Configuration Variables
Below is an alphabetical list of all of the Configuration Parameters (environment variables) used to configure LogScale on your Infrastructure. These are parameters that are exclusively related to LogScale software, as well as options that are related to other systems that integrate with LogScale (e.g., Amazon AWS, Google Cloud). Click on the name of a variable below for more details on it, along with related and similar options.
Use a simple text editor to open the LogScale configuration file,
server.conf in the
/etc/humio directory, and to change
any of these variables on an installation of LogScale software. Once
you've finished making changes, be sure to restart LogScale,
depending on how you deployed it, for the server — or for each node
affected in a cluster, if not all nodes. It is a good idea to make these
changes during a regular maintenance window to avoid unnecessary downtime.
Table: Configuration Parameters Table
| Variable | Default Value | Availability | Description |
|---|---|---|---|
ALERT_DESPITE_WARNINGS | false | Alerts are activated even with warnings from the alert query | |
ALERT_DISCLAIMER | Disclaimer to notify that alerts are sent from a given view or repository | ||
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED | 100 | Maximum number of field values stored for each standard alert | |
ALLOW_CHANGE_REPO_ON_EVENTS | false | HEC allows ingest to any specified repository | |
ALLOW_XML_DOCTYPE_DECL | false | ALLOW_XML_DOCTYPE_DECL Environment Variable | |
ALLOWED_REDIRECT_TARGET_DOMAINS | Specifies which domains are permitted as redirect targets after authentication or other redirect operations. This security setting prevents open redirect vulnerabilities by restricting where users can be redirected after login or other operations. | ||
API_EXPLORER_ENABLED | true | Enables or disables the API GraphQL Explorer functionality (see Accessing GraphQL using API Explorer). | |
AUDITLOG_SENSITIVE_RETENTION_DAYS | 200 * 365 days | Specifies when sensitive logs are deleted by retention in humio-audit repository | |
AUTH_ALLOW_SIGNUP | true | AUTH_ALLOW_SIGNUP Environment Variable | |
AUTH_BY_PROXY_HEADER_NAME | none | Specifies usernames in header for the proxy | |
AUTHENTICATION_METHOD | single-user | Enables a standard LDAP bind method | |
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN | false | Automatically creates users in LogScale if they logged in with external authentication methods | |
AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN | false | Allows to transfer group membership rules at login | |
AUTO_UPDATE_IP_LOCATION_DB | true | deprecated in 1.19 |
Deprecated and replaced by AUTO_UPDATE_MAXMIND
|
AUTO_UPDATE_MAXMIND | true | Enables automatic update of MaxMind GeoLite2 database | |
AUTOSHARDING_MAX | 131,072 shards | Controls the maximum number of data sources (shards) that LogScale's auto-sharding mechanism can create to distribute data across the cluster. This setting directly impacts query performance, memory usage, and data distribution efficiency. | |
AWS_ACCESS_KEY_ID | Sets the access key for AWS. For more information about AWS configuration for bucket storage and archiving, see Amazon Bucket Storage and S3 Archiving. | ||
AWS_KMS_KEY_ARN |
Amazon Resource Name (ARN) of the Key Management Service (KMS) key
for Amazon Web Services (AWS). This parameter enables secure
encryption/decryption operations and can be used as an alternative
authentication method to AWS_ACCESS_KEY_ID when
integrated with IAM roles.
| ||
AWS_SECRET_ACCESS_KEY | Sets the secret access key for AWS. For more information about AWS configuration for bucket storage and archiving, see Amazon Bucket Storage and S3 Archiving. | ||
INGEST_FEED_AZURE_TENANT_ID | Sets the tenant ID to use to access Azure. | ||
BACKUP_DIR | humio-backup | deprecated in 1.57 | Specifies the directory where to write a backup of the data files |
BACKUP_KEY | developer | Specifies the secret key used for encryption for data files backup | |
BACKUP_NAME | none | deprecated in 1.57 | Names the backup of the data files |
BITBUCKET_OAUTH_CLIENT_ID | none | The Key from your BitBucket OAuth Consumer | |
BITBUCKET_OAUTH_CLIENT_SECRET | none | The Secret from your BitBucket OAuth Consumer | |
BLOCK_CLOUD_SIGNUPS | true | Boolean flag that controls whether new user signups for cloud instances are blocked. When set to true, new user registration will be disabled, preventing the creation of new accounts. Useful for maintenance periods or when you want to control access to the system. | |
BLOCK_SIGNUP | true | Boolean flag that controls whether new user signups are blocked. When set to true, new user registration will be disabled, preventing the creation of new accounts. Useful for maintenance periods or when you want to control access to the system. | |
BLOCK_SIZE_MAX_KB | 1,024 KB | Maximum size in KB to target for blocks in a single segment | |
BLOCK_SIZE_MIN_KB | 384 KB | Minimum size in KB to target for blocks in a single segment | |
BLOCKS_PER_MINISEGMENT | 300 | Desired number of blocks in a mini-segment | |
BLOCKS_PER_SEGMENT | 30,000 | Desired number of blocks in a final segment | |
BOOTSTRAP_HOST_ID | 0 | Sets an ID for the server at first start up | |
BOOTSTRAP_HOST_UUID_COOKIE | none | Sets a unique identifier of the local filesystem contents | |
BOOTSTRAP_ROOT_TOKEN_HASHED | (not set) | Specifies the hashed root token for a LogScale instance | |
BUCKET_STORAGE_IGNORE_ETAG_UPLOAD | false | For bucket storage to work with MinIO, disables checksum matching while uploading the file | |
BUCKET_STORAGE_INFREQUENT_ACCESS_CLASS | INTELLIGENT_TIERING | Specify which storage class to use for infrequently accessed data in S3 buckets. | |
BUCKET_STORAGE_MESSAGE_DIGEST | MD5 | Specifies which cryptographic hash algorithm (the message digest algorithm) is used for data integrity verification in bucket storage. | |
BUCKET_STORAGE_MULTIPLE_ENDPOINTS | false | Proxy configuration applied to all bucket storage backends or not | |
BUCKET_STORAGE_SSE_COMPATIBLE | Makes bucket storage not verify checksums of raw objects after uploading to an S3 | ||
CLUSTER_PING_TIMEOUT_SECONDS | 90 | Sets amount of time to wait for response from nodes when checking node responsiveness. | |
COMPRESSION_TYPE | high | Sets default compression levels for segments and minisegments | |
COOKIE_DOMAIN | Sets the domain when configuring session cookies | ||
COOKIE_PATH | Indicates a URL path that must exist in the requested URL in order to send the cookie header | ||
COOKIE_SAMESITE | Sets whether the cookie should be restricted to first-party or same-site context | ||
COOKIE_SECURE | Indicates that the cookie is sent to the server only when the request is made with the https: scheme | ||
CORES | Available Processors | Specifies the number of CPU cores for the machine running LogScale | |
CORRELATE_CONSTELLATION_TICK_LIMIT | 5 | Maximum number of processing ticks allowed in correlation constellation operations. This setting helps prevent excessive resource consumption in complex correlation operations. Higher values allow more complex correlations but consume more computational resources. | |
CORRELATE_CONSTRAINT_LIMIT | 5 | Maximum number of constraints allowed in correlation operations. This setting limits the complexity of correlation queries to prevent excessive resource consumption. Higher values allow more complex constraints but may increase memory usage and processing time. | |
CORRELATE_LINK_VALUES_LIMIT | 100 | Maximum number of link values allowed in correlation operations. This setting limits the total number of values that can be linked across events during correlation. Higher values allow for more comprehensive correlation results but require more memory. | |
CORRELATE_LINK_VALUES_MAX_BYTE_SIZE | 1,024 | Maximum total byte size allowed for link values in correlation operations. This setting limits the memory footprint of linked values during correlation processing. Specified in bytes, this limit prevents excessive memory consumption when correlating events with large field values. | |
CORRELATE_MIN_ITERATIONS | 2 | Minimum number of iterations that the correlation algorithm will perform. This setting ensures correlation operations run for at least the specified number of iterations, allowing time for patterns to emerge even if early convergence criteria are met. | |
CORRELATE_NUMBER_OF_TIME_BUCKETS | 100,000 | Number of time buckets to use when performing correlation analysis. This setting controls how the time range is divided into discrete intervals for temporal correlation. Higher values provide finer time granularity but require more computational resources. | |
CORRELATE_QUERY_EVENT_LIMIT | 100,000 | Maximum number of events allowed in correlation query operations. | |
CORRELATE_QUERY_LIMIT | 5 | Maximum number of queries allowed in correlation operations. | |
CORS_ALLOWED_ORIGINS | true | Websites or IP addresses that allow Cross-Origin Resource Sharing | |
CREATE_HUMIO_SEARCH_ALL | false | Allows creation of humio-search-all view | |
CS_ANALYTICS_URL | The default CrowdStrike analytics URL to use. | ||
DAYS_BEFORE_TOMBSTONE_DELETION | 14 |
Sets the restorability of deleted repositories or views, but not
the data within them. For information about the configuration that
sets the time in which you can restore data from the dataspace,
see DELETE_BACKUP_AFTER_MILLIS.
| |
DEBUG_AUDIT_REQUEST_TRACE | true | Controls whether to enable debug tracing for audit requests. | |
DEFAULT_ALLOW_REBALANCE_EXISTING_SEGMENTS | true | Sets whether or not the existing segment decider will run | |
DEFAULT_ALLOW_UPDATE_DESIRED_DIGESTERS | true | Enables automatic management of the digest partition table | |
DEFAULT_DIGEST_REPLICATION_FACTOR | 3 | Allows configuration of the replication factor used for the digest partitions table | |
DEFAULT_GROUPS | List of default groups that users belong to | ||
DEFAULT_MIN_HOST_ALIVE_PERCENTAGE_TO_ENABLE_CLUSTER_REBALANCING | 25 | Sets the minimum percentage of cluster hosts that must be alive and operational before cluster rebalancing operations are permitted. This safety threshold prevents rebalancing activities during cluster outages or instability. | |
DEFAULT_PARSER_NAME | Name of default global parser. | ||
DEFAULT_PDF_RENDER_SERVICE_URL | URL of the default PDF render service for LogScale. | ||
DEFAULT_SEGMENT_REPLICATION_FACTOR | 1 | Sets the number of replicas each segment file will have. | |
DEFAULT_USER_INPUT_REGEX_ENGINE | Specifies which regular expression (regex) engine to use by default for user-provided regex patterns. | ||
DELETE_BACKUP_AFTER_MILLIS | 604,800,000 ms | Configures when data files backup must be deleted | |
DELETE_DUPLICATED_NAME_VIEWS_AFTER_MERGING | false | Controls whether to delete views with duplicate names after merging. | |
DELETE_ON_INGEST_QUEUE | true | Deletes events from the ingest queue | |
DIGEST_EXECUTOR_CORES | CORES Divided by 2 | Internal configuration to half the number of CPU cores set in CORES variable | |
DIRECTORY | humio-data | Data directory for LogScale | |
DISABLE_ANALYTICS_JOB | true | Controls whether analytics jobs are disabled. | |
DISABLE_PERMISSION_CACHE | false | Controls whether the system's permission caching mechanism is enabled or disabled. | |
DISABLE_USER_TRACKING | true | Controls whether user tracking is disabled. | |
DISABLE_VIEW_WITH_SAME_NAME_CLEANUP | true | Disable views with the same name during clean-up. | |
DUMP_THREADS_SECONDS | Specifies the interval thread dumps are written with | ||
ELASTIC_PORT | Sets the port for ElasticSearch bulk endpoint | ||
EMAIL_ACTION_DISCLAIMER | Disclaimer in every email to clarify alerts or scheduled searches are sent as LogScale actions | ||
EMERGENCY_USERS | false | Enables emergency users in case of issues with identity provider | |
ENABLE_ALERTS | true | Enables/disables all alerts | |
ENABLE_BEARER_TOKEN_AUTHORIZATION | false | Using less secure bearer token instead of secure cookies | |
ENABLE_EVENT_FORWARDING | false | Enables/disables event forwarding | |
ENABLE_FDR_POLLING_ON_NODE | true | Enables polling and ingest of FDR data on the LogScale node | |
ENABLE_GLOBAL_JSON_STATS_LOGGER | false | Controls whether the global JSON statistics logger is enabled. | |
ENABLE_IOC_SERVICE | true | Enables the IOC database service. | |
ENABLE_ORGANIZATIONS | false | Whether organizations are enabled for a cluster. | |
ENABLE_PERSONAL_API_TOKENS | true | Enables/disables use of personal API tokens | |
ENABLE_QUERY_LOAD_BALANCING | true | Allows queries to execute locally on the node that receives the requests | |
ENABLE_SANDBOXES | true | Enables/disables sandbox repositories | |
ENABLE_SCHEDULED_SEARCHES | false | Sets whether scheduled searches should be executed | |
ENABLEINTERNALLOGGER | true | ENABLEINTERNALLOGGER Environment Variable | |
ENFORCE_AUDITABLE | false | Sets permissions and enforce Auditable mode for root access | |
EXTERNAL_CALL_SERVICE_URL | Specifies the URL endpoint for the external call service. This is the URL of the server configured to accept requests. | ||
EXTERNAL_FUNCTION_REQUEST_RESPONSE_EVENT_COUNT_LIMIT | 10,000 | Maximum number of events allowed in an external function response. | |
EXTERNAL_FUNCITON_REQUEST_RESPONSE_SIZE_LIMIT_BYTES | 10,485,760 | Maximum size in bytes allowed for an external function response. | |
EXTERNAL_URL | http://localhost:PORT | URL that other hosts can use to reach this server | |
FALCON_DATA_CONNECTOR_URL | URL for Falcon Data Connector. | ||
FDR_MAX_NODES_PER_FEED | 5 | Maximum number of nodes allowed per feed for FDR. | |
FDR_S3_FILE_SIZE_MAX | 250,000,000 | Maximum file size in bytes for S3 files in FDR. | |
FDR_USE_PROXY | Makes the FDR job use the proxy settings specified with HTTP_PROXY_* environment variables | ||
FDR_VISIBILITY_TIMEOUT | 15 m | Visibility timeout of SQS messages read by FDR integration | |
FILE_REPLICATION_FACTOR | 5 | Replication factor for files in the cluster. | |
FILTER_ALERT_EMAIL_TRIGGER_LIMIT | 15 | Sets a maximum limit on the number of email actions that can be triggered by a single filter alert within a specific time window. Filter alerts are limited to a maximum of 15 triggers per minute for email actions. | |
FILTER_ALERT_NON_EMAIL_TRIGGER_LIMIT | 100 triggers/minute | Sets the maximum number of triggers per minute for any action other than email actions (such as webhooks, Slack messages, PagerDuty alerts, etc.) in filter alerts. Filter alerts are limited to a maximum of 100 triggers per minute for non-email actions. | |
FLUSH_BLOCK_SECONDS | 900 seconds | How long a mini-segment can stay open | |
FORWARDING_BREAKER_EXP_BACKOFF_FACTOR | 2.0 | Increase reset time after each new failure | |
FORWARDING_BREAKER_FAILURES | 50 | Failures before stopping all events in event forwarding | |
FORWARDING_BREAKER_MAX_RESET | 60 seconds | Max reset time in event forwarding | |
FORWARDING_BREAKER_RESET | 1 second | Awaiting time before a new event in event forwarding | |
FORWARDING_BREAKER_TIMEOUT | 10 | Timeout before a call is considered a failure | |
FORWARDING_MAX_CONCURRENCY | 50,000 | Max number of events waiting to be forwarded | |
GC_KILL_THRESHOLD_MILLIS | Threshold for timeSpentOnGC that makes LogScale exit when exceeded | ||
GCP_ARCHIVING_ACCOUNT_JSON_FILE | Path to the JSON configuration file for Google cloud storage archiving | ||
GCP_ARCHIVING_BUCKET | Sets the name of the bucket to use for archiving | ||
GCP_ARCHIVING_ENCRYPTION_KEY | Sets the encryption key for Google cloud storage for archiving | ||
GCP_ARCHIVING_ENDPOINT_BASE | Sets the URL for pointing to your own non-Google Cloud storage endpoint for archiving | ||
GCP_ARCHIVING_OBJECT_KEY_PREFIX | Allows nodes to share a bucket | ||
GCP_EXPORT_BUCKET | | Specifies the bucket where exports are sent for Google Cloud Storage. | |
GCP_EXPORT_WORKLOAD_IDENTITY | Uses Workload Identity for exporting to bucket of query results | ||
GCP_STORAGE_ACCOUNT_JSON_FILE | Path to the JSON configuration file for Google cloud storage | ||
GCP_STORAGE_BUCKET | Sets the name of the bucket to use | ||
GCP_STORAGE_ENCRYPTION_KEY | Sets the encryption key of the bucket to use | ||
GCP_STORAGE_ENDPOINT_BASE | Sets the URL for pointing to your own non-Google Cloud storage endpoint for storage | ||
GCP_STORAGE_OBJECT_KEY_PREFIX | Allows nodes to share a bucket | ||
GCP_STORAGE_PREFERRED_COPY_SOURCE | false | Sets how to download segments from bucket storage when prefetching | |
GCP_STORAGE_USE_HTTP_PROXY | true | Enables/disables HTTP proxy for communicating with Google Cloud Bucket Storage | |
GCP_STORAGE_WORKLOAD_IDENTITY | Uses Workload Identity for bucket storage | ||
GITHUB_OAUTH_CLIENT_ID | GITHUB_OAUTH_CLIENT_ID Environment Variable | ||
GITHUB_OAUTH_CLIENT_SECRET | GITHUB_OAUTH_CLIENT_SECRET Environment Variable | ||
GITHUB_USER | GitHub username | ||
GLOB_ALLOW_LIST_EMAIL_ACTIONS | Allow all | Blocks recipients of email actions that are not in the provided allow list. | |
GLOB_MATCH_LIMIT | 20,000 | Sets the maximum number of rows for csv_file in match() function | |
GLOBAL_THROTTLE_PERCENTAGE | 20 | Percentage of time allowed for a global publishing thread before other transactions of that type are throttled | |
GOOGLE_OAUTH_CLIENT_ID | The client_id from your Google OAuth App | ||
GOOGLE_OAUTH_CLIENT_SECRET | The client_secret from your GitHub OAuth App | ||
GRACE_PERIOD_BEFORE_DELETING_DEAD_EPHEMERAL_HOSTS_MS | 100 | Grace period in milliseconds before dead ephemeral hosts are deleted. | |
GRACEFUL_SHUTDOWN_CONSIDERED_ALIVE_SECONDS | 300 | Number of seconds a server is considered alive during graceful shutdown. | |
GRAPHQL_ALIAS_COUNT_LIMIT | 100 | Maximum number of aliases allowed in a GraphQL query. | |
GRAPHQL_DIRECTIVE_COUNT_LIMIT | 100 | Maximum number of directives allowed in a GraphQL query. | |
GRAPHQL_QUERY_ANALYSIS_DISABLED | true | Controls whether GraphQL query analysis is disabled. | |
HEALTH_CHECK__CLUSTER_TIME_SKEW__WARN_THRESHOLD_MS | 15,000 ms | Sets the threshold for the difference in time between cluster nodes to indicate when the cluster-time-skew health check should trigger a WARN. | |
HEALTH_CHECK__EVENT_LATENCY_P99__WARN_THRESHOLD_SEC | 30 sec | Sets the threshold for latency for events. This latency is measured from the time an event in received by LogScale and until the digest phase is done processing that event (running live searches and persisting to disk). This value indicates when the event-latency-p99 health check should trigger a WARN. | |
HEALTH_CHECK__GLOBAL_TOPIC_LATENCY_P50__WARN_THRESHOLD_MSEC | 50 ms | Sets the threshold for latency in the global-events topic that is the shared communications channel in a cluster. This threshold indicates when the global-topic-latency-median health check should trigger a WARN. | |
HEALTH_CHECK__PRIMARY_DISK_USAGE__WARN_THRESHOLD_SEC | 90 sec | Used when configuring the primary-disk-usage health check to set the percentage threshold for when to trigger a WARN. | |
HEALTH_CHECK__SECONDARY_DISK_USAGE__WARN_THRESHOLD_SEC | 90 sec | Used when configuring the secondary-disk-usage health check to set the percentage threshold for when to trigger a WARN. | |
HTTP_PROXY_HOST | Configures the HTTP proxy host used by connections from LogScale | ||
HTTP_PROXY_ALLOW_ACTIONS_NOT_USE | false | Allows actions not to use HTTP proxy | |
HTTP_PROXY_ALLOW_NOTIFIERS_NOT_USE | false | deprecated in 1.19 | Configures alert notifiers not to use HTTP proxy |
HTTP_PROXY_PASSWORD | Sets the password for HTTP proxy configuration | ||
HTTP_PROXY_PORT | 3,129 | Sets the port for HTTP proxy configuration | |
HTTP_PROXY_USERNAME | Sets the username for HTTP proxy configuration | ||
HUMIO_AUDITLOG_DIR | /data/logs |
Sets the directory in which to store audit logs. When using
containers this is set to be
On bare-metal it is set to | |
HUMIO_DEBUGLOG_DIR | /data/logs |
Sets the directory in which to store debug logs. When using
containers this is set to be
On bare-metal it is set to | |
HUMIO_HTTP_BIND | HUMIO_SOCKET_BIND | IP to bind the http listening socket to | |
HUMIO_KAFKA_TOPIC_PREFIX | Adds a prefix to the topic names in Kafka | ||
HUMIO_LOG4J_CONFIGURATION | Sets the path for the log4j2-custom-config file | ||
HUMIO_PORT | Sets the TCP port to listen for HTTP traffic | ||
HUMIO_SOCKET_BIND | 0.0.0.0 | Sets the IP address to bind the UDP/TCP/HTTP listening sockets | |
HUMIO_THREADNAME_PREFIX |
LogScale prefix for threadnames. Must either be empty or
contain only word characters (such as, a-z,A-Z, and 0-9, plus
non-leading '-' or '_'). If empty, LogScale defaults to
humio.
| ||
IDLE_POLL_TIME_BEFORE_DASHBOARD_QUERY_IS_CANCELLED_MINUTES | 4,320 minutes | Time in minutes dashboard queries keep running when not polled | |
INGEST_FEED_AZURE_CLIENT_SECRET | Sets the secret access key for azure | ||
INGEST_FEED_AZURE_CREDENTIAL_RETRIEVAL_TIMEOUT | 10 | Controls the maximum time allowed for retrieving Azure credentials during the authentication process for Azure-based data ingestion. | |
INGEST_FEED_AZURE_USE_PROXY | true |
Controls whether the system routes Azure service connections
through a proxy server during data ingestion. When set to
true, instructs LogScale to use
configured proxy settings for Azure connections.
| |
INGEST_FEED_JOB_SETTINGS_POLL_INTERVAL | 10 | Controls how frequently the system checks for changes to ingestion feed job settings. | |
INGEST_REQUEST_MAX_QUEUE_SECS | 25 | Controls the maximum time that ingestion requests can spend waiting in the queue before processing. | |
INITIAL_FEATURE_FLAGS | empty | Configures feature flags within LogScale | |
IOC_CROWDSTRIKE_API_CLIENT_ID | Sets the client ID for CrowdStrike Intel API | ||
IOC_CROWDSTRIKE_API_CLIENT_SECRET | Sets the client secret for CrowdStrike Intel API | ||
IOC_CROWDSTRIKE_API_URL | CrowdStrike API server URL for IOCs database download | ||
IOC_UPDATE_SERVER_URL | https://ioc.humio.com | API server URL for IOCs database download | |
IOC_USE_HTTP_PROXY | true | Allows to choose HTTP_PROXY for IOCs database update | |
IP_FILTER_ACTIONS | IP-based access control list (ACL) for outgoing connections made by actions. Replaces IP_FILTER_NOTIFIERS | ||
IP_FILTER_NOTIFIERS | IP-based access control list (ACL) for outgoing connections made by notifiers. Replaced by IP_FILTER_NOTIFIERS | ||
IP_FILTER_RDNS | |
IP filter for filtering which IP addresses may be queried with the
rdns() function or
reverseDns() function.
| |
IP_FILTER_RDNS_SERVER | |
IP filter for filtering which DNS servers may be specified in the
rdns() function or
reverseDns() function.
| |
IP_FILTER_ROOT_USERS | allow all | Controls IP address filtering for root (administrative) user access to the system. This setting helps LogScale maintain a strong security posture by limiting administrative access to trusted network locations based on the IP addresses, significantly reducing the risk of unauthorized privileged access even if credentials are compromised. | |
IPFIX_PEN_FILE | Name and location of CSV file where private enterprise elements of IPFIX configuration are specified. | ||
JOIN_DEFAULT_LIMIT | 100,000 | Default limit for join operations in queries. | |
JVM_LOG_DIR | /data/logs |
Sets the directory in which to store Java logs. When using
containers this is set to be
On bare-metal it is set to | |
JVM_TMP_DIR | /data/humio-data/jvm-tmp |
Sets the directory in which to store temporary Java data. When
using containers this is set to be
| |
JWKS_REFRESH_INTERVAL | 3,600,000 | JWKS_REFRESH_INTERVAL Environment Variable | |
KAFKA_CLIENT_RACK | added in 1.86 |
Specifies the client.rack value
directly.
| |
KAFKA_CLIENT_RACK_ENV_VAR | ZONE | added in 1.86 |
Finds the name of the variable that holds the value of
client.rack.
|
KAFKA_EGRESS_CONSUMER_GROUP_PREFIX | Defines a prefix that will be applied to Kafka consumer group IDs used for egress (outbound) operations. A consumer group prefix is used to identify which groups should be considered when deleting data from the ingest queue topic. | ||
KAFKA_EGRESS_EVENT_FORWARDER_TOPICS_TO_DISABLE | Controls which Kafka topics should be excluded from the event forwarding mechanism. | ||
KAFKA_MANAGED_BY_HUMIO | true | Set/unset LogScale to create topics and manage replicas in Kafka | |
KAFKA_SERVERS | Kafka bootstrap servers list | ||
LDAP_AUTH_PRINCIPAL | Allows to transform LogScale login usernames so to enable LDAP authentication | ||
LDAP_AUTH_PRINCIPALS_REGEX | Separates multiple patterns with users in more locations within LDAP | ||
LDAP_AUTH_PROVIDER_CERT | The certification for key exchange to connect for LDAP authentication | ||
LDAP_AUTH_PROVIDER_URL | The URL to connect to for LDAP authentication | ||
LDAP_DOMAIN_NAME | Allows users to login with their username and not domain name | ||
LDAP_GROUP_BASE_DN | The query to perform to get the user's groups for LDAP | ||
LDAP_GROUP_FILTER | LDAP_GROUP_FILTER Environment Variable | ||
LDAP_GROUP_SEARCH_BIND_FOR_LOOKUP | false | LDAP_GROUP_SEARCH_BIND_FOR_LOOKUP Environment Variable | |
LDAP_GROUPNAME_ATTRIBUTE | Allows using an alternate attribute on the group record in LDAP as the group name in LogScale RBAC configuration | ||
LDAP_SEARCH_BASE_DN | Sets the base DN search prefix for LDAP-Search authentication method | ||
LDAP_SEARCH_BIND_NAME | Sets the bind principal for LDAP-Search authentication method | ||
LDAP_SEARCH_BIND_PASSWORD | Sets the bind password for LDAP-Search authentication method | ||
LDAP_SEARCH_DOMAIN_NAME | LDAP_SEARCH_DOMAIN_NAME Environment Variable | ||
LDAP_SEARCH_FILTER | LDAP_SEARCH_FILTER Environment Variable | ||
LDAP_USERNAME_ATTRIBUTE | Allows choosing some attribute in the LDAP user record as the username in LogScale | ||
LDAP_VERBOSE_LOGGING | false | If true, emit log messages when users sign in using LDAP authentication. | |
LIVEQUERY_CANCEL_COST_PERCENTAGE | 10 | Backlog allowed before canceling the queries with the highest cost | |
LIVEQUERY_CANCEL_TRIGGER_DELAY_MS | 20,000 ms | Sets cancelling of the most consuming live queries | |
LOCAL_STORAGE_MIN_AGE_DAYS | Minimum number of days to keep a fresh segment file before it is deleted locally | ||
LOCAL_STORAGE_PERCENTAGE | 85 % | Sets a limit to the percentage of disk full | |
LOG_COLLECTOR_FLEET_MANAGEMENT_URL | Specifies the URL endpoint for the Log Collector Fleet Management service. | ||
LOG_COLLECTOR_UPDATE_SERVER | https://lc-update.humio.com | Specifies the URL endpoint for the Log Collector Update Server, which provides software updates for deployed log collectors. | |
LOGSCALE_SAML_IDP_REQUIRE_MATCHING_EMAIL_DOMAIN | false | Whether the email domain is required to match | |
MAX_ACCUMULATED_POLL_SECONDS | 3 | Controls the maximum amount of time that can accumulate for polling operations before triggering resource management actions. | |
MAX_BUCKET_POINTS | 10,000 | MAX_BUCKET_POINTS Environment Variable | |
MAX_CHARS_TO_FIND_TIMESTAMP |
Sets the number of characters searched by the
findTimestamp() function
| ||
MAX_CONCURRENT_EXPORTS_PER_VIEW | 10 | MAX_CONCURRENT_EXPORTS_PER_VIEW Environment Variable | |
MAX_CONCURRENT_QUERIES_ON_WORKER | 1,000 | Maximum number of historic queries that can be executed on a single worker node. This limit does not apply to live parts of queries. | |
MAX_DISTINCT_TAG_VALUES | 1,000 | Allows auto-grouping of tags | |
MAX_EVENT_FIELD_COUNT | 8,000 fields | Sets the enforced maximum number of fields in an event in the ingest phase | |
MAX_EVENT_SIZE | 1 MiB | Specifies the maximum allowed event size | |
MAX_FILEUPLOAD_SIZE | 104,857,600 bytes | Specifies the maximum size of uploaded files. | |
MAX_GRAPHQL_QUERY_DEPTH | 13 | MAX_GRAPHQL_QUERY_DEPTH Environment Variable | |
MAX_HOURS_SEGMENT_OPEN | 24 hours | The maximum number of hours a merge target will remain open for writing before being closed. | |
MAX_INGEST_DELAY_SECONDS | 3,600 seconds | Events backlog allowed before LogScale starts responding on http interfaces | |
MAX_INGEST_EVENTS_PER_TIMEOUT | 1,024 | Controls the maximum number of events that can be processed in a single ingestion batch before a timeout check is performed. | |
MAX_INGEST_REQUEST_SIZE | 33,554,432 bytes | Size limit of ingest requests after content-encoding has been applied. | |
MAX_JITREX_BACKTRACK | 1,000 | Limits CPU resources spent in a regex match | |
MAX_JOIN_LIMIT | 200,000 rows |
Sets the limit parameter of the join()
function.
| |
MAX_NUMBER_OF_GLOBALDATA_DUMPS_TO_KEEP | 20 data dumps | Maximum number of global data dumps | |
MAX_OFFSETS_AFTER_KAFKA_RESET | | Controls the maximum number of Kafka offsets that will be tracked after a consumer group reset operation. | |
MAX_POLL_CONCURRENCY_AT_SOURCE | 2,500 | Controls the maximum number of concurrent polling operations that can be performed against a single data source. | |
MAX_POLL_CONCURRENCY_AT_TARGET | 2,500 | Controls the maximum number of concurrent polling operations that can be directed at a single target repository or destination. | |
MAX_POLLS_PER_SECOND | 2,000 | Controls the maximum rate at which polling operations can be initiated across the entire system. | |
MAX_QUERY_PENALTY_CREDIT_FOR_BLOCKED_QUERIES_FACTOR | 5.0 | Maximum factor for penalty credit given for blocked queries. | |
MAX_QUERY_POLLS_FOR_WORKER | 100 | Maximum number of worker polls (across all workers) scheduled per second. | |
MAX_REGEX_REPETITIONS | 100 | Controls the maximum number of repetitions allowed in regular expression patterns used in queries and parsers. | |
MAX_SECS_WAIT_FOR_SYNC_WHEN_CHANGING_DIGEST_LEADER | 5 minutes | Specifies when digest coordination will permit a node that is not in sync | |
MAX_SERIES_LIMIT | 500 series | Determines the max amount of series in a bucket and/or timechart. | |
MAX_SERIES_MEMLIMIT | Determines the maximum memory for a series in a bucket and/or timechart. | ||
MAX_WORLD_MAP_BUCKETS | 65,536 | Controls the maximum number of data buckets (points or regions) that can be displayed on world map visualizations. | |
MAXMIND_ACCOUNT_ID | true | Sets automatic update of MaxMind IP location database | |
MAXMIND_BASE_URL | Enables to change the base path to download MaxMind from | ||
MAXMIND_EDITION_ID | deprecated in 1.19 | Deprecated, replaced by MAXMIND_IP_LOCATION_EDITION_ID | |
MAXMIND_IP_LOCATION_EDITION_ID | Allows to use an alternative MaxMind database for IP location information (optional) | ||
MAXMIND_LICENSE_KEY | Where to specify the license key for your account if you have a MaxMind license | ||
MIN_QUERY_PERMITS_FACTOR | 1.0 | Minimum factor for query permits allocation. | |
MINI_SEGMENT_MAX_MERGE_DELAY_MS_BEFORE_WARNING | 48 ms | Logs a warning if mini segment is not merged | |
MINIMUM_HUMIO_VERSION | 1.0.0 | Minimum version of Humio (LogScale) required for the cluster. | |
MULTI_PASS_DEFAULT_ITERATION_LIMIT | 10 | Default limit for the number of iterations in multi-pass operations. | |
MULTI_PASS_MAX_ITERATION_LIMIT | 50 | Maximum limit for the number of iterations in multi-pass operations. | |
NODE_ROLES | all | Select the logical roles for a node within the LogScale cluster | |
OIDC_AUDIENCE | Audience to expect in a JWT | ||
OIDC_AUTHORIZATION_ENDPOINT | URL to endpoint user is redirected to when authorizing | ||
OIDC_CACHE_USERINFO_MS | 600,000 ms | How long user info is cached on a LogScale node | |
OIDC_ENABLE_DIRECT_TOKEN_AUTH | false | Whether direct token authorization is enabled. | |
OIDC_GROUPS_CLAIM | humio-groups | Claim name to interpret as the groups in LogScale | |
OIDC_JWKS_URI | URL to JWKS endpoint for keys to validate tokens | ||
OIDC_MULTI_ORG_CLAIM | Claim name when running with multiple organizations in LogScale | ||
OIDC_OAUTH_CLIENT_ID | Client ID of OpenID application | ||
OIDC_OAUTH_CLIENT_SECRET | Client secret of OpenID application | ||
OIDC_ORGANIZATION_CLAIM | Specifies which claim in the OIDC token should be used to determine the user's organization within LogScale. | ||
OIDC_PROVIDER | URL to the OpenID Connect provider | ||
OIDC_REGISTRATION_ENDPOINT | Specifies the endpoint URL where LogScale can dynamically register itself as a client with the OIDC provider. Not supported by all OIDC providers. | ||
OIDC_REQUIRE_ISSUER_MATCH | true | Whether issuer match is required. | |
OIDC_SCOPES | OIDC_SCOPES Environment Variable | ||
OIDC_SERVICE_NAME | OpenID Connect | OIDC provider name displayed at sign in | |
OIDC_SUBDOMAIN_FROM_REQUEST_URL | false | Whether subdomain from request URL is permitted. | |
OIDC_TOKEN_ENDPOINT | URL to token endpoint used to exchange authentication code to an access token | ||
OIDC_TOKEN_ENDPOINT_AUTH_METHOD | Authorization method for a token endpoint | ||
OIDC_USE_HTTP_PROXY | true | Whether to use the HTTP proxy for calling OIDC | |
OIDC_USERINFO_ENDPOINT | URL to user info endpoint to retrieve user information from an access token | ||
OIDC_USERNAME_CLAIM | humio-user | Name of the claim to interpret as username in LogScale | |
ONLY_CREATE_USER_IF_SYNCED_GROUPS_HAVE_ACCESS | false | Configures whether users are created if synced groups have access to the sandbox and system repositories | |
PARSER_THROTTLING_ALLOC_FACTOR | 1.0 | Factor used to determine the allocation of resources for parser throttling. Controls the fraction of resources dedicated to parsing operations to prevent overload. | |
POSTMARK_FROM | Send emails using the Postmark service | ||
POSTMARK_SERVER_SECRET | Sets the values for your server's token when using the Postmark service | ||
PRIMARY_STORAGE_MAX_FILL_PERCENTAGE | Primary segment files' storage limit | ||
PRIMARY_STORAGE_PERCENTAGE | Primary segment files' storage limit | ||
PROMETHEUS_METRICS_PORT | Enables Prometheus to scrape metrics from LogScale | ||
PROXY_PREFIX_URL | Specifies a URL prefix to be used when LogScale is deployed behind a reverse proxy or load balancer. Helps LogScale correctly generate URLs when it's not directly accessible at the root path of a domain. | ||
PUBLIC_URL | Public URL where LogScale instance is reachable from a browser | ||
QUERY_CACHE_MIN_COST | 1,000L | Enables/disables caching when using features that store a copy of live search results to the local disk | |
QUERY_CACHE_STORAGE_MAX_USE_PERCENTAGE | 0.1 | Controls the maximum percentage of available storage that can be used for the query cache. | |
QUERY_COORDINATION_PARTITIONS | 1,024 | Determines the number of partitions used for query coordination across the cluster. | |
QUERY_EXECUTOR_CORES | Sets the number of CPU cores to reduce pressure on context switching due to hyper-threading | ||
QUERY_SPENT_FACTOR | 0.5 | Defines the weight of recent query costs when scheduling. Higher values mean that users with high recent query costs will see their queries penalized more during scheduling by the query scheduler. If set to 0, this weighting is disabled. | |
RDNS_DEFAULT_SERVER | |
Default server to use for reverse DNS queries using
rdns() function or
reverseDns() function.
| |
READ_GROUP_PERMISSIONS_FROM_FILE | false | Allows groups and roles to be converted to new RBAC model and visible under Administration in read-only | |
REGION_SELECT_CONFIG_URL | | Specifies the URL from which LogScale should fetch region selection configuration information. The default value is typically empty or null, which means region selection is not enabled. | |
REJECT_INGEST_ON_PARSER_EXCEEDING_FRACTION | 0.85 | Fraction threshold that determines when to reject ingest operations if a parser is exceeding its allocated resources. When parser resource usage exceeds this fraction of its allocation, new ingest operations will be rejected. | |
RUNTIME_KIND_NAME |
Specifies the type or "kind" of runtime environment in which
LogScale is operating. Values can be
onprem (for self-hosted),oncloud
(for Cloud), or oncommunity (for community
edition). Set during deployment and never changed.
| ||
S3_ARCHIVING_ACCESSKEY | Sets the S3 access keys for archiving ingested logs in export format | ||
S3_ARCHIVING_CLUSTER_WIDE_DISABLED | false | Boolean flag that controls whether S3 archiving is disabled across the entire cluster. When set to true, S3 archiving will be disabled for all repositories in the cluster regardless of individual settings. | |
S3_ARCHIVING_CLUSTER_WIDE_END_AT | 2099-12-31T23:59:59.999Z | End date and time for cluster-wide S3 archiving period. Specifies when to stop S3 archiving across the cluster. Value should be in ISO-8601 format (yyyy-MM-dd'T'HH:mm:ss.SSSZ). | |
S3_ARCHIVING_CLUSTER_WIDE_REGEX_FOR_REPO_NAME | .* | Regular expression pattern used to match repository names for cluster-wide S3 archiving. Only repositories with names matching this pattern will be included in cluster-wide S3 archiving. Use ".*" to match all repositories. | |
S3_ARCHIVING_CLUSTER_WIDE_START_FROM | 2020-01-01T00:00:00.000Z | Start date and time for cluster-wide S3 archiving period. Specifies when to begin S3 archiving across the cluster. Value should be in ISO-8601 format (yyyy-MM-dd'T'HH:mm:ss.SSSZ). | |
S3_ARCHIVING_ENDPOINT_BASE | Allows to point to a non-AWS endpoint for archiving | ||
S3_ARCHIVING_REQUIRE_ROLE | Sets whether S3 configuration is using an IAM user or IAM role (recommended). | ||
S3_ARCHIVING_SECRETKEY | Sets the S3 secret key for archiving of ingested logs in an export format | ||
S3_ARCHIVING_USE_HTTP_PROXY | true | Whether to use the globally configured HTTP proxy for communicating with S3 | |
S3_ARCHIVING_WORKERCOUNT | 1 | Sets the number of parallel workers for upload | |
S3_EXPORT_USE_HTTP_PROXY | true | Enables/disables HTTP proxy configured for exporting to Amazon S3 | |
S3_RECOVER_FROM_KMS_KEY_ARN | Arn to the KMS key when using server side encryption on a recovery bucket | ||
S3_STORAGE_2_KMS_KEY_ARN | ARN to the KMS key when using server side encryption on a 2nd bucket | ||
S3_STORAGE_ACCESSKEY | Sets the access key for S3 storage | ||
S3_STORAGE_BUCKET | Bucket storage S3 variant | ||
S3_STORAGE_ENCRYPTION_KEY | Sets the encryption key for S3 storage | ||
S3_STORAGE_ENDPOINT_BASE | Sets the URL for pointing to your own non-AWS endpoint for S3 storage | ||
S3_STORAGE_KMS_KEY_ARN | ARN to the KMS key when using server side encryption on a bucket | ||
S3_STORAGE_OBJECT_KEY_PREFIX | Sets the optional prefix for all object keys | ||
S3_STORAGE_PREFERRED_COPY_SOURCE | false | Sets how to download segments from bucket storage when prefetching | |
S3_STORAGE_REGION | S3_STORAGE_REGION Environment Variable | ||
S3_STORAGE_SECRETKEY | Sets Secret Key for S3 bucket storage | ||
S3_STORAGE_USE_HTTP_PROXY | true | Enables/disables HTTP proxy for communicating with Amazon Bucket Storage | |
SAML_ALTERNATIVE_IDP_CERTIFICATE | Provides an alternative certificate for authentication | ||
SAML_DEBUG | false | SAML_DEBUG Environment Variable | |
SAML_GROUP_MEMBERSHIP_ATTRIBUTE | Synchronizes the groups upon successful login in LogScale | ||
SAML_IDP_CERTIFICATE | Provides a certificate for authentication | ||
SAML_IDP_ENTITY_ID | IDP identifier used internally in the authentication flow | ||
SAML_IDP_SIGN_ON_URL | User accessing LogScale is redirected to this variable and authentication flow starts | ||
SAML_USER_ATTRIBUTE | Allows to set a different user attribute name | ||
SANGRIA_LOG_SLOW_MILLIS | SANGRIA_LOG_SLOW_MILLIS Environment Variable | ||
SCHEDULED_SEARCH_BACKFILL_LIMIT | 5 | Configures the global maximum backfill limit for scheduled searches | |
SCHEDULED_SEARCH_DESPITE_WARNINGS | false | Configures actions trigger in schedules searches in case of warnings | |
SEARCH_PIPELINE_MONITOR_QUERY | #kind=logs | count() | The query that runs by default on the search pipeline monitor. | |
SECONDARY_DATA_DIRECTORY | Enables a secondary file system to store segment files | ||
SECONDARY_STORAGE_MAX_FILL_PERCENTAGE | Sets the limit for secondary storage in percentage | ||
SEGMENTMOVER_EXECUTOR_CORES | coreCount / 2 | Controls the number of CPU cores allocated to the segment mover executor. | |
SELFJOIN_LIMIT | 10 | Maximum number of self-joins allowed in a query. Limits the complexity of queries to prevent excessive resource consumption from queries with too many self-joins. If 0 or less, then it is unlimited. | |
SEND_USER_INVITES | true | Sets whether to send email invitations | |
SERIES_ENABLED | true | Controls whether the time series functionality is enabled. | |
SHARED_DASHBOARDS_ENABLED | true | Allows to disable shared dashboards | |
SHUTDOWN_ABORT_FLUSH_TIMEOUT_MILLIS | 30,000 ms | How long the digest worker thread keeps working on flushing the contents of in-memory buffers at shutdown | |
SINGLE_USER_PASSWORD | Sets the password for single-user authentication mode | ||
SINGLE_USER_USERNAME | user | Sets the username for single-user authentication mode | |
SLACK_POST_MESSAGE_URL | https://slack.com/api/chat.postMessage | Specifies the URL endpoint for sending notifications to Slack. Used when LogScale is configured to send alerts or notifications to Slack channels. It defines the URL that LogScale uses to post messages to your Slack workspace. | |
SMTP_HOST | Allows to send emails using an SMTP server | ||
SMTP_PASSWORD | Sets the secret password when using an SMTP server for emails | ||
SMTP_PORT | Sets the port number when using an SMTP server for emails | ||
SMTP_SENDER_ADDRESS | Sets your sender address when using an SMTP server for emails | ||
SMTP_USE_STARTTLS | Enables/disables StartTLS when using an SMTP server for emails | ||
SMTP_USERNAME | Sets your username when using an SMTP server for emails | ||
STATIC_IMAGE_CONTENT_URL | Allows note widgets to display images from the configured URL | ||
STATIC_USERS | Used to define user accounts directly in the configuration rather than through an external authentication system. | ||
STREAMING_QUERY_KEEPALIVE_NEWLINES | false | Whether to emit a newline into streaming query responses | |
STREAMING_QUERY_KEEPALIVE_NEWLINES_ON_NODES | false | Whether to emit a newline into streaming query responses for internal requests | |
STREAMING_QUERY_KEEPALIVE_TIMEOUT | unset | The keep-alive duration to set on HTTP responses for streaming queries | |
TABLE_CACHE_MEMORY_ALLOWANCE_FRACTION | 0.2 | Specifies the maximum fraction of available memory for the table cache. Controls how much of the system's memory can be used for caching query result tables. It is specified as a fraction of the total memory available for files. | |
TAG_HASHING_BUCKETS | 32 | Used to support auto-grouping of tags | |
TCP_INGEST_MAX_TIMEOUT_SECONDS | Sets the timeout for TCP ingest listeners | ||
THREAD_SIZE_LOGGING_INTERVAL_SECONDS | THREAD_SIZE_LOGGING_INTERVAL_SECONDS Environment Variable | ||
TLS_CIPHER_SUITES | Used to set the allowed TLS protocols and cipher suites | ||
TLS_CLIENT_ALIAS | Alias of the key in the keystore to use when a client request is made from other LogScale instances or to a webhook notifier | ||
TLS_CLIENT_AUTH | false | Whether to require TLS client authentication | |
TLS_DEFAULT_ALIAS | Alias of the key in the keystore to use when serving a client without an SNI extension header | ||
TLS_DEFAULT_SERVER_ALIAS | The alias of the private key in the keystore to use when LogScale cannot determine a suitable private key using SNI. If not specified, an arbitrary private key is used. | ||
TLS_HOSTNAME_VERIFICATION_FILTER | Whether to perform hostname verification | ||
TLS_KEY_PASSWORD | The key password for TLS | ||
TLS_KEYSTORE_LOCATION | Path to the keystore | ||
TLS_KEYSTORE_TYPE | The type of keystore, either PKCS12 or JKS | ||
TLS_PROTOCOLS | Sets the TLS protocols to allow when communicating | ||
TLS_SERVER | Whether TLS should be used when serving the web interface | ||
TLS_TRUSTSTORE_LOCATION | Path to the truststore | ||
TLS_TRUSTSTORE_PASSWORD | Password to unlock the truststore, if any | ||
TLS_TRUSTSTORE_TYPE | The type of truststore, either PKCS12 or JKS | ||
TOP_K_MAX_MAP_SIZE_HISTORICAL | 32 * 1,024 bytes | TOP_K_MAX_MAP_SIZE_HISTORICAL Environment Variable | |
TOP_K_MAX_MAP_SIZE_LIVE | 8 * 1,024 bytes | TOP_K_MAX_MAP_SIZE_LIVE Environment Variable | |
TOPIC_MAX_MESSAGE_BYTES | 8,388,608 bytes |
When LogScale is managing Kafka, overrides the default message
size. Only applicable on initial creation of a topic. To customize
the behavior, use the scripts shipping with the Kafka install:
kafka/bin/kafka-configs.sh.
| |
UI_AUTH_FLOW | true | UI_AUTH_FLOW Environment Variable | |
USING_EPHEMERAL_DISKS | false | Whether to use ephemeral disks on all nodes | |
VALIDATE_BLOCK_CRCS_BEFORE_UPLOAD | true | Whether to validate block CRCs before uploading segment files to bucket storage. If false, the feature is disabled. | |
VALUE_DEDUP_LEVEL | Limits the CPU time spent on removing duplication of values | ||
VERBOSE_AUTH | false | VERBOSE_AUTH Environment Variable | |
WARN_ON_INGEST_DELAY_MILLIS | 120,000 ms | Warns when ingest is delayed | |
ZONE | When set, allows to spread spread partitions across the different zones |