You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+25-2Lines changed: 25 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -26,6 +26,10 @@ Authentication towards the Cloudflare API can be done in two ways:
26
26
The preferred way of authenticating is with an API token, for which the scope can be configured at the Cloudflare
27
27
dashboard.
28
28
29
+
**Important**: Cloudflare supports two types of API tokens:
30
+
-**User-level tokens**: Can access all accounts the user has permissions for. These tokens auto-discover all accessible accounts.
31
+
-**Account-scoped tokens**: Scoped to a specific account. When using account-scoped tokens, you **must** set the `CF_ACCOUNTS` environment variable with your account ID(s).
32
+
29
33
Required authentication scopes:
30
34
31
35
-`Zone/Analytics:Read` is required for zone-level metrics
-`Account:Load Balancing: Monitors and Pools:Read` is required to fetch pools origin health status `cloudflare_pool_origin_health_status` metric
38
42
-`Cloudflare Tunnel Read` is required to fetch Cloudflare Tunnel (Cloudflare Zero Trust) metrics
39
43
40
-
To authenticate this way, only set `CF_API_TOKEN` (omit `CF_API_EMAIL` and `CF_API_KEY`)
44
+
**To authenticate with a user-level token**:
45
+
- Set `CF_API_TOKEN` (omit `CF_API_EMAIL` and `CF_API_KEY`)
46
+
- The exporter will auto-discover all accounts you have access to
47
+
-[Shortcut to create the API token](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_analytics%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22firewall_services%22%2C%22type%22%3A%22read%22%7D%5D&name=Cloudflare+Exporter&accountId=*&zoneId=all)
41
48
42
-
[Shortcut to create the API token](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_analytics%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22firewall_services%22%2C%22type%22%3A%22read%22%7D%5D&name=Cloudflare+Exporter&accountId=*&zoneId=all)
49
+
**To authenticate with an account-scoped token**:
50
+
- Set `CF_API_TOKEN` with your account-scoped token
51
+
- Set `CF_ACCOUNTS` with your account ID (find it in the Cloudflare dashboard URL: `https://dash.cloudflare.com/<ACCOUNT_ID>/...`)
52
+
- Example: `CF_ACCOUNTS=abc123def456` or for multiple accounts: `CF_ACCOUNTS=abc123,def456`
43
53
44
54
### User email + API key
45
55
@@ -57,6 +67,7 @@ The exporter can be configured using env variables or command flags.
57
67
|`CF_API_EMAIL`| user email (see <https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys>) |
58
68
|`CF_API_KEY`| API key associated with email (`CF_API_EMAIL` is required if this is set)|
59
69
|`CF_API_TOKEN`| API authentication token (recommended before API key + email. Version 0.0.5+. see <https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-token-auth>) |
70
+
|`CF_ACCOUNTS`| (Required for account-scoped tokens) Cloudflare account IDs to monitor, comma delimited list. When using account-scoped API tokens, this must be set. User-level tokens can omit this to auto-discover all accessible accounts. |
60
71
|`CF_ZONES`| (Optional) cloudflare zones to export, comma delimited list of zone ids. If not set, all zones from account are exported |
61
72
|`CF_EXCLUDE_ZONES`| (Optional) cloudflare zones to exclude, comma delimited list of zone ids. If not set, no zones from account are excluded |
62
73
|`CF_TIMEOUT`| Set cloudflare request timeout. Default 10 seconds |
@@ -67,6 +78,7 @@ The exporter can be configured using env variables or command flags.
67
78
|`SCRAPE_INTERVAL`| scrape interval in seconds (will query cloudflare every SCRAPE_INTERVAL seconds), default `60`|
68
79
|`METRICS_DENYLIST`| (Optional) cloudflare-exporter metrics to not export, comma delimited list of cloudflare-exporter metrics. If not set, all metrics are exported |
69
80
|`ENABLE_PPROF`| (Optional) enable pprof profiling endpoints at `/debug/pprof/`. Accepts `true` or `false`, default `false`. **Warning**: Only enable in development/debugging environments |
81
+
|`ENABLE_EDGE_ERRORS_BY_PATH`| (Optional) enable edge errors by path metric. Accepts `true` or `false`, default `false`. See [Edge Errors by Path Metric](#edge-errors-by-path-metric-opt-in)|
70
82
|`ZONE_<NAME>`|`DEPRECATED since 0.0.5` (optional) Zone ID. Add zones you want to scrape by adding env vars in this format. You can find the zone ids in Cloudflare dashboards. |
71
83
|`LOG_LEVEL`| Set loglevel. Options are error, warn, info, debug. default `error`|
72
84
@@ -76,6 +88,7 @@ Corresponding flags:
76
88
-cf_api_email="": cloudflare api email, works with api_key flag
77
89
-cf_api_key="": cloudflare api key, works with api_email flag
78
90
-cf_api_token="": cloudflare api token (version 0.0.5+, preferred)
91
+
-cf_accounts="": cloudflare accounts to monitor, comma delimited list (required for account-scoped API tokens)
79
92
-cf_zones="": cloudflare zones to export, comma delimited list
80
93
-cf_exclude_zones="": cloudflare zones to exclude, comma delimited list
@@ -119,6 +133,7 @@ Note: `ZONE_<name>` configuration is not supported as flag.
119
133
# HELP cloudflare_zone_requests_status_country_host Count of requests for zone per edge HTTP status per country per host
120
134
# HELP cloudflare_zone_requests_browser_map_page_views_count Number of successful requests for HTML pages per zone
121
135
# HELP cloudflare_zone_requests_total Number of requests for zone
136
+
# HELP cloudflare_zone_edge_errors_by_path Number of edge errors (4xx and 5xx) by request path
122
137
# HELP cloudflare_zone_threats_country Threats per zone per country
123
138
# HELP cloudflare_zone_threats_total Threats per zone
124
139
# HELP cloudflare_zone_uniques_total Uniques per zone
@@ -131,6 +146,14 @@ Note: `ZONE_<name>` configuration is not supported as flag.
131
146
# HELP cloudflare_r2_storage_total_bytes Total storage used by R2
132
147
```
133
148
149
+
### Edge Errors by Path Metric (Opt-in)
150
+
151
+
The `cloudflare_zone_edge_errors_by_path` metric tracks edge errors (4xx/5xx) by request path. This enables path-based filtering in alerts to exclude known-noisy endpoints while catching real issues.
152
+
153
+
**Disabled by default** due to high cardinality. Enable with `ENABLE_EDGE_ERRORS_BY_PATH=true`.
154
+
155
+
Paths are normalized to reduce cardinality (e.g., `/users/123` → `/users/:id`, UUIDs → `:uuid`).
156
+
134
157
## Helm chart repository
135
158
136
159
To deploy the exporter into Kubernetes, we recommend using our manager Helm repository:
0 commit comments