All Vault telemetry metrics

For completeness, we provide a full list of available metrics below in alphabetic order by name.

Full metric list

database.Close

database.Close.error

database.CreateUser

database.CreateUser.error

database.Initialize

database.Initialize.error

database.{NAME}.Close

database.{NAME}.Close.error

database.{NAME}.CreateUser

database.{NAME}.CreateUser.error

database.{NAME}.Initialize

database.{NAME}.Initialize.error

database.{NAME}.RenewUser

database.{NAME}.RenewUser.error

database.{NAME}.RevokeUser

database.{NAME}.RevokeUser.error

database.RenewUser

database.RenewUser.error

database.RevokeUser

database.RevokeUser.error

secrets.pki.tidy.cert_store_current_entry

secrets.pki.tidy.cert_store_deleted_count

secrets.pki.tidy.cert_store_total_entries_remaining

secrets.pki.tidy.cert_store_total_entries

secrets.pki.tidy.duration

secrets.pki.tidy.failure

secrets.pki.tidy.revoked_cert_current_entry

secrets.pki.tidy.revoked_cert_deleted_count

secrets.pki.tidy.revoked_cert_total_entries_fixed_issuers

secrets.pki.tidy.revoked_cert_total_entries_incorrect_issuers

secrets.pki.tidy.revoked_cert_total_entries_remaining

secrets.pki.tidy.revoked_cert_total_entries

secrets.pki.tidy.start_time_epoch

The start time metric reports a value of 0 if the PKI tidy operation is not currently active.

secrets.pki.tidy.success

vault.audit.{DEVICE}.log_request

vault.audit.{DEVICE}.log_response

vault.audit.log_request_failure

The number of request failures is a crucial metric.

A non-zero value for vault.audit.log_request_failure indicates that all your configured audit devices failed to log a request (or response). If Vault cannot properly audit a request, or the response to a request, the original request will fail.

Refer to the Vault logs and any device-specific metrics to troubleshoot the failing audit log device.

vault.audit.log_request

vault.audit.log_response_failure

The number of request failures is a crucial metric.

A non-zero value for vault.audit.log_response_failure indicates that all of the configured audit log devices failed to log a response to a request to Vault. If Vault cannot properly audit a request, or the response to a request, the original request will fail.

Refer to the device-specific metrics and logs to troubleshoot the failing audit log device.

vault.audit.log_response

vault.autopilot.failure_tolerance

The failure tolerance indicates how many currently healthy nodes can fail without losing quorum.

vault.autopilot.healthy

• A value of 1 on the gauge means that Autopilot deems all nodes healthy.
• A value of 0 on the gauge means that Autopilot deems at least 1 node unhealthy.

vault.autopilot.node.healthy

• A value of 1 on the gauge means that Autopilot deems the node indicated by node_id is healthy.
• A value of 0 on the gauge means that Autopilot cannot communicate with the node indicated by node_id, or deems the node unhealthy.

vault.autosnapshots.last.success.time

vault.autosnapshots.percent.maxspace.used

Vault only populates the vault.autosnapshots.percent.maxspace.used metric when the storage type for autosnapshot is local. The percentage of used space is relative to the maximum allocated space for snapshots, not the total available space on local storage.

vault.autosnapshots.rotate.duration

Vault deletes snapshots to adhere to the configured retention period. The rotation metric specifically measures the time taken to delete the snapshot once the retention period expires.

vault.autosnapshots.save.duration

vault.autosnapshots.save.errors

vault.autosnapshots.snapshot.size

vault.autosnapshots.total.snapshot.size

Vault only populates the vault.autosnapshots.total.snapshot.size metric when the storage type for autosnapshot is local.

vault.azure.delete

vault.azure.get

vault.azure.list

vault.azure.put

vault.barrier.delete

vault.barrier.get

vault.barrier.list

vault.barrier.put

vault.cache.delete

vault.cache.hit

vault.cache.miss

vault.cache.write

vault.cassandra.delete

vault.cassandra.get

vault.cassandra.list

vault.cassandra.put

vault.cockroachdb.delete

vault.cockroachdb.get

vault.cockroachdb.list

vault.cockroachdb.put

vault.consul.delete

vault.consul.get

vault.consul.list

vault.consul.put

vault.consul.transaction

vault.core.active

• A value of 1 indicates that the node is active.
• A value of 0 indicates that the node is in standby.

vault.core.activity.fragment_size

The fragment size metric includes labels to indicate if the objects counted were entities or tokens.

vault.core.activity.segment_write

vault.core.check_token

vault.core.fetch_acl_and_token

vault.core.handle_login_request

vault.core.handle_request

vault.core.in_flight_requests

vault.core.leadership_lost

Leadership time updates occur whenever leadership changes. Frequent updates to vault.core.leadership_lost with low leadership times indicates flapping as leader status rotates between nodes.

vault.core.leadership_setup_failed

Setup failure time is an important health metric for your high-availability Vault installation. We strongly recommend that you closely monitor vault.core.leadership_setup_failed and set alerts that keep you informed of the overall cluster leadership status.

vault.core.license.expiration_time_epoch

vault.core.locked_users

The number of locked users refreshes every 15 minutes.

vault.core.mount_table.num_entries

Mountpoint count metrics include labels to indicate whether the relevant table is an authentication table or a logical table and whether the table is replicated or local.

vault.core.mount_table.size

Table size metrics include labels to indicate whether the relevant table is an authentication table or a logical table and whether the table is replicated or local.

vault.core.performance_standby

• A value of 1 indicates the node is a performance standby
• A value of 0 indicates the node is not a performance standby

vault.core.post_unseal

vault.core.pre_seal

vault.core.replication.dr.primary

• A value of 1 indicates that the node is a disaster recovery primary.
• A value of 0 indicates that the node is not a disaster recovery primary.

vault.core.replication.dr.secondary

• A value of 1 indicates that the node is a disaster recovery secondary.
• A value of 0 indicates that the node is not a disaster recovery secondary.

vault.core.replication.performance.primary

• A value of 1 indicates that the node is a performance primary.
• A value of 0 indicates that the node is not a performance primary.

vault.core.replication.performance.secondary

• A value of 1 indicates that the node is a performance secondary.
• A value of 0 indicates that the node is not a performance secondary.

vault.core.replication.write_undo_logs

• A value of 1 indicates that Vault is generating undo logs.
• A value of 0 indicates that Vault is not generating undo logs.

vault.core.seal-internal

vault.core.seal-with-request

vault.core.step_down

vault.core.unseal

vault.core.unsealed

• A value of 1 indicates Vault is currently unsealed and clients can read secrets.
• A value of 0 indicates Vault is currently sealed and clients cannot read secrets.

vault.couchdb.delete

vault.couchdb.get

vault.couchdb.list

vault.couchdb.put

vault.dynamodb.delete

vault.dynamodb.get

vault.dynamodb.list

vault.dynamodb.put

vault.etcd.delete

vault.etcd.get

vault.etcd.list

vault.etcd.put

vault.expire.fetch-lease-times-by-token

vault.expire.fetch-lease-times

vault.expire.job_manager.queue_length

The queue ID in the queue_id label indicates the mount accessor associated with the expiring lease. For example, the secrets engine or authentication method.

vault.expire.job_manager.total_jobs

vault.expire.lease_expiration

vault.expire.lease_expiration.error

vault.expire.lease_expiration.time_in_queue

vault.expire.leases.by_expiration

The relevant time intervals are defined in the telemetry stanza for your Vault server configuration with the following parameters:

• lease_metrics_epsilon: 1 hour (default)
• num_lease_metrics_buckets: 168 hours (default)
• add_lease_metrics_namespace_labels: false (default)

Vault reports the number of leases due to expire every lease_metrics_epsilon interval in the time period current_time + num_lease_metrics_buckets.

vault.expire.num_irrevocable_leases

vault.expire.num_leases

vault.expire.register-auth

vault.expire.register

vault.expire.renew-token

vault.expire.renew

vault.expire.revoke-by-token

vault.expire.revoke-force

vault.expire.revoke-prefix

vault.expire.revoke

vault.gcs.delete

vault.gcs.get

vault.gcs.list

vault.gcs.lock.lock

vault.gcs.lock.unlock

vault.gcs.lock.value

vault.gcs.put

vault.ha.rpc.client.echo

vault.ha.rpc.client.echo.errors

vault.ha.rpc.client.forward

vault.ha.rpc.client.forward.errors

vault.identity.entity.active.monthly

Vault reports vault.identity.entity.active.monthly at the start of each month when client counting is enabled.

vault.identity.entity.active.partial_month

Vault reports vault.identity.entity.active.partial_month periodically during the month when client counting is enabled.

vault.identity.entity.active.reporting_period

Vault reports vault.identity.entity.active.reporting_period at the start of each month when client counting is enabled.

vault.identity.entity.alias.count

Vault updates the alias count every usage_gauge_period interval.

vault.identity.entity.count

vault.identity.entity.creation

vault.identity.num_entities

vault.identity.upsert_entity_txn

vault.identity.upsert_group_txn

vault.logshipper.buffer.length

vault.logshipper.buffer.max_length

vault.logshipper.buffer.max_size

vault.logshipper.buffer.size

vault.logshipper.streamWALs.guard_found

vault.logshipper.streamWALs.missing_guard

vault.logshipper.streamWALs.scanned_entries

vault.merkle.flushDirty

vault.merkle.flushDirty.num_pages

vault.merkle.flushDirty.outstanding_pages

vault.merkle.saveCheckpoint

vault.merkle.saveCheckpoint.num_dirty

vault.metrics.collection

vault.metrics.collection.error

vault.metrics.collection.interval

vault.mssql.delete

vault.mssql.get

vault.mssql.list

vault.mssql.put

vault.mysql.delete

vault.mysql.get

vault.mysql.list

vault.mysql.put

vault.policy.delete_policy

vault.policy.get_policy

vault.policy.list_policies

vault.policy.set_policy

vault.postgres.delete

vault.postgres.get

vault.postgres.list

vault.postgres.put

vault.quota.lease_count.counter

The number of leases reported is specific to the quota rule listed in the name label, not the number of leases in general. For example, if the named rule allows for 50 leases max and there are currently 40 leases in the scope of that quota rule, the value of vault.quota.lease_count.counter is 40 even if there are 1000 other leases that are unscoped or in the scope of other quota rules.

vault.quota.lease_count.max

vault.quota.lease_count.violation

vault.quota.rate_limit.violation

vault.raft_storage.bolt.cursor.count

vault.raft_storage.bolt.freelist.allocated_bytes

vault.raft_storage.bolt.freelist.free_pages

vault.raft_storage.bolt.freelist.pending_pages

vault.raft_storage.bolt.freelist.used_bytes

vault.raft_storage.bolt.node.count

vault.raft_storage.bolt.node.dereferences

vault.raft_storage.bolt.page.bytes_allocated

vault.raft_storage.bolt.page.count

vault.raft_storage.bolt.rebalance.count

vault.raft_storage.bolt.rebalance.time

vault.raft_storage.bolt.spill.count

vault.raft_storage.bolt.spill.time

vault.raft_storage.bolt.split.count

vault.raft_storage.bolt.transaction.currently_open_read_transactions

vault.raft_storage.bolt.transaction.started_read_transactions

vault.raft_storage.bolt.write.count

vault.raft_storage.bolt.write.time

vault.raft_storage.follower.applied_index_delta

vault.raft_storage.follower.last_heartbeat_ms

vault.raft_storage.stats.applied_index

vault.raft_storage.stats.commit_index

vault.raft_storage.stats.fsm_pending

vault.raft-storage.delete

vault.raft-storage.entry_size

vault.raft-storage.get

vault.raft-storage.list

vault.raft-storage.put

vault.raft-storage.transaction

vault.raft.apply

The vault.raft.apply metric is generally a good indicator of the write load on your raft internal storage.

vault.raft.barrier

A node starts the barrier by issuing a blocking call when it wants to ensure that all pending operations that need to be applied to the finite state machine are properly queued.

vault.raft.candidate.electSelf

vault.raft.commitNumLogs

vault.raft.commitTime

vault.raft.compactLogs

vault.raft.fsm.apply

vault.raft.fsm.applyBatch

vault.raft.fsm.applyBatchNum

vault.raft.fsm.enqueue

vault.raft.fsm.restore

vault.raft.fsm.snapshot

vault.raft.fsm.store_config

vault.raft.get

vault.raft.leader.dispatchLog

vault.raft.leader.dispatchNumLogs

vault.raft.leader.lastContact

vault.raft.list

vault.raft.peers

vault.raft.replication.appendEntries.log

vault.raft.replication.appendEntries.rpc

vault.raft.replication.heartbeat

vault.raft.replication.installSnapshot

Only nodes currently in the follower state report vault.raft.replication.installSnapshot metrics.

vault.raft.restore

In the context of raft storage, a restore operation refers to the process where raft consumes an external snapshot to restore its state.

vault.raft.restoreUserSnapshot

vault.raft.rpc.appendEntries

vault.raft.rpc.appendEntries.processLogs

vault.raft.rpc.appendEntries.storeLogs

vault.raft.rpc.installSnapshot

Only nodes currently in the follower state report vault.raft.rpc.installSnapshot metrics.

vault.raft.rpc.processHeartbeat

vault.raft.rpc.requestVote

vault.raft.snapshot.create

vault.raft.snapshot.persist

vault.raft.snapshot.takeSnapshot

In most cases, vault.raft.snapshot.takeSnapshot is approximately equal to vault.raft.snapshot.create + vault.raft.snapshot.persist.

vault.raft.state.candidate

vault.raft.state.follower

Nodes transition to follower state under the following conditions:

• when the node joins the cluster
• when a leader is elected, but the node was not elected leader

vault.raft.state.leader

vault.raft.transition.heartbeat_timeout

vault.raft.transition.leader_lease_timeout

vault.raft.verify_leader

vault.replication.fetchRemoteKeys

vault.replication.fsm.last_remote_wal

vault.replication.merkle.commit_index

vault.replication.merkleDiff

vault.replication.merkleSync

vault.replication.rpc.client.conflicting_pages

vault.replication.rpc.client.create_token_register_auth_lease

vault.replication.rpc.client.fetch_keys

vault.replication.rpc.client.forward

vault.replication.rpc.client.guard_hash

vault.replication.rpc.client.persist_alias

vault.replication.rpc.client.register_auth

vault.replication.rpc.client.register_lease

vault.replication.rpc.client.save_mfa_response_auth

vault.replication.rpc.client.stream_wals

vault.replication.rpc.client.sub_page_hashes

vault.replication.rpc.client.sync_counter

vault.replication.rpc.client.upsert_group

vault.replication.rpc.client.wrap_in_cubbyhole

vault.replication.rpc.dr.server.echo

vault.replication.rpc.dr.server.fetch_keys_request

vault.replication.rpc.server.auth_request

vault.replication.rpc.server.bootstrap_request

vault.replication.rpc.server.conflicting_pages_request

vault.replication.rpc.server.echo

vault.replication.rpc.server.forwarding_request

vault.replication.rpc.server.guard_hash_request

vault.replication.rpc.server.persist_alias_request

vault.replication.rpc.server.persist_persona_request

vault.replication.rpc.server.save_mfa_response_auth

vault.replication.rpc.server.stream_wals_request

vault.replication.rpc.server.sub_page_hashes_request

vault.replication.rpc.server.sync_counter_request

vault.replication.rpc.server.upsert_group_request

vault.replication.rpc.standby.server.create_token_register_auth_lease_request

vault.replication.rpc.standby.server.echo

vault.replication.rpc.standby.server.register_auth_request

vault.replication.rpc.standby.server.register_lease_request

vault.replication.rpc.standby.server.wrap_token_request

vault.replication.wal.gc

vault.replication.wal.last_dr_wal

vault.replication.wal.last_performance_wal

vault.replication.wal.last_wal

vault.rollback.attempt.{MOUNTPOINT}

vault.rollback.attempt

vault.rollback.inflight

vault.rollback.queued

vault.rollback.waiting

vault.route.create.{MOUNTPOINT}

vault.route.delete.{MOUNTPOINT}

vault.route.list.{MOUNTPOINT}

vault.route.read.{MOUNTPOINT}

vault.route.rollback.{MOUNTPOINT}

Vault automatically schedules and performs mount point rollback operations to clean up partial errors.

vault.route.rollback

Vault automatically schedules and performs mount point rollback operations to clean up partial errors.

vault.runtime.alloc_bytes

The number of allocated bytes may peak from time to time, but should always return to a steady state value in a health Vault installation.

vault.runtime.free_count

vault.runtime.gc_pause_ns

vault.runtime.heap_objects

The vault.runtime.heap_objects metric is a good memory pressure indicator. We recommend monitoring vault.runtime.heap_objects to establish an accurate baseline and thresholds for alerting on the health of your Vault installation.

vault.runtime.malloc_count

vault.runtime.num_goroutines

The vault.runtime.num_goroutines metric is a good system load indicator. We recommend monitoring vault.runtime.num_goroutines to establish an accurate baseline and thresholds for alerting on the health of your Vault installation.

vault.runtime.sys_bytes

The total number of allocated system bytes includes space currently used by the heap plus space that has been reclaimed by, but not returned to, the operating system.

vault.runtime.total_gc_pause_ns

vault.runtime.total_gc_runs

vault.s3.delete

vault.s3.get

vault.s3.list

vault.s3.put

vault.secret.kv.count