otlp_http
Receive OpenTelemetry traces, logs, and metrics via OTLP/HTTP protocol.
Introduced in version 4.78.0.
Exposes an OpenTelemetry Collector HTTP receiver that accepts traces, logs, and metrics via HTTP.
Telemetry data is received in OTLP format (both protobuf and JSON) at standard OTLP endpoints and converted to individual Redpanda OTEL v1 protobuf messages. Each signal (span, log record, or metric) becomes a separate message with embedded Resource and Scope metadata, optimized for Kafka partitioning.
-
Common
-
Advanced
inputs:
label: ""
otlp_http:
encoding: json
address: 0.0.0.0:4318
rate_limit: ""inputs:
label: ""
otlp_http:
encoding: json
address: 0.0.0.0:4318
tls:
enabled: false
cert_file: ""
key_file: ""
auth_token: ""
read_timeout: 10s
write_timeout: 10s
max_body_size: 4194304
rate_limit: ""
tcp:
reuse_addr: false
reuse_port: false
schema_registry:
url: "" # No default (required)
timeout: 5s
tls:
enabled: false
skip_cert_verify: false
enable_renegotiation: false
root_cas: ""
root_cas_file: ""
client_certs: []
oauth2:
enabled: false
client_key: ""
client_secret: ""
token_url: ""
scopes: []
endpoint_params: {}
oauth:
enabled: false
consumer_key: ""
consumer_secret: ""
access_token: ""
access_token_secret: ""
basic_auth:
enabled: false
username: ""
password: ""
jwt:
enabled: false
private_key_file: ""
signing_method: ""
claims: {}
headers: {}
common_subject: ""
trace_subject: ""
log_subject: ""
metric_subject: ""Endpoints
This input exposes the following standard OTLP HTTP endpoints:
-
/v1/traces- OpenTelemetry traces -
/v1/logs- OpenTelemetry logs -
/v1/metrics- OpenTelemetry metrics
Protocols
This input supports OTLP/HTTP on the default port 4318. It accepts both:
-
application/x-protobuf- OTLP protobuf format -
application/json- OTLP JSON format
Output format
Each OTLP export request is unbatched into individual messages:
-
Traces: One message per span
-
Logs: One message per log record
-
Metrics: One message per metric
Messages are encoded in Redpanda OTEL v1 protobuf format.
Metadata
This input adds the following metadata fields to each message:
-
signal_type- The signal type: "trace", "log", or "metric"
You can access these metadata fields using function interpolation.
Authentication
When auth_token is configured, clients must include the token in the HTTP Authorization header.
Go client example
import (
"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp"
)
exporter, err := otlptracehttp.New(ctx,
otlptracehttp.WithEndpoint("localhost:4318"),
otlptracehttp.WithInsecure(), // or WithTLSClientConfig() for TLS
otlptracehttp.WithHeaders(map[string]string{
"Authorization": "Bearer your-token-here",
}),
)Rate limiting
An optional rate limit resource can be specified to throttle incoming requests. When the rate limit is breached, requests will receive a 429 (Too Many Requests) response.
Fields
auth_token
Optional bearer token for authentication. When set, requests must include 'Authorization: Bearer <token>' header.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
encoding
Encoding format for messages in the batch. Options: 'protobuf' or 'json'.
Type: string
Default: json
Options: protobuf, json
schema_registry
Optional Schema Registry configuration for adding Schema Registry wire format headers to messages.
Type: object
schema_registry.basic_auth.enabled
Whether to use basic authentication in requests.
Type: bool
Default: false
schema_registry.basic_auth.password
A password to authenticate with.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
schema_registry.common_subject
Schema subject name for the common protobuf schema. Only used when encoding is 'protobuf'. Defaults to 'redpanda-otel-common' for protobuf encoding or 'redpanda-otel-common-json' for JSON encoding.
Type: string
Default: ""
schema_registry.jwt.claims
A value used to identify the claims that issued the JWT.
Type: object
Default: {}
schema_registry.jwt.enabled
Whether to use JWT authentication in requests.
Type: bool
Default: false
schema_registry.jwt.private_key_file
A file with the PEM encoded via PKCS1 or PKCS8 as private key.
Type: string
Default: ""
schema_registry.jwt.signing_method
A method used to sign the token such as RS256, RS384, RS512 or EdDSA.
Type: string
Default: ""
schema_registry.log_subject
Schema subject name for log data. Defaults to 'redpanda-otel-logs' for protobuf encoding or 'redpanda-otel-logs-json' for JSON encoding.
Type: string
Default: ""
schema_registry.metric_subject
Schema subject name for metric data. Defaults to 'redpanda-otel-metrics' for protobuf encoding or 'redpanda-otel-metrics-json' for JSON encoding.
Type: string
Default: ""
schema_registry.oauth.access_token
A value used to gain access to the protected resources on behalf of the user.
Type: string
Default: ""
schema_registry.oauth.access_token_secret
A secret provided in order to establish ownership of a given access token.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
schema_registry.oauth.consumer_key
A value used to identify the client to the service provider.
Type: string
Default: ""
schema_registry.oauth.consumer_secret
A secret used to establish ownership of the consumer key.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
schema_registry.oauth2
Allows you to specify open authentication via OAuth version 2 using the client credentials token flow.
Type: object
schema_registry.oauth2.client_key
A value used to identify the client to the token provider.
Type: string
Default: ""
schema_registry.oauth2.client_secret
A secret used to establish ownership of the client key.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
schema_registry.oauth2.enabled
Whether to use OAuth version 2 in requests.
Type: bool
Default: false
schema_registry.oauth2.endpoint_params
A list of optional endpoint parameters, values should be arrays of strings.
Type: object
Default: {}
# Examples:
endpoint_params:
audience:
- https://example.com
resource:
- https://api.example.comschema_registry.tls.client_certs[]
A list of client certificates to use. For each certificate either the fields cert and key, or cert_file and key_file should be specified, but not both.
Type: object
Default: []
# Examples:
client_certs:
- cert: foo
key: bar
# ---
client_certs:
- cert_file: ./example.pem
key_file: ./example.keyschema_registry.tls.client_certs[].cert_file
The path of a certificate to use.
Type: string
Default: ""
schema_registry.tls.client_certs[].key
A plain text certificate key to use.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
schema_registry.tls.client_certs[].key_file
The path of a certificate key to use.
Type: string
Default: ""
schema_registry.tls.client_certs[].password
A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.
Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
# Examples:
password: foo
# ---
password: ${KEY_PASSWORD}schema_registry.tls.enable_renegotiation
Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.
Requires version 3.45.0 or later.
Type: bool
Default: false
schema_registry.tls.root_cas
An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.
|
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
# Examples:
root_cas: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----schema_registry.tls.root_cas_file
An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.
Type: string
Default: ""
# Examples:
root_cas_file: ./root_cas.pemschema_registry.tls.skip_cert_verify
Whether to skip server side certificate verification.
Type: bool
Default: false
schema_registry.trace_subject
Schema subject name for trace data. Defaults to 'redpanda-otel-traces' for protobuf encoding or 'redpanda-otel-traces-json' for JSON encoding.
Type: string
Default: ""
schema_registry.url
Schema Registry URL for schema operations.
Type: string
# Examples:
url: http://localhost:8081tcp.reuse_addr
Enable SO_REUSEADDR, allowing binding to ports in TIME_WAIT state. Useful for graceful restarts and config reloads where the server needs to rebind to the same port immediately after shutdown.
Type: bool
Default: false
