Documentation

Chronograf

chronograf - Chronograf server

The chronograf daemon starts and manages all the processes associated with the Chronograf server and includes options that manage many aspects of Chronograf security.

Usage

chronograf [flags]

Flags

Chronograf server flags

FlagDescriptionEnv. Variable
--hostIP the Chronograf service listens on. By default, 0.0.0.0HOST
--portPort the Chronograf service listens on for insecure connections. By default, 8888PORT
-b--bolt-pathFile path to the BoltDB file. By default, ./chronograf-v1.dbBOLT_PATH
-c--canned-pathFile path to the directory of canned dashboard files. By default, /usr/share/chronograf/cannedCANNED_PATH
--resources-pathPath to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, /usr/share/chronograf/resourcesRESOURCES_PATH
-p--basepathURL path prefix under which all Chronograf routes will be mounted.BASE_PATH
--status-feed-urlURL of JSON feed to display as a news feed on the client status page. By default, https://www.influxdata.com/feed/jsonSTATUS_FEED_URL
-v--versionDisplays the version of the Chronograf service
-h--host-page-disabledDisables the hosts pageHOST_PAGE_DISABLED

InfluxDB connection flags

FlagDescriptionEnv. Variable
--influxdb-urlInfluxDB URL, including the protocol, IP address, and portINFLUXDB_URL
--influxdb-usernameInfluxDB usernameINFLUXDB_USERNAME
--influxdb-passwordInfluxDB passwordINFLUXDB_PASSWORD
--influxdb-orgInfluxDB 2.x or InfluxDB Cloud organization nameINFLUXDB_ORG
--influxdb-tokenInfluxDB 2.x or InfluxDB Cloud authentication tokenINFLUXDB_TOKEN

Kapacitor connection flags

FlagDescriptionEnv. Variable
--kapacitor-urlLocation of your Kapacitor instance, including http://, IP address, and portKAPACITOR_URL
--kapacitor-usernameUsername for your Kapacitor instanceKAPACITOR_USERNAME
--kapacitor-passwordPassword for your Kapacitor instanceKAPACITOR_PASSWORD

TLS (Transport Layer Security) flags

FlagDescriptionEnv. Variable
--certFile path to PEM-encoded public key certificateTLS_CERTIFICATE
--keyFile path to private key associated with given certificateTLS_PRIVATE_KEY
--tls-ciphersComma-separated list of supported cipher suites. Use help to print available ciphers.TLS_CIPHERS
--tls-min-versionMinimum version of the TLS protocol that will be negotiated. (default: 1.2)TLS_MIN_VERSION
--tls-max-versionMaximum version of the TLS protocol that will be negotiated.TLS_MAX_VERSION

Other server option flags

FlagDescriptionEnv. Variable
--custom-auto-refreshAdd custom auto-refresh options using semicolon-separated list of label=milliseconds pairsCUSTOM-AUTO-REFRESH
--custom-linkAdd a custom link to Chronograf user menu options using <display_name>:<link_address> syntax. For multiple custom links, include multiple flags.
-d--developRun the Chronograf service in developer mode
-h--helpDisplay command line help for Chronograf
-l--log-levelSet the logging level. Valid values include info (default), debug, and errorLOG_LEVEL
-r--reporting-disabledDisable reporting of usage statistics. Usage statistics reported once every 24 hours include: OS, arch, version, cluster_id, and uptime.REPORTING_DISABLED

Authentication option flags

General authentication flags

FlagDescriptionEnv. Variable
-t--token-secretSecret for signing tokensTOKEN_SECRET
--auth-durationTotal duration, in hours, of cookie life for authentication. Default value is 720h.AUTH_DURATION
--public-urlPublic URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be http://localhost:8888. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers.PUBLIC_URL
—-htpasswdPath to password file for use with HTTP basic authentication. See NGINX documentation for more on password files.HTPASSWD

GitHub-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--github-urlGitHub base URL. Default is https://github.com. Required if using GitHub EnterpriseGH_URL
-i--github-client-idGitHub client ID value for OAuth 2.0 supportGH_CLIENT_ID
-s--github-client-secretGitHub client secret value for OAuth 2.0 supportGH_CLIENT_SECRET
-o--github-organizationRestricts authorization to users from specified GitHub organizations. To add more than one organization, add multiple flags. Optional.GH_ORGS

Google-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--google-client-idGoogle client ID value for OAuth 2.0 supportGOOGLE_CLIENT_ID
--google-client-secretGoogle client secret value for OAuth 2.0 supportGOOGLE_CLIENT_SECRET
--google-domainsRestricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional.GOOGLE_DOMAINS

Auth0-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--auth0-domainSubdomain of your Auth0 client. Available on the configuration page for your Auth0 client.AUTH0_DOMAIN
--auth0-client-idAuth0 client ID value for OAuth 2.0 supportAUTH0_CLIENT_ID
--auth0-client-secretAuth0 client secret value for OAuth 2.0 supportAUTH0_CLIENT_SECRET
--auth0-organizationsRestricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the user’s app_metadata.AUTH0_ORGS

Heroku-specific OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--heroku-client-idHeroku client ID value for OAuth 2.0 supportHEROKU_CLIENT_ID
--heroku-secretHeroku secret for OAuth 2.0 supportHEROKU_SECRET
--heroku-organizationRestricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional.HEROKU_ORGS

Generic OAuth 2.0 authentication flags

FlagDescriptionEnv. Variable
--generic-nameGeneric OAuth 2.0 name presented on the login pageGENERIC_NAME
--generic-client-idGeneric OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service.GENERIC_CLIENT_ID
--generic-client-secretGeneric OAuth 2.0 client secret valueGENERIC_CLIENT_SECRET
--generic-scopesScopes requested by provider of web clientGENERIC_SCOPES
--generic-domainsEmail domain required for user email addressesGENERIC_DOMAINS
--generic-auth-urlAuthorization endpoint URL for the OAuth 2.0 providerGENERIC_AUTH_URL
--generic-token-urlToken endpoint URL for the OAuth 2.0 providerGENERIC_TOKEN_URL
--generic-api-urlURL that returns OpenID UserInfo-compatible informationGENERIC_API_URL
--oauth-no-pkceDisable OAuth PKCEOAUTH_NO_PKCE

etcd flags

FlagDescriptionEnv. Variable
-e--etcd-endpointsetcd endpoint URL (include multiple flags for multiple endpoints)ETCD_ENDPOINTS
--etcd-usernameetcd usernameETCD_USERNAME
--etcd-passwordetcd passwordETCD_PASSWORD
--etcd-dial-timeoutTotal time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s)ETCD_DIAL_TIMEOUT
--etcd-request-timeoutTotal time to wait before timing out the etcd view or update (0 means no timeout, default: -1s)ETCD_REQUEST_TIMEOUT
--etcd-certPath to PEM-encoded TLS public key certificate for use with TLSETCD_CERTIFICATE
--etcd-keyPath to private key associated with given certificate for use with TLSETCD_PRIVATE_KEY
--etcd-root-caPath to root CA certificate for TLS verificationETCD-ROOT-CA

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB 3.9: Performance upgrade preview

InfluxDB 3 Enterprise 3.9 includes a beta of major performance upgrades with faster single-series queries, wide-and-sparse table support, and more.

InfluxDB 3 Enterprise 3.9 includes a beta of major performance and feature updates.

Key improvements:

  • Faster single-series queries
  • Consistent resource usage
  • Wide-and-sparse table support
  • Automatic distinct value caches for reduced latency with metadata queries

Preview features are subject to breaking changes.

For more information, see:

Telegraf Enterprise now in public beta

Get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

See the Blog Post

The upcoming Telegraf Enterprise offering is for organizations running Telegraf at scale and is comprised of two key components:

  • Telegraf Controller: A control plane (UI + API) that centralizes Telegraf configuration management and agent health visibility.
  • Telegraf Enterprise Support: Official support for Telegraf Controller and Telegraf plugins.

Join the Telegraf Enterprise beta to get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

For more information:

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On May 27, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2