample.ini and name it custom.ini.

macOS

By default, the configuration file is located at /usr/local/etc/grafana/grafana.ini. For a Grafana instance installed using Homebrew, edit the grafana.ini file directly. Otherwise, add a configuration file named custom.ini to the conf folder to override the settings defined in conf/defaults.ini.

Remove comments in the .ini files

Grafana uses semicolons (the ; char) to comment out lines in a .ini file. You must uncomment each line in the custom.ini or the grafana.ini file that you are modify by removing ; from the beginning of that line. Otherwise your changes will be ignored.

For example:

# The HTTP port  to use
;http_port = 3000

Override configuration with environment variables

Do not use environment variables to add new configuration settings. Instead, use environmental variables to override existing options.

To override an option:

GF_<SectionName>_<KeyName>

Where the section name is the text within the brackets. Everything should be uppercase, . and - should be replaced by _. For example, if you have these configuration settings:

# default section
instance_name = ${HOSTNAME}

[security]
admin_user = admin

[auth.google]
client_secret = 0ldS3cretKey

[plugin.grafana-image-renderer]
rendering_ignore_https_errors = true

You can override them on Linux machines with:

export GF_DEFAULT_INSTANCE_NAME=my-instance
export GF_SECURITY_ADMIN_USER=owner
export GF_AUTH_GOOGLE_CLIENT_SECRET=newS3cretKey
export GF_PLUGIN_GRAFANA_IMAGE_RENDERER_RENDERING_IGNORE_HTTPS_ERRORS=true

Variable expansion

Note: Only available in Grafana 7.1+.

If any of your options contains the expression $__<provider>{<argument>} or ${<environment variable>}, then they will be processed by Grafana’s variable expander. The expander runs the provider with the provided argument to get the final value of the option.

There are three providers: env, file, and vault.

Env provider

The env provider can be used to expand an environment variable. If you set an option to $__env{PORT} the PORT environment variable will be used in its place. For environment variables you can also use the short-hand syntax ${PORT}. Grafana’s log directory would be set to the grafana directory in the directory behind the LOGDIR environment variable in the following example.

[paths]
logs = $__env{LOGDIR}/grafana

File provider

file reads a file from the filesystem. It trims whitespace from the beginning and the end of files. The database password in the following example would be replaced by the content of the /etc/secrets/gf_sql_password file:

[database]
password = $__file{/etc/secrets/gf_sql_password}

Vault provider

The vault provider allows you to manage your secrets with Hashicorp Vault.

Vault provider is only available in Grafana Enterprise v7.1+. For more information, refer to Vault integration in Grafana Enterprise.

app_mode

Options are production and development. Default is production. Do not change this option unless you are working on Grafana development.

instance_name

Set the name of the grafana-server instance. Used in logging, internal metrics, and clustering info. Defaults to: ${HOSTNAME}, which will be replaced with environment variable HOSTNAME, if that is empty or does not exist Grafana will try to use system calls to get the machine name.

[paths]

data

Path to where Grafana stores the sqlite3 database (if used), file-based sessions (if used), and other data. This path is usually specified via command line in the init.d script or the systemd service file.

macOS: The default SQLite database is located at /usr/local/var/lib/grafana

temp_data_lifetime

How long temporary images in data directory should be kept. Defaults to: 24h. Supported modifiers: h (hours), m (minutes), for example: 168h, 30m, 10h30m. Use 0 to never clean up temporary files.

logs

Path to where Grafana stores logs. This path is usually specified via command line in the init.d script or the systemd service file. You can override it in the configuration file or in the default environment variable file. However, please note that by overriding this the default log path will be used temporarily until Grafana has fully initialized/started.

Override log path using the command line argument cfg:default.paths.logs:

./grafana-server --config /custom/config.ini --homepath /custom/homepath cfg:default.paths.logs=/custom/path

macOS: By default, the log file should be located at /usr/local/var/log/grafana/grafana.log.

plugins

Directory where Grafana automatically scans and looks for plugins. For information about manually or automatically installing plugins, refer to Install Grafana plugins.

macOS: By default, the Mac plugin location is: /usr/local/var/lib/grafana/plugins.

provisioning

Folder that contains provisioning config files that Grafana will apply on startup. Dashboards will be reloaded when the json files changes.

[server]

protocol

http,https,h2 or socket

http_addr

The IP address to bind to. If empty will bind to all interfaces

http_port

The port to bind to, defaults to 3000. To use port 80 you need to either give the Grafana binary permission for example:

$ sudo setcap 'cap_net_bind_service=+ep' /usr/sbin/grafana-server

Or redirect port 80 to the Grafana port using:

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

Another way is to put a web server like Nginx or Apache in front of Grafana and have them proxy requests to Grafana.

domain

This setting is only used in as a part of the root_url setting (see below). Important if you use GitHub or Google OAuth.

enforce_domain

Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks. Default is false.

root_url

This is the full URL used to access Grafana from a web browser. This is important if you use Google or GitHub OAuth authentication (for the callback URL to be correct).

Note: This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a subpath. In that case add the subpath to the end of this URL setting.

serve_from_sub_path

Serve Grafana from subpath specified in root_url setting. By default it is set to false for compatibility reasons.

By enabling this setting and using a subpath in root_url above, e.g. root_url = http://localhost:3000/grafana, Grafana is accessible on http://localhost:3000/grafana.

router_logging

Set to true for Grafana to log all HTTP requests (not just errors). These are logged as Info level events to the Grafana log.

static_root_path

The path to the directory where the front end files (HTML, JS, and CSS files). Defaults to public which is why the Grafana binary needs to be executed with working directory set to the installation path.

enable_gzip

Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. It is recommended that most users set it to true. By default it is set to false for compatibility reasons.

cert_file

Path to the certificate file (if protocol is set to https or h2).

cert_key

Path to the certificate key file (if protocol is set to https or h2).

socket

Path where the socket should be created when protocol=socket. Make sure that Grafana has appropriate permissions before you change this setting.

cdn_url

Note: Available in Grafana v7.4 and later versions.

Specify a full HTTP URL address to the root of your Grafana CDN assets. Grafana will add edition and version paths.

For example, given a cdn url like https://cdn.myserver.com grafana will try to load a javascript file from http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app.<hash>.js.

read_timeout

Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections. 0 means there is no timeout for reading the request.

[database]

Grafana needs a database to store users and dashboards (and other things). By default it is configured to use sqlite3 which is an embedded database (included in the main Grafana binary).

type

Either mysql, postgres or sqlite3, it’s your choice.

host

Only applicable to MySQL or Postgres. Includes IP or hostname and port or in case of Unix sockets the path to it. For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock

name

The name of the Grafana database. Leave it set to grafana or some other name.

user

The database user (not applicable for sqlite3).

password

The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;"""

url

Use either URL or the other fields below to configure the database Example: mysql://user:secret@host:port/database

max_idle_conn

The maximum number of connections in the idle connection pool.

max_open_conn

The maximum number of open connections to the database.

conn_max_lifetime

Sets the maximum amount of time a connection may be reused. The default is 14400 (which means 14400 seconds or 4 hours). For MySQL, this setting should be shorter than the wait_timeout variable.

locking_attempt_timeout_sec

For “mysql”, if lockingMigration feature toggle is set, specify the time (in seconds) to wait before failing to lock the database for the migrations. Default is 0.

log_queries

Set to true to log the sql calls and execution times.

ssl_mode

For Postgres, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify.

isolation_level

Only the MySQL driver supports isolation levels in Grafana. In case the value is empty, the driver’s default isolation level is applied. Available options are “READ-UNCOMMITTED”, “READ-COMMITTED”, “REPEATABLE-READ” or “SERIALIZABLE”.

ca_cert_path

The path to the CA certificate to use. On many Linux systems, certs can be found in /etc/ssl/certs.

client_key_path

The path to the client key. Only if server requires client authentication.

client_cert_path

The path to the client cert. Only if server requires client authentication.

server_cert_name

The common name field of the certificate used by the mysql or postgres server. Not necessary if ssl_mode is set to skip-verify.

path

Only applicable for sqlite3 database. The file path where the database will be stored.

cache_mode

For “sqlite3” only. Shared cache setting used for connecting to the database. (private, shared) Defaults to private.

[remote_cache]

Caches authentication details and session information in the configured database, Redis or Memcached. This setting does not configure Query Caching in Grafana Enterprise.

type

Either redis, memcached, or database. Defaults to database

connstr

The remote cache connection string. The format depends on the type of the remote cache. Options are database, redis, and memcache.

database

Leave empty when using database since it will use the primary database.

redis

Example connstr: addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false

addr is the host : port of the redis server.
pool_size (optional) is the number of underlying connections that can be made to redis.
db (optional) is the number identifier of the redis database you want to use.
ssl (optional) is if SSL should be used to connect to redis server. The value may be true, false, or insecure. Setting the value to insecure skips verification of the certificate chain and hostname when making the connection.

memcache

Example connstr: 127.0.0.1:11211

[dataproxy]

logging

This enables data proxy logging, default is false.

timeout

How long the data proxy should wait before timing out. Default is 30 seconds.

This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.

keep_alive_seconds

Interval between keep-alive probes. Default is 30 seconds. For more details check the Dialer.KeepAlive documentation.

tls_handshake_timeout_seconds

The length of time that Grafana will wait for a successful TLS handshake with the datasource. Default is 10 seconds. For more details check the Transport.TLSHandshakeTimeout documentation.

expect_continue_timeout_seconds

The length of time that Grafana will wait for a datasource’s first response headers after fully writing the request headers, if the request has an “Expect: 100-continue” header. A value of 0 will result in the body being sent immediately. Default is 1 second. For more details check the Transport.ExpectContinueTimeout documentation.

max_conns_per_host

Optionally limits the total number of connections per host, including connections in the dialing, active, and idle states. On limit violation, dials are blocked. A value of 0 means that there are no limits. Default is 0. For more details check the Transport.MaxConnsPerHost documentation.

max_idle_connections

The maximum number of idle connections that Grafana will maintain. Default is 100. For more details check the Transport.MaxIdleConns documentation.

max_idle_connections_per_host

[Deprecated - use max_idle_connections instead]

The maximum number of idle connections per host that Grafana will maintain. Default is 2. For more details check the Transport.MaxIdleConnsPerHost documentation.

idle_conn_timeout_seconds

The length of time that Grafana maintains idle connections before closing them. Default is 90 seconds. For more details check the Transport.IdleConnTimeout documentation.

send_user_header

If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request. Default is false.

response_limit

Limits the amount of bytes that will be read/accepted from responses of outgoing HTTP requests. Default is 0 which means disabled.

row_limit

Limits the number of rows that Grafana will process from SQL (relational) data sources. Default is 1000000.

[analytics]

reporting_enabled

When enabled Grafana will send anonymous usage statistics to stats.grafana.org. No IP addresses are being tracked, only simple counters to track running instances, versions, dashboard and error counts. It is very helpful to us, so please leave this enabled. Counters are sent every 24 hours. Default value is true.

check_for_updates

Set to false to disable all checks to https://grafana.com for new versions of installed plugins and to the Grafana GitHub repository to check for a newer version of Grafana. The version information is used in some UI views to notify that a new Grafana update or a plugin update exists. This option does not cause any auto updates, nor send any sensitive information. The check is run every 10 minutes.

google_analytics_ua_id

If you want to track Grafana usage via Google analytics specify your Universal Analytics ID here. By default this feature is disabled.

google_tag_manager_id

Google Tag Manager ID, only enabled if you enter an ID here.

rudderstack_write_key

If you want to track Grafana usage via Rudderstack specify your Rudderstack Write Key here. The rudderstack_data_plane_url must also be provided for this feature to be enabled. By default this feature is disabled.

rudderstack_data_plane_url

Rudderstack data plane url that will receive Rudderstack events. The rudderstack_write_key must also be provided for this feature to be enabled.

rudderstack_sdk_url

Optional. If tracking with Rudderstack is enabled, you can provide a custom URL to load the Rudderstack SDK.

rudderstack_config_url

Optional. If tracking with Rudderstack is enabled, you can provide a custom URL to load the Rudderstack config.

application_insights_connection_string

If you want to track Grafana usage via Azure Application Insights, then specify your Application Insights connection string. Since the connection string contains semicolons, you need to wrap it in backticks (`). By default, tracking usage is disabled.

application_insights_endpoint_url

	Optionally, use this option to override the default endpoint address for Application Insights data collecting. For details, refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/azure-monitor/app/custom-endpoints?tabs=js).

[security]

disable_initial_admin_creation

Only available in Grafana v6.5+.

Disable creation of admin user on first start of Grafana. Default is false.

admin_user

The name of the default Grafana Admin user, who has full permissions. Default is admin.

admin_password

The password of the default Grafana Admin. Set once on first-run. Default is admin.

secret_key

Used for signing some data source settings like secrets and passwords, the encryption format used is AES-256 in CFB mode. Cannot be changed without requiring an update to data source settings to re-encode them.

disable_gravatar

Set to true to disable the use of Gravatar for user profile images. Default is false.

data_source_proxy_whitelist

Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting.

disable_brute_force_login_protection

Set to true to disable brute force login protection. Default is false.

cookie_secure

Set to true if you host Grafana behind HTTPS. Default is false.

cookie_samesite

Sets the SameSite cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. This setting also provides some protection against cross-site request forgery attacks (CSRF), read more about SameSite here. Valid values are lax, strict, none, and disabled. Default is lax. Using value disabled does not add any SameSite attribute to cookies.

allow_embedding

When false, the HTTP header X-Frame-Options: deny will be set in Grafana HTTP responses which will instruct browsers to not allow rendering Grafana in a <frame>, <iframe>, <embed> or <object>. The main goal is to mitigate the risk of Clickjacking. Default is false.

strict_transport_security

Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header. Only use this when HTTPS is enabled in your configuration, or when there is another upstream system that ensures your application does HTTPS (like a frontend load balancer). HSTS tells browsers that the site should only be accessed using HTTPS.

strict_transport_security_max_age_seconds

Sets how long a browser should cache HSTS in seconds. Only applied if strict_transport_security is enabled. The default value is 86400.

strict_transport_security_preload

Set to true to enable HSTS preloading option. Only applied if strict_transport_security is enabled. The default value is false.

strict_transport_security_subdomains

Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled. The default value is false.

x_content_type_options

Set to true to enable the X-Content-Type-Options response header. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. The default value is false.

x_xss_protection

Set to false to disable the X-XSS-Protection header, which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks. The default value is false until the next minor release, 6.3.

content_security_policy

Set to true to add the Content-Security-Policy header to your requests. CSP allows to control resources that the user agent can load and helps prevent XSS attacks.

content_security_policy_template

Set Content Security Policy template used when adding the Content-Security-Policy header to your requests. $NONCE in the template includes a random nonce.

[snapshots]

external_enabled

Set to false to disable external snapshot publish endpoint (default true).

external_snapshot_url

Set root URL to a Grafana instance where you want to publish external snapshots (defaults to https://snapshots.raintank.io).

external_snapshot_name

Set name for external snapshot button. Defaults to Publish to snapshots.raintank.io.

public_mode

Set to true to enable this Grafana instance to act as an external snapshot server and allow unauthenticated requests for creating and deleting snapshots. Default is false.

snapshot_remove_expired

Enable this to automatically remove expired snapshots. Default is true.

[dashboards]

versions_to_keep

Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1.

min_refresh_interval

Only available in Grafana v6.7+.

This feature prevents users from setting the dashboard refresh interval to a lower value than a given interval value. The default interval value is 5 seconds. The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

As of Grafana v7.3, this also limits the refresh interval options in Explore.

default_home_dashboard_path

Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + “dashboards/home.json”.

Note: On Linux, Grafana uses /usr/share/grafana/public/dashboards/home.json as the default home dashboard location.

[users]

allow_sign_up

Set to false to prohibit users from being able to sign up / create user accounts. Default is false. The admin user can still create users from the Grafana Admin Pages.

allow_org_create

Set to false to prohibit users from creating new organizations. Default is false.

auto_assign_org

Set to true to automatically add new users to the main organization (id 1). When set to false, new users automatically cause a new organization to be created for that new user. Default is true.

auto_assign_org_id

Set this value to automatically add new users to the provided org. This requires auto_assign_org to be set to true. Please make sure that this organization already exists. Default is 1.

auto_assign_org_role

The role new users will be assigned for the main organization (if the above setting is set to true). Defaults to Viewer, other valid options are Admin and Editor. e.g.:

auto_assign_org_role = Viewer

verify_email_enabled

Require email validation before sign up completes. Default is false.

login_hint

Text used as placeholder text on login page for login/username input.

password_hint

Text used as placeholder text on login page for password input.

default_theme

Set the default UI theme: dark or light. Default is dark.

home_page

Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.

External user management

If you manage users externally you can replace the user invite button for organizations with a link to an external site together with a description.

viewers_can_edit

Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to. They cannot save their changes. Default is false.

editors_can_admin

Editors can administrate dashboards, folders and teams they create. Default is false.

user_invite_max_lifetime_duration

The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).

hidden_users

This is a comma-separated list of usernames. Users specified here are hidden in the Grafana UI. They are still visible to Grafana administrators and to themselves.

[auth]

Grafana provides many ways to authenticate users. Refer to the Grafana Authentication overview and other authentication documentation for detailed instructions on how to set up and configure authentication.

login_cookie_name

The cookie name for storing the auth token. Default is grafana_session.

login_maximum_inactive_lifetime_duration

The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).

login_maximum_lifetime_duration

The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).

token_rotation_interval_minutes

How often auth tokens are rotated for authenticated users when the user is active. The default is each 10 minutes.

disable_login_form

Set to true to disable (hide) the login form, useful if you use OAuth. Default is false.

disable_signout_menu

Set to true to disable the signout link in the side menu. This is useful if you use auth.proxy. Default is false.

signout_redirect_url

URL to redirect the user to after they sign out.

oauth_auto_login

Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Default is false.

oauth_state_cookie_max_age

How many seconds the OAuth state cookie lives before being deleted. Default is 600 (seconds) Administrators can increase this if they experience OAuth login state mismatch errors.

oauth_skip_org_role_update_sync

Skip forced assignment of OrgID 1 or auto_assign_org_id for external logins. Default is false. Use this setting to distribute users with external login to multiple organizations. Otherwise, the users’ organization would get reset on every new login, for example, via AzureAD.

api_key_max_seconds_to_live

Limit of API key seconds to live before expiration. Default is -1 (unlimited).

sigv4_auth_enabled

Only available in Grafana 7.3+.

Set to true to enable the AWS Signature Version 4 Authentication option for HTTP-based datasources. Default is false.

sigv4_verbose_logging

Only available in Grafana 8.4+.

Set to true to enable verbose request signature logging when AWS Signature Version 4 Authentication is enabled. Default is false.

[auth.anonymous]

Refer to Anonymous authentication for detailed instructions.

[auth.github]

Refer to GitHub OAuth2 authentication for detailed instructions.

[auth.gitlab]

Refer to Gitlab OAuth2 authentication for detailed instructions.

[auth.google]

Refer to Google OAuth2 authentication for detailed instructions.

[auth.grafananet]

Legacy key names, still in the config file so they work in env variables.

[auth.grafana_com]

Legacy key names, still in the config file so they work in env variables.

[auth.azuread]

Refer to Azure AD OAuth2 authentication for detailed instructions.

[auth.okta]

Refer to Okta OAuth2 authentication for detailed instructions.

[auth.generic_oauth]

Refer to Generic OAuth authentication for detailed instructions.

[auth.basic]

Refer to Basic authentication for detailed instructions.

[auth.proxy]

Refer to Auth proxy authentication for detailed instructions.

[auth.ldap]

Refer to LDAP authentication for detailed instructions.

[aws]

You can configure core and external AWS plugins.

allowed_auth_providers

Specify what authentication providers the AWS plugins allow. For a list of allowed providers, refer to the data-source configuration page for a given plugin. If you configure a plugin by provisioning, only providers that are specified in allowed_auth_providers are allowed.

Options: default (AWS SDK default), keys (Access and secret key), credentials (Credentials file), ec2_iam_role (EC2 IAM role)

assume_role_enabled

Set to false to disable AWS authentication from using an assumed role with temporary security credentials. For details about assume roles, refer to the AWS API reference documentation about the AssumeRole operation.

If this option is disabled, the Assume Role and the External Id field are removed from the AWS data source configuration page. If the plugin is configured using provisioning, it is possible to use an assumed role as long as assume_role_enabled is set to true.

list_metrics_page_limit

Use the List Metrics API option to load metrics for custom namespaces in the CloudWatch data source. By default, the page limit is 500.

[azure]

Grafana supports additional integration with Azure services when hosted in the Azure Cloud.

cloud

Azure cloud environment where Grafana is hosted:

Azure Cloud	Value
Microsoft Azure public cloud	AzureCloud (default)
Microsoft Chinese national cloud	AzureChinaCloud
US Government cloud	AzureUSGovernment
Microsoft German national cloud (“Black Forest”)	AzureGermanCloud

managed_identity_enabled

Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance). Disabled by default, needs to be explicitly enabled.

managed_identity_client_id

The client ID to use for user-assigned managed identity.

Should be set for user-assigned identity and should be empty for system-assigned identity.

[auth.jwt]

Refer to JWT authentication for more information.

[smtp]

Email server settings.

enabled

Enable this to allow Grafana to send email. Default is false.

host

Default is localhost:25.

user

In case of SMTP auth, default is empty.

password

In case of SMTP auth, default is empty. If the password contains # or ;, then you have to wrap it with triple quotes. Example: “”"#password;"""

cert_file

File path to a cert file, default is empty.

key_file

File path to a key file, default is empty.

skip_verify

Verify SSL for SMTP server, default is false.

from_address

Address used when sending out emails, default is admin@grafana.localhost.

from_name

Name to be used when sending out emails, default is Grafana.

ehlo_identity

Name to be used as client identity for EHLO in SMTP dialog, default is <instance_name>.

startTLS_policy

Either “OpportunisticStartTLS”, “MandatoryStartTLS”, “NoStartTLS”. Default is empty.

[emails]

welcome_email_on_sign_up

Default is false.

templates_pattern

Enter a comma separated list of template patterns. Default is emails/*.html, emails/*.txt.

content_types

Enter a comma-separated list of content types that should be included in the emails that are sent. List the content types according descending preference, e.g. text/html, text/plain for HTML as the most preferred. The order of the parts is significant as the mail clients will use the content type that is supported and most preferred by the sender. Supported content types are text/html and text/plain. Default is text/html.

[log]

Grafana logging options.

mode

Options are “console”, “file”, and “syslog”. Default is “console” and “file”. Use spaces to separate multiple modes, e.g. console file.

level

Options are “debug”, “info”, “warn”, “error”, and “critical”. Default is info.

filters

Optional settings to set different levels for specific loggers. For example: filters = sqlstore:debug

[log.console]

Only applicable when “console” is used in [log] mode.

level

Options are “debug”, “info”, “warn”, “error”, and “critical”. Default is inherited from [log] level.

format

Log line format, valid options are text, console and json. Default is console.

[log.file]

Only applicable when “file” used in [log] mode.

level

Options are “debug”, “info”, “warn”, “error”, and “critical”. Default is inherited from [log] level.

format

Log line format, valid options are text, console and json. Default is text.

log_rotate

Enable automated log rotation, valid options are false or true. Default is true. When enabled use the max_lines, max_size_shift, daily_rotate and max_days to configure the behavior of the log rotation.

max_lines

Maximum lines per file before rotating it. Default is 1000000.

max_size_shift

Maximum size of file before rotating it. Default is 28, which means 1 << 28, 256MB.

daily_rotate

Enable daily rotation of files, valid options are false or true. Default is true.

max_days

Maximum number of days to keep log files. Default is 7.

[log.syslog]

Only applicable when “syslog” used in [log] mode.

level

Options are “debug”, “info”, “warn”, “error”, and “critical”. Default is inherited from [log] level.

format

Log line format, valid options are text, console, and json. Default is text.

network and address

Syslog network type and address. This can be UDP, TCP, or UNIX. If left blank, then the default UNIX endpoints are used.

facility

Syslog facility. Valid options are user, daemon or local0 through local7. Default is empty.

tag

Syslog tag. By default, the process’s argv[0] is used.

[log.frontend]

Note: This feature is available in Grafana 7.4+.

enabled

Sentry javascript agent is initialized. Default is false.

sentry_dsn

Sentry DSN if you want to send events to Sentry

custom_endpoint

Custom HTTP endpoint to send events captured by the Sentry agent to. Default, /log, will log the events to stdout.

sample_rate

Rate of events to be reported between 0 (none) and 1 (all, default), float.

log_endpoint_requests_per_second_limit

Requests per second limit enforced per an extended period, for Grafana backend log ingestion endpoint, /log. Default is 3.

log_endpoint_burst_limit

Maximum requests accepted per short interval of time for Grafana backend log ingestion endpoint, /log. Default is 15.

[quota]

Set quotas to -1 to make unlimited.

enabled

Enable usage quotas. Default is false.

org_user

Limit the number of users allowed per organization. Default is 10.

org_dashboard

Limit the number of dashboards allowed per organization. Default is 100.

org_data_source

Limit the number of data sources allowed per organization. Default is 10.

org_api_key

Limit the number of API keys that can be entered per organization. Default is 10.

org_alert_rule

Limit the number of alert rules that can be entered per organization. Default is 100.

user_org

Limit the number of organizations a user can create. Default is 10.

global_user

Sets a global limit of users. Default is -1 (unlimited).

global_org

Sets a global limit on the number of organizations that can be created. Default is -1 (unlimited).

global_dashboard

Sets a global limit on the number of dashboards that can be created. Default is -1 (unlimited).

global_api_key

Sets global limit of API keys that can be entered. Default is -1 (unlimited).

global_session

Sets a global limit on number of users that can be logged in at one time. Default is -1 (unlimited).

global_alert_rule

Sets a global limit on number of alert rules that can be created. Default is -1 (unlimited).

[unified_alerting]

For more information about the Grafana alerts, refer to Unified Alerting.

enabled

Enable the Unified Alerting sub-system and interface. When enabled we’ll migrate all of your alert rules and notification channels to the new system. New alert rules will be created and your notification channels will be converted into an Alertmanager configuration. Previous data is preserved to enable backwards compatibility but new data is removed. The default value is false.

Alerting Rules migrated from dashboards and panels will include a link back via the annotations.

disabled_orgs

Comma-separated list of organization IDs for which to disable Grafana 8 Unified Alerting.

admin_config_poll_interval

Specify the frequency of polling for admin config changes. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

alertmanager_config_poll_interval

Specify the frequency of polling for Alertmanager config changes. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

ha_listen_address

Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port. The default value is 0.0.0.0:9094.

ha_advertise_address

Explicit address/hostname and port to advertise other Grafana instances. The port is used for both TCP and UDP.

ha_peers

Comma-separated list of initial instances (in a format of host:port) that will form the HA cluster. Configuring this setting will enable High Availability mode for alerting.

ha_peer_timeout

Time to wait for an instance to send a notification via the Alertmanager. In HA, each Grafana instance will be assigned a position (e.g. 0, 1). We then multiply this position with the timeout to indicate how long should each instance wait before sending the notification to take into account replication lag. The default value is 15s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

ha_gossip_interval

The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated across cluster more quickly at the expense of increased bandwidth usage. The default value is 200ms.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

ha_push_pull_interval

The interval between gossip full state syncs. Setting this interval lower (more frequent) will increase convergence speeds across larger clusters at the expense of increased bandwidth usage. The default value is 60s.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

execute_alerts

Enable or disable alerting rule execution. The default value is true. The alerting UI remains visible. This option has a legacy version in the alerting section that takes precedence.

evaluation_timeout

Sets the alert evaluation timeout when fetching data from the datasource. The default value is 30s. This option has a legacy version in the alerting section that takes precedence.

The timeout string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

max_attempts

Sets a maximum number of times we’ll attempt to evaluate an alert rule before giving up on that evaluation. The default value is 3. This option has a legacy version in the alerting section that takes precedence.

min_interval

Sets the minimum interval to enforce between rule evaluations. The default value is 10s which equals the scheduler interval. Rules will be adjusted if they are less than this value or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as we’ll schedule fewer evaluations over time. This option has a legacy version in the alerting section that takes precedence.

The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.

Note. This setting has precedence over each individual rule frequency. If a rule frequency is lower than this value, then this value is enforced.

[alerting]

For more information about the legacy dashboard alerting feature in Grafana, refer to Alerts overview.

enabled

Set to false to enable Grafana alerting and to disable legacy alerting engine. to disable Grafana alerting, set to true.

execute_alerts

Turns off alert rule execution, but alerting is still visible in the Grafana UI.

error_or_timeout

Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)

nodata_or_nullvalues

Defines how Grafana handles nodata or null values in alerting. Options are alerting, no_data, keep_state, and ok. Default is no_data.

concurrent_render_limit

Alert notifications can include images, but rendering many images at the same time can overload the server. This limit protects the server from render overloading and ensures notifications are sent out quickly. Default value is 5.

evaluation_timeout_seconds

Sets the alert calculation timeout. Default value is 30.

notification_timeout_seconds

Sets the alert notification timeout. Default value is 30.

max_attempts

Sets a maximum limit on attempts to sending alert notifications. Default value is 3.

min_interval_seconds

Sets the minimum interval between rule evaluations. Default value is 1.

Note. This setting has precedence over each individual rule frequency. If a rule frequency is lower than this value, then this value is enforced.

max_annotation_age =

Configures for how long alert annotations are stored. Default is 0, which keeps them forever. This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep =

Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.

[annotations]

cleanupjob_batchsize

Configures the batch size for the annotation clean-up job. This setting is used for dashboard, API, and alert annotations.

[annotations.dashboard]

Dashboard annotations means that annotations are associated with the dashboard they are created on.

max_age

Configures how long dashboard annotations are stored. Default is 0, which keeps them forever. This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep

Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.

[annotations.api]

API annotations means that the annotations have been created using the API without any association with a dashboard.

max_age

Configures how long Grafana stores API annotations. Default is 0, which keeps them forever. This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).

max_annotations_to_keep

Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.

[explore]

For more information about this feature, refer to Explore.

enabled

Enable or disable the Explore section. Default is enabled.

[metrics]

For detailed instructions, refer to Internal Grafana metrics.

enabled

Enable metrics reporting. defaults true. Available via HTTP API <URL>/metrics.

interval_seconds

Flush/write interval when sending metrics to external TSDB. Defaults to 10.

disable_total_stats

If set to true, then total stats generation (stat_totals_* metrics) is disabled. Default is false.

basic_auth_username and basic_auth_password

If both are set, then basic authentication is required to access the metrics endpoint.

[metrics.environment_info]

Adds dimensions to the grafana_environment_info metric, which can expose more information about the Grafana instance.

; exampleLabel1 = exampleValue1
; exampleLabel2 = exampleValue2

[metrics.graphite]

Use these options if you want to send internal Grafana metrics to Graphite.

address

Enable by setting the address. Format is <Hostname or ip>:port.

prefix

Graphite metric prefix. Defaults to prod.grafana.%(instance_name)s.

[grafana_net]

url

Default is https://grafana.com.

[grafana_com]

url

Default is https://grafana.com.

[tracing.jaeger]

Configure Grafana’s Jaeger client for distributed tracing.

You can also use the standard JAEGER_* environment variables to configure Jaeger. See the table at the end of https://www.jaegertracing.io/docs/1.16/client-features/ for the full list. Environment variables will override any settings provided here.

address

The host:port destination for reporting spans. (ex: localhost:6831)

Can be set with the environment variables JAEGER_AGENT_HOST and JAEGER_AGENT_PORT.

always_included_tag

Comma-separated list of tags to include in all new spans, such as tag1:value1,tag2:value2.

Can be set with the environment variable JAEGER_TAGS (use = instead of : with the environment variable).

sampler_type

Default value is const.

Specifies the type of sampler: const, probabilistic, ratelimiting, or remote.

Refer to https://www.jaegertracing.io/docs/1.16/sampling/#client-sampling-configuration for details on the different tracing types.

Can be set with the environment variable JAEGER_SAMPLER_TYPE.

sampler_param

Default value is 1.

This is the sampler configuration parameter. Depending on the value of sampler_type, it can be 0, 1, or a decimal value in between.

For const sampler, 0 or 1 for always false/true respectively
For probabilistic sampler, a probability between 0 and 1.0
For rateLimiting sampler, the number of spans per second
For remote sampler, param is the same as for probabilistic and indicates the initial sampling rate before the actual one is received from the mothership

May be set with the environment variable JAEGER_SAMPLER_PARAM.

sampling_server_url

sampling_server_url is the URL of a sampling manager providing a sampling strategy.

zipkin_propagation

Default value is false.

Controls whether or not to use Zipkin’s span propagation format (with x-b3- HTTP headers). By default, Jaeger’s format is used.

Can be set with the environment variable and value JAEGER_PROPAGATION=b3.

disable_shared_zipkin_spans

Default value is false.

Setting this to true turns off shared RPC spans. Leaving this available is the most common setting when using Zipkin elsewhere in your infrastructure.

[external_image_storage]

These options control how images should be made public so they can be shared on services like Slack or email message.

provider

Options are s3, webdav, gcs, azure_blob, local). If left empty, then Grafana ignores the upload action.

[external_image_storage.s3]

endpoint

Optional endpoint URL (hostname or fully qualified URI) to override the default generated S3 endpoint. If you want to keep the default, just leave this empty. You must still provide a region value if you specify an endpoint.

path_style_access

Set this to true to force path-style addressing in S3 requests, i.e., http://s3.amazonaws.com/BUCKET/KEY, instead of the default, which is virtual hosted bucket addressing when possible (http://BUCKET.s3.amazonaws.com/KEY).

Note: This option is specific to the Amazon S3 service.

bucket_url

(for backward compatibility, only works when no bucket or region are configured) Bucket URL for S3. AWS region can be specified within URL or defaults to ‘us-east-1’, e.g.

bucket

Bucket name for S3. e.g. grafana.snapshot.

region

Region name for S3. e.g. ‘us-east-1’, ‘cn-north-1’, etc.

path

Optional extra path inside bucket, useful to apply expiration policies.

access_key

Access key, e.g. AAAAAAAAAAAAAAAAAAAA.

Access key requires permissions to the S3 bucket for the ‘s3:PutObject’ and ‘s3:PutObjectAcl’ actions.

secret_key

Secret key, e.g. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.

[external_image_storage.webdav]

url

URL where Grafana sends PUT request with images.

username

Basic auth username.

password

Basic auth password.

public_url

Optional URL to send to users in notifications. If the string contains the sequence ${file}, it is replaced with the uploaded filename. Otherwise, the file name is appended to the path part of the URL, leaving any query string unchanged.

[external_image_storage.gcs]

key_file

Optional path to JSON key file associated with a Google service account to authenticate and authorize. If no value is provided it tries to use the application default credentials. Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts.

Service Account should have “Storage Object Writer” role. The access control model of the bucket needs to be “Set object-level and bucket-level permissions”. Grafana itself will make the images public readable when signed urls are not enabled.

bucket

Bucket Name on Google Cloud Storage.

path

Optional extra path inside bucket.

enable_signed_urls

If set to true, Grafana creates a signed URL for the image uploaded to Google Cloud Storage.

signed_url_expiration

Sets the signed URL expiration, which defaults to seven days.

[external_image_storage.azure_blob]

account_name

Storage account name.

account_key

Storage account key

container_name

Container name where to store “Blob” images with random names. Creating the blob container beforehand is required. Only public containers are supported.

[external_image_storage.local]

This option does not require any configuration.

[rendering]

Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.

server_url

URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.

callback_url

If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.

concurrent_render_request_limit

Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server, which this setting can help protect against by only allowing a certain number of concurrent requests. Default is 30.

[panels]

enable_alpha

Set to true if you want to test alpha panels that are not yet ready for general usage. Default is false.

disable_sanitize_html

If set to true Grafana will allow script tags in text panels. Not recommended as it enables XSS vulnerabilities. Default is false. This setting was introduced in Grafana v6.0.

[plugins]

enable_alpha

Set to true if you want to test alpha plugins that are not yet ready for general usage. Default is false.

allow_loading_unsigned_plugins

Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.

We do not recommend using this option. For more information, refer to Plugin signatures.

plugin_admin_enabled

Available to Grafana administrators only, enables installing / uninstalling / updating plugins directly from the Grafana UI. Set to true by default. Setting it to false will hide the install / uninstall / update controls.

For more information, refer to Plugin catalog.

plugin_admin_external_manage_enabled

Set to true if you want to enable external management of plugins. Default is false. This is only applicable to Grafana Cloud users.

plugin_catalog_url

Custom install/learn more URL for enterprise plugins. Defaults to https://grafana.com/grafana/plugins/.

plugin_catalog_hidden_plugins

Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.

[live]

max_connections

Note: Available in Grafana v8.0 and later versions.

The max_connections option specifies the maximum number of connections to the Grafana Live WebSocket endpoint per Grafana server instance. Default is 100.

Refer to Grafana Live configuration documentation if you specify a number higher than default since this can require some operating system and infrastructure tuning.

0 disables Grafana Live, -1 means unlimited connections.

allowed_origins

Note: Available in Grafana v8.0.4 and later versions.

The allowed_origins option is a comma-separated list of additional origins (Origin header of HTTP Upgrade request during WebSocket connection establishment) that will be accepted by Grafana Live.

If not set (default), then the origin is matched over root_url which should be sufficient for most scenarios.

Origin patterns support wildcard symbol “*”.

For example:

[live]
allowed_origins = "https://*.example.com"

ha_engine

Note: Available in Grafana v8.1 and later versions.

Experimental

The high availability (HA) engine name for Grafana Live. By default, it’s not set. The only possible value is “redis”.

For more information, refer to Configure Grafana Live HA setup.

ha_engine_address

Note: Available in Grafana v8.1 and later versions.

Experimental

Address string of selected the high availability (HA) Live engine. For Redis, it’s a host:port string. Example:

[live]
ha_engine = redis
ha_engine_address = 127.0.0.1:6379

[plugin.grafana-image-renderer]

For more information, refer to Image rendering.

rendering_timezone

Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert. See ICUs metaZones.txt for a list of supported timezone IDs. Fallbacks to TZ environment variable if not set.

rendering_language

Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert. Refer to the HTTP header Accept-Language to understand how to format this value, e.g. ‘fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5’.

rendering_viewport_device_scale_factor

Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert. Default is 1. Using a higher value will produce more detailed images (higher DPI), but requires more disk space to store an image.

rendering_ignore_https_errors

Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to the security risk, we do not recommend that you ignore HTTPS errors.

rendering_verbose_logging

Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will only capture and log error messages.

When enabled, debug messages are captured and logged as well.

For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure [log].filter = rendering:debug.

rendering_dumpio

Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service. Default is false.

It can be useful to set this to true when troubleshooting.

rendering_args

Additional arguments to pass to the headless browser instance. Defaults are --no-sandbox,--disable-gpu. The list of Chromium flags can be found at (https://peter.sh/experiments/chromium-command-line-switches/). Separate multiple arguments with commas.

rendering_chrome_bin

You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.

Please note that this is not recommended. You might encounter problems if the installed version of Chrome/Chromium is not compatible with the plugin.

rendering_mode

Instruct how headless browser instances are created. Default is default and will create a new browser instance on each request.

Mode clustered will make sure that only a maximum of browsers/incognito pages can execute concurrently.

Mode reusable will have one browser instance and will create a new incognito page on each request.

rendering_clustering_mode

When rendering_mode = clustered, you can instruct how many browsers or incognito pages can execute concurrently. Default is browser and will cluster using browser instances.

Mode context will cluster using incognito pages.

rendering_clustering_max_concurrency

When rendering_mode = clustered, you can define the maximum number of browser instances/incognito pages that can execute concurrently. Default is 5.

rendering_clustering_timeout

Note: Available in grafana-image-renderer v3.3.0 and later versions.

When rendering_mode = clustered, you can specify the duration a rendering request can take before it will time out. Default is 30 seconds.

rendering_viewport_max_width

Limit the maximum viewport width that can be requested.

rendering_viewport_max_height

Limit the maximum viewport height that can be requested.

rendering_viewport_max_device_scale_factor

Limit the maximum viewport device scale factor that can be requested.

grpc_host

Change the listening host of the gRPC server. Default host is 127.0.0.1.

grpc_port

Change the listening port of the gRPC server. Default port is 0 and will automatically assign a port not in use.

[enterprise]

For more information about Grafana Enterprise, refer to Grafana Enterprise.

[feature_toggles]

enable

Keys of alpha features to enable, separated by space.

[date_formats]

Note: The date format options below are only available in Grafana v7.2+.

This section controls system-wide defaults for date formats used in time ranges, graphs, and date input boxes.

The format patterns use Moment.js formatting tokens.

full_date

Full date format used by time range picker and in other places where a full date is rendered.

intervals

These intervals formats are used in the graph to show only a partial date or time. For example, if there are only minutes between Y-axis tick labels then the interval_minute format is used.

Defaults

interval_second = HH:mm:ss
interval_minute = HH:mm
interval_hour = MM/DD HH:mm
interval_day = MM/DD
interval_month = YYYY-MM
interval_year = YYYY

use_browser_locale

Set this to true to have date formats automatically derived from your browser location. Defaults to false. This is an experimental feature.

default_timezone

Used as the default time zone for user preferences. Can be either browser for the browser local time zone or a time zone name from the IANA Time Zone database, such as UTC or Europe/Amsterdam.

default_week_start

Set the default start of the week, valid values are: saturday, sunday, monday or browser to use the browser locale to define the first day of the week. Default is browser.

[expressions]

Note: This feature is available in Grafana v7.4 and later versions.

enabled

Set this to false to disable expressions and hide them in the Grafana UI. Default is true.

[geomap]

This section controls the defaults settings for Geomap Plugin.

default_baselayer_config

The json config used to define the default base map. Four base map options to choose from are carto, esriXYZTiles, xyzTiles, standard. For example, to set cartoDB light as the default base layer:

default_baselayer_config = `{
  "type": "xyz",
  "config": {
    "attribution": "Open street map",
    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
  }
}`

enable_custom_baselayers

Set this to true to disable loading other custom base maps and hide them in the Grafana UI. Default is false.

Configure Grafana Docker image

Sat, 04 Apr 2026 12:26:57 +0000

Configure a Grafana Docker image

If you are running Grafana in a Docker image, then you configure Grafana using environment variables rather than directly editing the configuration file. If you want to save your data, then you also need to designate persistent storage or bind mounts for the Grafana container.

Note: These examples use the Grafana Enterprise docker image. You can use the Grafana Open Source edition by changing the docker image to grafana/grafana-oss.

Save your Grafana data

If you do not designate a location for information storage, then all your Grafana data disappears as soon as you stop your container. To save your data, you need to set up persistent storage or bind mounts for your container.

Run Grafana container with persistent storage (recommended)

# create a persistent volume for your data in /var/lib/grafana (database and plugins)
docker volume create grafana-storage

# start grafana
docker run -d -p 3000:3000 --name=grafana -v grafana-storage:/var/lib/grafana grafana/grafana-enterprise

Run Grafana container using bind mounts

You may want to run Grafana in Docker but use folders on your host for the database or configuration. When doing so, it becomes important to start the container with a user that is able to access and write to the folder you map into the container.

mkdir data # creates a folder for your data
ID=$(id -u) # saves your user id in the ID variable

# starts grafana with your user id and using the data folder
docker run -d --user $ID --volume "$PWD/data:/var/lib/grafana" -p 3000:3000 grafana/grafana-enterprise:8.2.1

Default paths

The following settings are hard-coded when launching the Grafana Docker container and can only be overridden using environment variables, not in conf/grafana.ini.

Setting	Default value
GF_PATHS_CONFIG	/etc/grafana/grafana.ini
GF_PATHS_DATA	/var/lib/grafana
GF_PATHS_HOME	/usr/share/grafana
GF_PATHS_LOGS	/var/log/grafana
GF_PATHS_PLUGINS	/var/lib/grafana/plugins
GF_PATHS_PROVISIONING	/etc/grafana/provisioning

Logging

Logs in the Docker container go to standard out by default, as is common in the Docker world. Change this by setting a different log mode.

Example:

# Run Grafana while logging to both standard out and /var/log/grafana/grafana.log
docker run -p 3000:3000 -e "GF_LOG_MODE=console file" grafana/grafana-enterprise

Configure Grafana with Docker Secrets

Only available in Grafana v5.2 and later.

It’s possible to supply Grafana with configuration through files. This works well with Docker Secrets as the secrets by default gets mapped into /run/secrets/<name of secret> of the container.

You can do this with any of the configuration options in conf/grafana.ini by setting GF_<SectionName>_<KeyName>__FILE to the path of the file holding the secret.

For example, you could set the admin password this way:

Admin password secret: /run/secrets/admin_password
Environment variable: GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/admin_password

Configure AWS credentials for CloudWatch Support

docker run -d \
-p 3000:3000 \
--name=grafana \
-e "GF_AWS_PROFILES=default" \
-e "GF_AWS_default_ACCESS_KEY_ID=YOUR_ACCESS_KEY" \
-e "GF_AWS_default_SECRET_ACCESS_KEY=YOUR_SECRET_KEY" \
-e "GF_AWS_default_REGION=us-east-1" \
grafana/grafana-enterprise

You may also specify multiple profiles to GF_AWS_PROFILES (e.g. GF_AWS_PROFILES=default another).

Supported variables:

GF_AWS_${profile}_ACCESS_KEY_ID: AWS access key ID (required).
GF_AWS_${profile}_SECRET_ACCESS_KEY: AWS secret access key (required).
GF_AWS_${profile}_REGION: AWS region (optional).

Grafana CLI

Sat, 04 Apr 2026 12:26:57 +0000

Grafana CLI

Grafana CLI is a small executable that is bundled with Grafana server. It can be executed on the same machine Grafana server is running on. Grafana CLI has plugins and admin commands, as well as global options.

To list all commands and options:

grafana-cli -h

Invoking Grafana CLI

To invoke Grafana CLI, add the path to the grafana binaries in your PATH environment variable. Alternately, if your current directory is the bin directory, use ./grafana-cli. Otherwise, you can specify full path to the CLI. For example, on Linux /usr/share/grafana/bin/grafana-cli and on Windows C:\Program Files\GrafanaLabs\grafana\bin\grafana-cli.exe.

Note: Some commands, such as installing or removing plugins, require sudo on Linux. If you are on Windows, run Windows PowerShell as Administrator.

Grafana CLI command syntax

The general syntax for commands in Grafana CLI is:

grafana-cli [global options] command [command options] [arguments...]

Global options

Grafana CLI allows you to temporarily override certain Grafana default settings. Except for --help and --version, most global options are only used by developers.

Each global option applies only to the command in which it is used. For example, --pluginsDir value does not permanently change where Grafana saves plugins. It only changes it for command in which you apply the option.

Display Grafana CLI help

--help or -h displays the help, including default paths and Docker configuration information.

Example:

grafana-cli -h

Display Grafana CLI version

--version or -v prints the version of Grafana CLI currently running.

Example:

grafana-cli -v

Override default plugin directory

--pluginsDir value overrides the path to where your local Grafana instance stores plugins. Use this option if you want to install, update, or remove a plugin somewhere other than the default directory ("/var/lib/grafana/plugins") [$GF_PLUGIN_DIR].

Example:

grafana-cli --pluginsDir "/var/lib/grafana/devplugins" plugins install <plugin-id>

Override default plugin repo URL

--repo value allows you to download and install or update plugins from a repository other than the default Grafana repo.

Example:

grafana-cli --repo "https://example.com/plugins" plugins install <plugin-id>

Override default plugin .zip URL

--pluginUrl value allows you to download a .zip file containing a plugin from a local URL instead of downloading it from the default Grafana source.

Example:

grafana-cli --pluginUrl https://company.com/grafana/plugins/<plugin-id>-<plugin-version>.zip plugins install <plugin-id>

Override Transport Layer Security

Warning: Turning off TLS is a significant security risk. We do not recommend using this option.

--insecure allows you to turn off Transport Layer Security (TLS) verification (insecure). You might want to do this if you are downloading a plugin from a non-default source.

Example:

grafana-cli --insecure --pluginUrl https://company.com/grafana/plugins/<plugin-id>-<plugin-version>.zip plugins install <plugin-id>

Enable debug logging

--debug or -d enables debug logging. Debug output is returned and shown in the terminal.

Example:

grafana-cli --debug plugins install <plugin-id>

Override a configuration setting

--configOverrides is a command line argument that acts like an environmental variable override.

For example, you can use it to redirect logging to another file (maybe to log plugin installations in Grafana Cloud) or when resetting the admin password and you have non-default values for some important configuration value (like where the database is located).

Example:

grafana-cli --configOverrides cfg:default.paths.log=/dev/null plugins install <plugin-id>

Override homepath value

Sets the path for the Grafana install/home path, defaults to working directory. You do not need to use this if you are in the Grafana installation directory when using the CLI.

Example:

grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password <new password>

Override config file

--config value overrides the default location where Grafana expects the configuration file. Refer to Configuration for more information about configuring Grafana and default configuration file locations.

Example:

grafana-cli --config "/etc/configuration/" admin reset-admin-password mynewpassword

Plugins commands

Grafana CLI allows you to install, upgrade, and manage your Grafana plugins. For more information about installing plugins, refer to plugins page.

All listed commands apply to the Grafana default repositories and directories. You can override the defaults with Global Options.

List available plugins

grafana-cli plugins list-remote

Install the latest version of a plugin

grafana-cli plugins install <plugin-id>

Install a specific version of a plugin

grafana-cli plugins install <plugin-id> <version>

List installed plugins

grafana-cli plugins ls

Update all installed plugins

grafana-cli plugins update-all

Update one plugin

grafana-cli plugins update <plugin-id>

Remove one plugin

grafana-cli plugins remove <plugin-id>

Admin commands

Admin commands are only available in Grafana 4.1 and later.

Show all admin commands

grafana-cli admin

Reset admin password

grafana-cli admin reset-admin-password <new password> resets the password for the admin user using the CLI. You might need to do this if you lose the admin password.

If there are two flags being used to set the homepath and the config file path, then running the command returns this error:

Could not find config defaults, make sure homepath command line parameter is set or working directory is homepath

To correct this, use the --homepath global option to specify the Grafana default homepath for this command:

grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password <new password>

If you have not lost the admin password, we recommend that you change the user password either in the User Preferences or in the Server Admin > User tab.

If you need to set the password in a script, then you can use the Grafana User API.

Migrate data and encrypt passwords

data-migration runs a script that migrates or cleans up data in your database.

encrypt-datasource-passwords migrates passwords from unsecured fields to secure_json_data field. Returns ok unless there is an error. Safe to execute multiple times.

Example:

grafana-cli admin data-migration encrypt-datasource-passwords

Database encryption

Sat, 04 Apr 2026 12:26:57 +0000

Grafana database encryption

Grafana’s database contains secrets, which are used to query data sources, send alert notifications and perform other functions within Grafana.

Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES), and using a secret key that you can change when you configure a new Grafana instance.

You can choose to use envelope encryption, which adds a layer of indirection to the encryption process.

Note: In Grafana Enterprise, you can also choose to encrypt secrets in AES-GCM mode instead of AES-CFB.

Envelope encryption

In Grafana, you can choose to use envelope encryption. Instead of encrypting all secrets with a single key, Grafana uses a set of keys called data encryption keys (DEKs) to encrypt them. These data encryption keys are themselves encrypted with a single key encryption key (KEK).

To turn on envelope encryption, add the term envelopeEncryption to the list of feature toggles in your Grafana configuration.

Note: Avoid turning off envelope encryption once you have turned it on, and back up your database before turning it on for the first time. If you turn envelope encryption on, create new secrets or update your existing secrets (for example, by creating a new data source or alert notification channel), and then turn envelope encryption off, then those data sources, alert notification channels, and other resources using envelope encryption will stop working and you will experience errors. This is because the secrets encrypted with envelope encryption cannot be decrypted or used by Grafana when envelope encryption is turned off.

KMS integration

With KMS integrations, you can choose to encrypt secrets stored in the Grafana database using a key from a KMS, which is a secure central storage location that is designed to help you to create and manage cryptographic keys and control their use across many services.

Note: KMS integration is available in Grafana Enterprise. For more information, refer to Enterprise Encryption in Grafana Enterprise.

Security

Sat, 04 Apr 2026 12:26:57 +0000

Security

If you run non-Grafana web services on your Grafana server or within its local network, then they might be vulnerable to exploitation through the Grafana data source proxy or other methods.

To prevent this type of exploitation from happening, we recommend that you apply one or more of the precautions listed below.

Limit IP addresses/hostnames for data source URL

You can configure Grafana to only allow certain IP addresses or hostnames to be used as data source URLs and proxied through the Grafana data source proxy. Refer to data_source_proxy_whitelist for usage instructions.

Request security

The request security configuration option allows users to limit requests from the Grafana server. It targets requests that are generated by users. For more information, refer to Request security in Grafana Enterprise.

Note: Request security is available in Grafana Enterprise v7.4 and later versions.

Firewall rules

Configure a firewall to restrict Grafana from making network requests to sensitive internal web services.

There are many firewall tools available, refer to the documentation for your specific security tool. For example, Linux users can use iptables.

Proxy server

Require all network requests being made by Grafana to go through a proxy server.

Limit Viewer query permissions

Users with the Viewer role can enter any possible query in any of the data sources available in the organization, not just the queries that are defined on the dashboards for which the user has Viewer permissions.

For example: In a Grafana instance with one data source, one dashboard, and one panel that has one query defined, you might assume that a Viewer can only see the result of the query defined in that panel. Actually, the Viewer has access to send any query to the data source. With a command-line tool like curl (there are lots of tools for this), the Viewer can make their own query to the data source and potentially access sensitive data.

To address this vulnerability, you can restrict data source query access in the following ways:

Create multiple data sources with some restrictions added in data source configuration that restrict access (like database name or credentials). Then use the Data Source Permissions Enterprise feature to restrict user access to the data source in Grafana.
Create a separate Grafana organization, and in that organization, create a separate data source. Make sure the data source has some option/user/credentials setting that limits access to a subset of the data. Not all data sources have an option to limit access.

Implications of enabling anonymous access to dashboards

When you enable anonymous access to a dashboard, it is publicly available. This section lists the security implications of enabling Anonymous access.

Anyone with the URL can access the dashboard.
Anyone can make view calls to the API and list all folders, dashboards, and data sources.
Anyone can make arbitrary queries to any data source that the Grafana instance is configured with.

Provisioning

Sat, 04 Apr 2026 12:26:57 +0000

Provisioning Grafana

In previous versions of Grafana, you could only use the API for provisioning data sources and dashboards. But that required the service to be running before you started creating dashboards and you also needed to set up credentials for the HTTP API. In v5.0 we decided to improve this experience by adding a new active provisioning system that uses config files. This will make GitOps more natural as data sources and dashboards can be defined via files that can be version controlled. We hope to extend this system to later add support for users, orgs and alerts as well.

Config File

Check out the configuration page for more information on what you can configure in grafana.ini

Config File Locations

Default configuration from $WORKING_DIR/conf/defaults.ini
Custom configuration from $WORKING_DIR/conf/custom.ini
The custom configuration file path can be overridden using the --config parameter

Note: If you have installed Grafana using the deb or rpm packages, then your configuration file is located at /etc/grafana/grafana.ini. This path is specified in the Grafana init.d script using --config file parameter.

Using Environment Variables

It is possible to use environment variable interpolation in all 3 provisioning configuration types. Allowed syntax is either $ENV_VAR_NAME or ${ENV_VAR_NAME} and can be used only for values not for keys or bigger parts of the configurations. It is not available in the dashboard’s definition files just the dashboard provisioning configuration. Example:

datasources:
  - name: Graphite
    url: http://localhost:$PORT
    user: $USER
    secureJsonData:
      password: $PASSWORD

If you have a literal $ in your value and want to avoid interpolation, $$ can be used.

Configuration Management Tools

Currently we do not provide any scripts/manifests for configuring Grafana. Rather than spending time learning and creating scripts/manifests for each tool, we think our time is better spent making Grafana easier to provision. Therefore, we heavily rely on the expertise of the community.

Tool	Project
Puppet	https://forge.puppet.com/puppet/grafana
Ansible	https://github.com/cloudalchemy/ansible-grafana
Chef	https://github.com/JonathanTron/chef-grafana
Saltstack	https://github.com/salt-formulas/salt-formula-grafana
Jsonnet	https://github.com/grafana/grafonnet-lib/

Data sources

This feature is available from v5.0

It’s possible to manage data sources in Grafana by adding one or more YAML config files in the provisioning/datasources directory. Each config file can contain a list of datasources that will get added or updated during start up. If the data source already exists, then Grafana updates it to match the configuration file. The config file can also contain a list of data sources that should be deleted. That list is called deleteDatasources. Grafana will delete data sources listed in deleteDatasources before inserting/updating those in the datasource list.

Running Multiple Grafana Instances

If you are running multiple instances of Grafana you might run into problems if they have different versions of the datasource.yaml configuration file. The best way to solve this problem is to add a version number to each datasource in the configuration and increase it when you update the config. Grafana will only update datasources with the same or lower version number than specified in the config. That way, old configs cannot overwrite newer configs if they restart at the same time.

Example data source Config File

# config file version
apiVersion: 1

# list of datasources that should be deleted from the database
deleteDatasources:
  - name: Graphite
    orgId: 1

# list of datasources to insert/update depending
# what's available in the database
datasources:
  # <string, required> name of the datasource. Required
  - name: Graphite
    # <string, required> datasource type. Required
    type: graphite
    # <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
    access: proxy
    # <int> org id. will default to orgId 1 if not specified
    orgId: 1
    # <string> custom UID which can be used to reference this datasource in other parts of the configuration, if not specified will be generated automatically
    uid: my_unique_uid
    # <string> url
    url: http://localhost:8080
    # <string> Deprecated, use secureJsonData.password
    password:
    # <string> database user, if used
    user:
    # <string> database name, if used
    database:
    # <bool> enable/disable basic auth
    basicAuth:
    # <string> basic auth username
    basicAuthUser:
    # <string> Deprecated, use secureJsonData.basicAuthPassword
    basicAuthPassword:
    # <bool> enable/disable with credentials headers
    withCredentials:
    # <bool> mark as default datasource. Max one per org
    isDefault:
    # <map> fields that will be converted to json and stored in jsonData
    jsonData:
      graphiteVersion: '1.1'
      tlsAuth: true
      tlsAuthWithCACert: true
    # <string> json object of data that will be encrypted.
    secureJsonData:
      tlsCACert: '...'
      tlsClientCert: '...'
      tlsClientKey: '...'
      # <string> database password, if used
      password:
      # <string> basic auth password
      basicAuthPassword:
    version: 1
    # <bool> allow users to edit datasources from the UI.
    editable: false

Custom Settings per Datasource

Please refer to each datasource documentation for specific provisioning examples.

Datasource	Misc
Elasticsearch	Elasticsearch uses the `database` property to configure the index for a datasource

JSON Data

Since not all datasources have the same configuration settings we only have the most common ones as fields. The rest should be stored as a json blob in the jsonData field. Here are the most common settings that the core datasources use.

Note: Datasources tagged with HTTP* below denotes any data source which communicates using the HTTP protocol, e.g. all core data source plugins except MySQL, PostgreSQL and MSSQL.

Name	Type	Datasource	Description
tlsAuth	boolean	HTTP*, MySQL	Enable TLS authentication using client cert configured in secure json data
tlsAuthWithCACert	boolean	HTTP*, MySQL, PostgreSQL	Enable TLS authentication using CA cert
tlsSkipVerify	boolean	HTTP*, MySQL, PostgreSQL, MSSQL	Controls whether a client verifies the server’s certificate chain and host name.
serverName	string	HTTP*, MSSQL	Optional. Controls the server name used for certificate common name/subject alternative name verification. Defaults to using the data source URL.
timeout	string	HTTP*	Request timeout in seconds. Overrides dataproxy.timeout option
graphiteVersion	string	Graphite	Graphite version
timeInterval	string	Prometheus, Elasticsearch, InfluxDB, MySQL, PostgreSQL and MSSQL	Lowest interval/step value that should be used for this data source.
httpMode	string	Influxdb	HTTP Method. ‘GET’, ‘POST’, defaults to GET
maxSeries	number	Influxdb	Max number of series/tables that Grafana processes
httpMethod	string	Prometheus	HTTP Method. ‘GET’, ‘POST’, defaults to POST
customQueryParameters	string	Prometheus	Query parameters to add, as a URL-encoded string.
manageAlerts	boolean	Prometheus and Loki	Manage alerts via Alerting UI
esVersion	string	Elasticsearch	Elasticsearch version (E.g. `7.0.0`, `7.6.1`)
timeField	string	Elasticsearch	Which field that should be used as timestamp
interval	string	Elasticsearch	Index date time format. nil(No Pattern), ‘Hourly’, ‘Daily’, ‘Weekly’, ‘Monthly’ or ‘Yearly’
logMessageField	string	Elasticsearch	Which field should be used as the log message
logLevelField	string	Elasticsearch	Which field should be used to indicate the priority of the log message
maxConcurrentShardRequests	number	Elasticsearch	Maximum number of concurrent shard requests that each sub-search request executes per node. Defaults to 5 if esVersion is greater than or equals 7.0.0. When the esVersion is less than 7.0.0 and greater than or equals 5.6.0, then the default value is 256. Option is ignored when esVersion is less than 5.6.0.
sigV4Auth	boolean	Elasticsearch and Prometheus	Enable usage of SigV4
sigV4AuthType	string	Elasticsearch and Prometheus	SigV4 auth provider. default/credentials/keys
sigV4ExternalId	string	Elasticsearch and Prometheus	Optional SigV4 External ID
sigV4AssumeRoleArn	string	Elasticsearch and Prometheus	Optional SigV4 ARN role to assume
sigV4Region	string	Elasticsearch and Prometheus	SigV4 AWS region
sigV4Profile	string	Elasticsearch and Prometheus	Optional SigV4 credentials profile
authType	string	Cloudwatch	Auth provider. default/credentials/keys
externalId	string	Cloudwatch	Optional External ID
assumeRoleArn	string	Cloudwatch	Optional ARN role to assume
defaultRegion	string	Cloudwatch	Optional default AWS region
customMetricsNamespaces	string	Cloudwatch	Namespaces of Custom Metrics
profile	string	Cloudwatch	Optional credentials profile
tsdbVersion	string	OpenTSDB	Version
tsdbResolution	string	OpenTSDB	Resolution
sslmode	string	PostgreSQL	SSLmode. ‘disable’, ‘require’, ‘verify-ca’ or ‘verify-full’
tlsConfigurationMethod	string	PostgreSQL	SSL Certificate configuration, either by ‘file-path’ or ‘file-content’
sslRootCertFile	string	PostgreSQL, MSSQL	SSL server root certificate file, must be readable by the Grafana user
sslCertFile	string	PostgreSQL	SSL client certificate file, must be readable by the Grafana user
sslKeyFile	string	PostgreSQL	SSL client key file, must be readable by only the Grafana user
encrypt	string	MSSQL	Connection SSL encryption handling. ‘disable’, ‘false’ or ’true’
postgresVersion	number	PostgreSQL	Postgres version as a number (903/904/905/906/1000) meaning v9.3, v9.4, …, v10
timescaledb	boolean	PostgreSQL	Enable usage of TimescaleDB extension
maxOpenConns	number	MySQL, PostgreSQL and MSSQL	Maximum number of open connections to the database (Grafana v5.4+)
maxIdleConns	number	MySQL, PostgreSQL and MSSQL	Maximum number of connections in the idle connection pool (Grafana v5.4+)
connMaxLifetime	number	MySQL, PostgreSQL and MSSQL	Maximum amount of time in seconds a connection may be reused (Grafana v5.4+)
keepCookies	array	HTTP*	Cookies that needs to be passed along while communicating with datasources

Secure Json Data

{"authType":"keys","defaultRegion":"us-west-2","timeField":"@timestamp"}

Secure json data is a map of settings that will be encrypted with secret key from the Grafana config. The purpose of this is only to hide content from the users of the application. This should be used for storing TLS Cert and password that Grafana will append to the request on the server side. All of these settings are optional.

Note: Datasources tagged with HTTP* below denotes any data source which communicates using the HTTP protocol, e.g. all core data source plugins except MySQL, PostgreSQL and MSSQL.

Name	Type	Datasource	Description
tlsCACert	string	HTTP*, MySQL, PostgreSQL	CA cert for out going requests
tlsClientCert	string	HTTP*, MySQL, PostgreSQL	TLS Client cert for outgoing requests
tlsClientKey	string	HTTP*, MySQL, PostgreSQL	TLS Client key for outgoing requests
password	string	HTTP*, MySQL, PostgreSQL, MSSQL	password
basicAuthPassword	string	HTTP*	password for basic authentication
accessKey	string	Cloudwatch	Access key for connecting to Cloudwatch
secretKey	string	Cloudwatch	Secret key for connecting to Cloudwatch
sigV4AccessKey	string	Elasticsearch and Prometheus	SigV4 access key. Required when using keys auth provider
sigV4SecretKey	string	Elasticsearch and Prometheus	SigV4 secret key. Required when using keys auth provider

Custom HTTP headers for datasources

Data sources managed by Grafanas provisioning can be configured to add HTTP headers to all requests going to that datasource. The header name is configured in the jsonData field and the header value should be configured in secureJsonData.

apiVersion: 1

datasources:
  - name: Graphite
    jsonData:
      httpHeaderName1: 'HeaderName'
      httpHeaderName2: 'Authorization'
    secureJsonData:
      httpHeaderValue1: 'HeaderValue'
      httpHeaderValue2: 'Bearer XXXXXXXXX'

Plugins

This feature is available from v7.1

You can manage plugins in Grafana by adding one or more YAML config files in the provisioning/plugins directory. Each config file can contain a list of apps that will be updated during start up. Grafana updates each app to match the configuration file.

Example plugin configuration file

apiVersion: 1

apps:
  # <string> the type of app, plugin identifier. Required
  - type: raintank-worldping-app
    # <int> Org ID. Default to 1, unless org_name is specified
    org_id: 1
    # <string> Org name. Overrides org_id unless org_id not specified
    org_name: Main Org.
    # <bool> disable the app. Default to false.
    disabled: false
    # <map> fields that will be converted to json and stored in jsonData. Custom per app.
    jsonData:
      # key/value pairs of string to object
      key: value
    # <map> fields that will be converted to json, encrypted and stored in secureJsonData. Custom per app.
    secureJsonData:
      # key/value pairs of string to string
      key: value

Dashboards

You can manage dashboards in Grafana by adding one or more YAML config files in the provisioning/dashboards directory. Each config file can contain a list of dashboards providers that load dashboards into Grafana from the local filesystem.

The dashboard provider config file looks somewhat like this:

apiVersion: 1

providers:
  # <string> an unique provider name. Required
  - name: 'a unique provider name'
    # <int> Org id. Default to 1
    orgId: 1
    # <string> name of the dashboard folder.
    folder: ''
    # <string> folder UID. will be automatically generated if not specified
    folderUid: ''
    # <string> provider type. Default to 'file'
    type: file
    # <bool> disable dashboard deletion
    disableDeletion: false
    # <int> how often Grafana will scan for changed dashboards
    updateIntervalSeconds: 10
    # <bool> allow updating provisioned dashboards from the UI
    allowUiUpdates: false
    options:
      # <string, required> path to dashboard files on disk. Required when using the 'file' type
      path: /var/lib/grafana/dashboards
      # <bool> use folder names from filesystem to create folders in Grafana
      foldersFromFilesStructure: true

When Grafana starts, it will update/insert all dashboards available in the configured path. Then later on poll that path every updateIntervalSeconds and look for updated json files and update/insert those into the database.

Note: Dashboards are provisioned to the General folder if the folder option is missing or empty.

Making changes to a provisioned dashboard

It’s possible to make changes to a provisioned dashboard in the Grafana UI. However, it is not possible to automatically save the changes back to the provisioning source. If allowUiUpdates is set to true and you make changes to a provisioned dashboard, you can Save the dashboard then changes will be persisted to the Grafana database.

Note: If a provisioned dashboard is saved from the UI and then later updated from the source, the dashboard stored in the database will always be overwritten. The version property in the JSON file will not affect this, even if it is lower than the existing dashboard.

If a provisioned dashboard is saved from the UI and the source is removed, the dashboard stored in the database will be deleted unless the configuration option disableDeletion is set to true.

If allowUiUpdates is configured to false, you are not able to make changes to a provisioned dashboard. When you click Save, Grafana brings up a Cannot save provisioned dashboard dialog. The screenshot below illustrates this behavior.

Grafana offers options to export the JSON definition of a dashboard. Either Copy JSON to Clipboard or Save JSON to file can help you synchronize your dashboard changes back to the provisioning source.

Note: The JSON definition in the input field when using Copy JSON to Clipboard or Save JSON to file will have the id field automatically removed to aid the provisioning workflow.

Reusable Dashboard URLs

If the dashboard in the JSON file contains an UID, Grafana forces insert/update on that UID. This allows you to migrate dashboards between Grafana instances and provisioning Grafana from configuration without breaking the URLs given because the new dashboard URL uses the UID as identifier. When Grafana starts, it updates/inserts all dashboards available in the configured folders. If you modify the file, then the dashboard is also updated. By default, Grafana deletes dashboards in the database if the file is removed. You can disable this behavior using the disableDeletion setting.

Note: Provisioning allows you to overwrite existing dashboards which leads to problems if you re-use settings that are supposed to be unique. Be careful not to re-use the same title multiple times within a folder or uid within the same installation as this will cause weird behaviors.

Provision folders structure from filesystem to Grafana

If you already store your dashboards using folders in a git repo or on a filesystem, and also you want to have the same folder names in the Grafana menu, you can use foldersFromFilesStructure option.

For example, to replicate these dashboards structure from the filesystem to Grafana,

/etc/dashboards
├── /server
│   ├── /common_dashboard.json
│   └── /network_dashboard.json
└── /application
    ├── /requests_dashboard.json
    └── /resources_dashboard.json

you need to specify just this short provision configuration file.

apiVersion: 1

providers:
  - name: dashboards
    type: file
    updateIntervalSeconds: 30
    options:
      path: /etc/dashboards
      foldersFromFilesStructure: true

server and application will become new folders in Grafana menu.

Note: folder and folderUid options should be empty or missing to make foldersFromFilesStructure work.

Note: To provision dashboards to the General folder, store them in the root of your path.

Alert Notification Channels

Alert Notification Channels can be provisioned by adding one or more YAML config files in the provisioning/notifiers directory.

Each config file can contain the following top-level fields:

notifiers, a list of alert notifications that will be added or updated during start up. If the notification channel already exists, Grafana will update it to match the configuration file.
delete_notifiers, a list of alert notifications to be deleted before inserting/updating those in the notifiers list.

Provisioning looks up alert notifications by uid, and will update any existing notification with the provided uid.

By default, exporting a dashboard as JSON will use a sequential identifier to refer to alert notifications. The field uid can be optionally specified to specify a string identifier for the alert name.

{
  ...
      "alert": {
        ...,
        "conditions": [...],
        "frequency": "24h",
        "noDataState": "ok",
        "notifications": [
           {"uid": "notifier1"},
           {"uid": "notifier2"},
        ]
      }
  ...
}

Example Alert Notification Channels Config File

notifiers:
  - name: notification-channel-1
    type: slack
    uid: notifier1
    # either
    org_id: 2
    # or
    org_name: Main Org.
    is_default: true
    send_reminder: true
    frequency: 1h
    disable_resolve_message: false
    # See `Supported Settings` section for settings supported for each
    # alert notification type.
    settings:
      recipient: 'XXX'
      uploadImage: true
      token: 'xoxb' # legacy setting since Grafana v7.2 (stored non-encrypted)
      url: https://slack.com # legacy setting since Grafana v7.2 (stored non-encrypted)
    # Secure settings that will be encrypted in the database (supported since Grafana v7.2). See `Supported Settings` section for secure settings supported for each notifier.
    secure_settings:
      token: 'xoxb'
      url: https://slack.com

delete_notifiers:
  - name: notification-channel-1
    uid: notifier1
    # either
    org_id: 2
    # or
    org_name: Main Org.
  - name: notification-channel-2
    # default org_id: 1

Supported Settings

The following sections detail the supported settings and secure settings for each alert notification type. Secure settings are stored encrypted in the database and you add them to secure_settings in the YAML file instead of settings.

Note: Secure settings is supported since Grafana v7.2.

Alert notification `pushover`

Name	Secure setting
apiToken	yes
userKey	yes
device
priority
okPriority
retry
expire
sound
okSound

Alert notification `discord`

Name	Secure setting
url	yes
avatar_url
content
use_discord_username

Alert notification `slack`

Name	Secure setting
url	yes
recipient
username
icon_emoji
icon_url
uploadImage
mentionUsers
mentionGroups
mentionChannel
token	yes

Alert notification `victorops`

Name
url
autoResolve

Alert notification `kafka`

Name
kafkaRestProxy
kafkaTopic

Alert notification `LINE`

Name	Secure setting
token	yes

Alert notification `pagerduty`

Name	Secure setting
integrationKey	yes
autoResolve

Alert notification `sensu`

Name	Secure setting
url
source
handler
username
password	yes

Alert notification `sensugo`

Name	Secure setting
url
apikey	yes
entity
check
handler
namespace

Alert notification `prometheus-alertmanager`

Name	Secure setting
url
basicAuthUser
basicAuthPassword	yes

Alert notification `teams`

Name
url

Alert notification `dingding`

Name
url

Alert notification `email`

Name
singleEmail
addresses

Alert notification `hipchat`

Name
url
apikey
roomid

Alert notification `opsgenie`

Name	Secure setting
apiKey	yes
apiUrl
autoClose
overridePriority
sendTagsAs

Alert notification `telegram`

Name	Secure setting
bottoken	yes
chatid
uploadImage

Alert notification `threema`

Name	Secure setting
gateway_id
recipient_id
api_secret	yes

Alert notification `webhook`

Name	Secure setting
url
httpMethod
username
password	yes

Alert notification `googlechat`

Name
url

Grafana Enterprise

Grafana Enterprise supports provisioning for the following resources:

Access Control Provisioning

Jaeger instrumentation

Sat, 04 Apr 2026 12:26:57 +0000

Jaeger instrumentation

Grafana supports Jaeger tracing.

Grafana can emit Jaeger traces for its HTTP API endpoints and propagate Jaeger trace information to data sources. All HTTP endpoints are logged evenly (annotations, dashboard, tags, and so on). When a trace ID is propagated, it is reported with operation ‘HTTP /datasources/proxy/:id/*’.

Refer to Configuration for information about enabling Jaeger tracing.

Set up Grafana for high availability

Sat, 04 Apr 2026 12:26:57 +0000

Set up Grafana for high availability

Setting up Grafana for high availability is fairly simple. You just need a shared database for storing dashboard, users, and other persistent data. So the default embedded SQLite database will not work, you will have to switch to MySQL or Postgres.

Configure multiple servers to use the same database

First, you need to set up MySQL or Postgres on another server and configure Grafana to use that database. You can find the configuration for doing that in the [database] section in the Grafana config. Grafana will now persist all long term data in the database. How to configure the database for high availability is out of scope for this guide. We recommend finding an expert on the database you’re using.

Alerting

Grafana 8 alerts

Grafana 8 Alerts provides a new highly-available model under the hood. It preserves the previous semantics by executing all alerts on every server and notifications are sent only once per alert. There is no support for load distribution between servers at this time.

For configuration, follow the guide.

Legacy dashboard alerts

Legacy Grafana alerting supports a limited form of high availability. Alert notifications are deduplicated when running multiple servers. This means all alerts are executed on every server but alert notifications are only sent once per alert. Grafana does not support load distribution between servers.

Grafana Live

Grafana Live works with limitations in highly available setup. For details, refer to the Grafana Live documentation.

User sessions

Grafana uses auth token strategy with database by default. This means that a load balancer can send a user to any Grafana server without having to log in on each server.