diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d3e9594debf..aa09c98f9619 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,8 @@ Main (unreleased)
 - Add a `file_watch` block in `loki.source.file` to configure how often to poll files from disk for changes via `min_poll_frequency` and `max_poll_frequency`.
   In static mode it can be configured in the global `file_watch_config` via `min_poll_frequency` and `max_poll_frequency`.  (@wildum)
 
+- Flow: In `prometheus.exporter.blackbox`, allow setting labels for individual targets. (@spartan0x117)
+
 ### Enhancements
 
 - Clustering: allow advertise interfaces to be configurable, with the possibility to select all available interfaces. (@wildum)
@@ -72,6 +74,10 @@ Main (unreleased)
   not consistent. (@rfratto)
 - Switch to `IBM/sarama` module. (@hainenber)
 
+### Bugfixes
+
+- Fixed a bug where `otelcol.processor.discovery` could modify the `targets` passed by an upstream component. (@ptodev)
+
 v0.36.1 (2023-09-06)
 --------------------
 
diff --git a/component/otelcol/processor/discovery/discovery.go b/component/otelcol/processor/discovery/discovery.go
index 5325800c6b10..989712355199 100644
--- a/component/otelcol/processor/discovery/discovery.go
+++ b/component/otelcol/processor/discovery/discovery.go
@@ -77,7 +77,6 @@ func (args *Arguments) Validate() error {
 
 // Component is the otelcol.exporter.discovery component.
 type Component struct {
-	cfg      Arguments
 	consumer *promsdconsumer.Consumer
 	logger   log.Logger
 }
@@ -134,18 +133,17 @@ func (c *Component) Run(ctx context.Context) error {
 // Update implements Component.
 func (c *Component) Update(newConfig component.Arguments) error {
 	cfg := newConfig.(Arguments)
-	c.cfg = cfg
 
 	hostLabels := make(map[string]discovery.Target)
 
-	for _, labels := range c.cfg.Targets {
+	for _, labels := range cfg.Targets {
 		host, err := promsdconsumer.GetHostFromLabels(labels)
 		if err != nil {
 			level.Warn(c.logger).Log("msg", "ignoring target, unable to find address", "err", err)
 			continue
 		}
-		promsdconsumer.CleanupLabels(labels)
-		hostLabels[host] = labels
+
+		hostLabels[host] = promsdconsumer.NewTargetsWithNonInternalLabels(labels)
 	}
 
 	err := c.consumer.UpdateOptions(promsdconsumer.Options{
diff --git a/component/prometheus/exporter/blackbox/blackbox.go b/component/prometheus/exporter/blackbox/blackbox.go
index 9457b054b84b..6cf006af2aa2 100644
--- a/component/prometheus/exporter/blackbox/blackbox.go
+++ b/component/prometheus/exporter/blackbox/blackbox.go
@@ -38,6 +38,10 @@ func buildBlackboxTargets(baseTarget discovery.Target, args component.Arguments)
 	a := args.(Arguments)
 	for _, tgt := range a.Targets {
 		target := make(discovery.Target)
+		// Set extra labels first, meaning that any other labels will override
+		for k, v := range tgt.Labels {
+			target[k] = v
+		}
 		for k, v := range baseTarget {
 			target[k] = v
 		}
@@ -62,9 +66,10 @@ var DefaultArguments = Arguments{
 
 // BlackboxTarget defines a target to be used by the exporter.
 type BlackboxTarget struct {
-	Name   string `river:",label"`
-	Target string `river:"address,attr"`
-	Module string `river:"module,attr,optional"`
+	Name   string            `river:",label"`
+	Target string            `river:"address,attr"`
+	Module string            `river:"module,attr,optional"`
+	Labels map[string]string `river:"labels,attr,optional"`
 }
 
 type TargetBlock []BlackboxTarget
diff --git a/component/prometheus/exporter/blackbox/blackbox_test.go b/component/prometheus/exporter/blackbox/blackbox_test.go
index 1fd149c821d9..ea871d775ba0 100644
--- a/component/prometheus/exporter/blackbox/blackbox_test.go
+++ b/component/prometheus/exporter/blackbox/blackbox_test.go
@@ -170,3 +170,47 @@ func TestBuildBlackboxTargets(t *testing.T) {
 	require.Equal(t, "http://example.com", targets[0]["__param_target"])
 	require.Equal(t, "http_2xx", targets[0]["__param_module"])
 }
+
+func TestBuildBlackboxTargetsWithExtraLabels(t *testing.T) {
+	baseArgs := Arguments{
+		ConfigFile: "modules.yml",
+		Targets: TargetBlock{{
+			Name:   "target_a",
+			Target: "http://example.com",
+			Module: "http_2xx",
+			Labels: map[string]string{
+				"env": "test",
+				"foo": "bar",
+			},
+		}},
+		ProbeTimeoutOffset: 1.0,
+	}
+	baseTarget := discovery.Target{
+		model.SchemeLabel:                   "http",
+		model.MetricsPathLabel:              "component/prometheus.exporter.blackbox.default/metrics",
+		"instance":                          "prometheus.exporter.blackbox.default",
+		"job":                               "integrations/blackbox",
+		"__meta_agent_integration_name":     "blackbox",
+		"__meta_agent_integration_instance": "prometheus.exporter.blackbox.default",
+	}
+	args := component.Arguments(baseArgs)
+	targets := buildBlackboxTargets(baseTarget, args)
+	require.Equal(t, 1, len(targets))
+	require.Equal(t, "integrations/blackbox/target_a", targets[0]["job"])
+	require.Equal(t, "http://example.com", targets[0]["__param_target"])
+	require.Equal(t, "http_2xx", targets[0]["__param_module"])
+
+	require.Equal(t, "test", targets[0]["env"])
+	require.Equal(t, "bar", targets[0]["foo"])
+
+	// Check that the extra labels do not override existing labels
+	baseArgs.Targets[0].Labels = map[string]string{
+		"job":      "test",
+		"instance": "test-instance",
+	}
+	args = component.Arguments(baseArgs)
+	targets = buildBlackboxTargets(baseTarget, args)
+	require.Equal(t, 1, len(targets))
+	require.Equal(t, "integrations/blackbox/target_a", targets[0]["job"])
+	require.Equal(t, "prometheus.exporter.blackbox.default", targets[0]["instance"])
+}
diff --git a/docs/Makefile b/docs/Makefile
index a7963e99934f..473f6bab03d7 100644
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -11,11 +11,11 @@ include docs.mk
 docs: check-cloudwatch-integration
 
 check-cloudwatch-integration:
-	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.19.4-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go check /docs/sources/static/configuration/integrations/cloudwatch-exporter-config.md
-	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.19.4-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go check /docs/sources/flow/reference/components/prometheus.exporter.cloudwatch.md
+	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.21-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go check /docs/sources/static/configuration/integrations/cloudwatch-exporter-config.md
+	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.21-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go check /docs/sources/flow/reference/components/prometheus.exporter.cloudwatch.md
 
 generate-cloudwatch-integration:
-	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.19.4-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go generate
+	$(PODMAN) run -v $(shell git rev-parse --show-toplevel):/repo -v $(shell pwd):/docs -w /repo golang:1.21-bullseye go run pkg/integrations/cloudwatch_exporter/docs/doc.go generate
 
 sources/assets/hierarchy.svg: sources/operator/hierarchy.dot
 	cat $< | $(PODMAN) run --rm -i nshine/dot dot -Tsvg > $@
diff --git a/docs/developer/windows/certificate_store/README.md b/docs/developer/windows/certificate_store/README.md
new file mode 100644
index 000000000000..b0d020c7477b
--- /dev/null
+++ b/docs/developer/windows/certificate_store/README.md
@@ -0,0 +1,143 @@
+# Guide to setting up a Windows Server for Certificate Testing
+
+This guide is used to set up a Windows Server for Windows Store Certificate Testing. This guide assumes you have downloaded a Windows 2022 Server ISO and have installed the Windows Server onto a virtual machine. Certificate Templates can only be installed on Windows Server and it must enabled as an Enterprise Certificate Authority. This guide is NOT meant to be a guide on how to set up a Windows Server for production use, and is meant only for setting up an environment to test the Grafana Agent and certificate store.
+
+## Prerequisites
+
+* The install should be fresh with no server roles defined or installed. 
+* You should be logged in via an administrator account.
+
+## Set up as domain controller
+
+1. Add `Active Directory Domain Services`.
+2. Add to a new forest, and when asked for a name, use `test.example.com`.
+3. Add a NETBIOS name `TESTCERT`.
+4. Continue the feature install until done.
+6. Reboot. If the set up succeeded, your username will be prefixed with `TESTCERT/` on login screen.
+
+
+## Set up certificate management
+
+For this setup we are using a one-node Domain Controller set up as the Enterprise CA.
+
+1. Go to the Server Management window.
+![](./images/initial.png)
+2. Click Add Roles.
+![](./images/addroles.png)
+3. Select `Active Directory Certificate Services`.
+![](./images/certificateservices.png)
+
+4. Select `Certificate Authority`, and `Certificate Authority Web Enrollment`. Note that we will need the `Certificate Web Enrollment Service`, but it must be installed after the `Certificate Authority`.
+
+5. Install and then select configure `Certificate Authority`.
+![](./images/configure_certificate_authority.png)
+
+6. Select `Enterprise CA`.
+![](./images/enterprise_ca.png)
+
+7. Select `Root CA`.
+![](./images/root_ca.png)
+
+8. Select `Create a new private key`.
+![](./images/private_key.png)
+
+9. Go with the defaults.
+![](./images/default_private_ky.png)
+
+10. Go with validity of 5 years.
+![](./images/validity.png)
+
+11. Install.
+12. When asked if you want to install additional services say yes.
+![](./images/additional_services.png)
+
+13. Select `Certificate Enrollment Web Service`.
+14. Use the default application pool identity.
+![](./images/default_identity.png)
+
+15. Choose existing SSL certificate.
+![](./images/default_certificate.png)
+
+16. Click through and complete.
+17. Reboot.
+
+## Creating a template
+
+1. From Server Management click Tools->Certificate Authority.
+![](./images/certificate_authority_click.png)
+
+2. Ensure `Certificate Templates` is available, if not then you are not set up as an Enterprise CA and go back to `Setup as domain controller`.
+![](./images/certificate_templates.png)
+
+3. Right-click on `Certificate Templates` and select `Manage`.
+![](./images/manage.png)
+
+4. This opens the `Certificate Templates Console`.
+5. Select `Authenticate Session` and `Duplicate`.
+6. Open `General` tab and change names to `Certstore Template`, set the Renewal Period to 32850 hours that is the max allowed.
+![](./images/template_general.png)
+
+7. Open `Cryptography` tab and select `Request can use any provider available on the subject's computer`.
+![](./images/availability.png)
+
+8. Open `Request Handling` tab and select `Allow private key to be exported`.
+![](./images/export_private_key.png)
+
+9. Open `Security` tab and give Administrator all the control.
+![](./images/give_control.png)
+
+10. Open `Extensions` tab click `Application Policies` click `Edit`, ensure `Any Purpose` is selected.
+![](./images/any_purpose.png)
+
+11. Close `Certificate Template Console`.
+12. Reopen `Certificate Authority` console.
+13. Right-click on `Certificate Templates`, select `New`, then `Certificate Template to Issue`.
+14. Select `Certstore Template`.
+15. It will now show in the Templates folder of Certificate Authority.
+
+## Creating a certificate from the template
+
+1. Open `certmgr` also called `Manage user certificates` from the Run button.
+2. Expand `Personal`, right-click on personal, select `All Tasks` , select `Request New Certificate`.
+3. Click through until you get the `Request Certificate` screen and select `Certstore Template`.
+![](./images/new_cert.png)
+
+4. Expand `Certstore Template` and select `Properties`.
+5. Give it a name  like `TestAuth` and ensure under `Private Key` -> `Key options` that the private key is exportable.
+![](./images/new_cert_exportable.png)
+
+6. Create Certificate.
+
+## Export the certificate
+
+1. From `certmgr` find the certificate you created and double click to open.
+2. Go to the `Details` tab and select `Copy to File...`.
+3. Ensure that `Allow private key to be exported` is selected.
+![](./images/export_private_key.png)
+
+4. Under `Export File Format` ensure that `Include all certificates in the certificate path if possible`.
+5. Export it to a file.
+
+## Setup Grafana Agent
+
+1. Open the Agent configuration file.
+2. Open `Certificate Templates Console`, right-click `Certstore Template` and find the Object identifier.
+![](./images/object_identifier.png)
+
+3. Copy the configuration file.
+4. Find the common name, it is `test-WIN-TF2GPD2VTOT-CA` in the screenshot.
+![](./images/common_name.png)
+
+5. Copy that to the configuration.
+6. Configuration should look like this.
+![](./images/config.png)
+
+7. Start Agent.
+
+## Copy certificate to browser
+
+1. Open browser.
+2. Find certificate management.
+3. Add certificate we exported in `Export the certificate`.
+4. Browse to `http://localhost:12345/metrics`, and it should work properly. You may need to tell it to trust the certificate though.
+
diff --git a/docs/developer/windows/certificate_store/images/additional_services.png b/docs/developer/windows/certificate_store/images/additional_services.png
new file mode 100644
index 000000000000..4c540a55d440
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/additional_services.png differ
diff --git a/docs/developer/windows/certificate_store/images/addroles.png b/docs/developer/windows/certificate_store/images/addroles.png
new file mode 100644
index 000000000000..dab1bad477f2
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/addroles.png differ
diff --git a/docs/developer/windows/certificate_store/images/any_purpose.png b/docs/developer/windows/certificate_store/images/any_purpose.png
new file mode 100644
index 000000000000..212d6be0af08
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/any_purpose.png differ
diff --git a/docs/developer/windows/certificate_store/images/availability.png b/docs/developer/windows/certificate_store/images/availability.png
new file mode 100644
index 000000000000..0a6d4fcbd6da
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/availability.png differ
diff --git a/docs/developer/windows/certificate_store/images/certificate_authority_click.png b/docs/developer/windows/certificate_store/images/certificate_authority_click.png
new file mode 100644
index 000000000000..8678cd6367b0
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/certificate_authority_click.png differ
diff --git a/docs/developer/windows/certificate_store/images/certificate_templates.png b/docs/developer/windows/certificate_store/images/certificate_templates.png
new file mode 100644
index 000000000000..7e7e487d40e8
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/certificate_templates.png differ
diff --git a/docs/developer/windows/certificate_store/images/certificateservices.png b/docs/developer/windows/certificate_store/images/certificateservices.png
new file mode 100644
index 000000000000..87f3dbfaa172
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/certificateservices.png differ
diff --git a/docs/developer/windows/certificate_store/images/common_name.png b/docs/developer/windows/certificate_store/images/common_name.png
new file mode 100644
index 000000000000..e191676b1852
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/common_name.png differ
diff --git a/docs/developer/windows/certificate_store/images/config.png b/docs/developer/windows/certificate_store/images/config.png
new file mode 100644
index 000000000000..65145e87077d
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/config.png differ
diff --git a/docs/developer/windows/certificate_store/images/configure_certificate_authority.png b/docs/developer/windows/certificate_store/images/configure_certificate_authority.png
new file mode 100644
index 000000000000..c860e01b4c1a
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/configure_certificate_authority.png differ
diff --git a/docs/developer/windows/certificate_store/images/default_certificate.png b/docs/developer/windows/certificate_store/images/default_certificate.png
new file mode 100644
index 000000000000..4977c8e6bf75
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/default_certificate.png differ
diff --git a/docs/developer/windows/certificate_store/images/default_identity.png b/docs/developer/windows/certificate_store/images/default_identity.png
new file mode 100644
index 000000000000..65803533fb71
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/default_identity.png differ
diff --git a/docs/developer/windows/certificate_store/images/default_private_ky.png b/docs/developer/windows/certificate_store/images/default_private_ky.png
new file mode 100644
index 000000000000..e7e1bba628e0
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/default_private_ky.png differ
diff --git a/docs/developer/windows/certificate_store/images/enterprise_ca.png b/docs/developer/windows/certificate_store/images/enterprise_ca.png
new file mode 100644
index 000000000000..e6812d721844
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/enterprise_ca.png differ
diff --git a/docs/developer/windows/certificate_store/images/export_private_key.png b/docs/developer/windows/certificate_store/images/export_private_key.png
new file mode 100644
index 000000000000..8627ea1f6b37
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/export_private_key.png differ
diff --git a/docs/developer/windows/certificate_store/images/exportable_key.png b/docs/developer/windows/certificate_store/images/exportable_key.png
new file mode 100644
index 000000000000..a3f4f979ff09
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/exportable_key.png differ
diff --git a/docs/developer/windows/certificate_store/images/give_control.png b/docs/developer/windows/certificate_store/images/give_control.png
new file mode 100644
index 000000000000..ee6e8aa3233f
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/give_control.png differ
diff --git a/docs/developer/windows/certificate_store/images/initial.png b/docs/developer/windows/certificate_store/images/initial.png
new file mode 100644
index 000000000000..5e08ae3af920
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/initial.png differ
diff --git a/docs/developer/windows/certificate_store/images/manage.png b/docs/developer/windows/certificate_store/images/manage.png
new file mode 100644
index 000000000000..1f8a0cdf6f0e
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/manage.png differ
diff --git a/docs/developer/windows/certificate_store/images/new_cert.png b/docs/developer/windows/certificate_store/images/new_cert.png
new file mode 100644
index 000000000000..e19752a800db
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/new_cert.png differ
diff --git a/docs/developer/windows/certificate_store/images/new_cert_exportable.png b/docs/developer/windows/certificate_store/images/new_cert_exportable.png
new file mode 100644
index 000000000000..037caa23dfd6
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/new_cert_exportable.png differ
diff --git a/docs/developer/windows/certificate_store/images/object_identifier.png b/docs/developer/windows/certificate_store/images/object_identifier.png
new file mode 100644
index 000000000000..f7b5125f0d45
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/object_identifier.png differ
diff --git a/docs/developer/windows/certificate_store/images/private_key.png b/docs/developer/windows/certificate_store/images/private_key.png
new file mode 100644
index 000000000000..74e14b5e4696
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/private_key.png differ
diff --git a/docs/developer/windows/certificate_store/images/root_ca.png b/docs/developer/windows/certificate_store/images/root_ca.png
new file mode 100644
index 000000000000..fcd74c3a4324
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/root_ca.png differ
diff --git a/docs/developer/windows/certificate_store/images/template_general.png b/docs/developer/windows/certificate_store/images/template_general.png
new file mode 100644
index 000000000000..5f062dbac0e5
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/template_general.png differ
diff --git a/docs/developer/windows/certificate_store/images/validity.png b/docs/developer/windows/certificate_store/images/validity.png
new file mode 100644
index 000000000000..f88486a4c2ec
Binary files /dev/null and b/docs/developer/windows/certificate_store/images/validity.png differ
diff --git a/docs/sources/flow/reference/components/otelcol.processor.discovery.md b/docs/sources/flow/reference/components/otelcol.processor.discovery.md
index 72064bb99363..f1ecd82ba89c 100644
--- a/docs/sources/flow/reference/components/otelcol.processor.discovery.md
+++ b/docs/sources/flow/reference/components/otelcol.processor.discovery.md
@@ -104,7 +104,7 @@ information.
 ## Examples
 
 ### Basic usage
-```
+```river
 discovery.http "dynamic_targets" {
     url              = "https://example.com/scrape_targets"
     refresh_interval = "15s"
@@ -123,7 +123,7 @@ otelcol.processor.discovery "default" {
 
 Outputs from more than one discovery process can be combined via the `concat` function.
 
-```
+```river
 discovery.http "dynamic_targets" {
     url              = "https://example.com/scrape_targets"
     refresh_interval = "15s"
@@ -149,7 +149,7 @@ It is not necessary to use a discovery component. In the example below, a `test_
 attribute will be added to a span if its IP address is "1.2.2.2". The `__internal_label__` will
 be not be added to the span, because it begins with a double underscore (`__`).
 
-```
+```river
 otelcol.processor.discovery "default" {
     targets = [{
         "__address__"        = "1.2.2.2", 
diff --git a/docs/sources/flow/reference/components/otelcol.processor.span.md b/docs/sources/flow/reference/components/otelcol.processor.span.md
index 5e12b647a4f5..174533a6679c 100644
--- a/docs/sources/flow/reference/components/otelcol.processor.span.md
+++ b/docs/sources/flow/reference/components/otelcol.processor.span.md
@@ -234,7 +234,7 @@ This example creates a new span name from the values of attributes `db.svc`,
 `operation`, and `id`, in that order, separated by the value `::`. 
 All attribute keys need to be specified in the span for the processor to rename it.
 
-```
+```river
 otelcol.processor.span "default" {
   name {
     separator        = "::"
@@ -247,9 +247,9 @@ otelcol.processor.span "default" {
 }
 ```
 
-For a span with the following attributes key/value pairs, the example
+For a span with the following attributes key/value pairs, the above
 Flow configuration will change the span name to `"location::get::1234"`:
-```
+```json
 { 
   "db.svc": "location", 
   "operation": "get", 
@@ -257,10 +257,10 @@ Flow configuration will change the span name to `"location::get::1234"`:
 }
 ```
 
-For a span with the following attributes key/value pairs, the example 
+For a span with the following attributes key/value pairs, the above 
 Flow configuration will not change the span name. 
 This is because the attribute key `operation` isn't set:
-```
+```json
 { 
   "db.svc": "location", 
   "id": "1234"
@@ -269,7 +269,7 @@ This is because the attribute key `operation` isn't set:
 
 ### Creating a new span name from attribute values (no separator)
 
-```
+```river
 otelcol.processor.span "default" {
   name {
     from_attributes = ["db.svc", "operation", "id"]
@@ -281,9 +281,9 @@ otelcol.processor.span "default" {
 }
 ```
 
-For a span with the following attributes key/value pairs, the example
+For a span with the following attributes key/value pairs, the above
 Flow configuration will change the span name to `"locationget1234"`:
-```
+```json
 { 
   "db.svc": "location", 
   "operation": "get", 
@@ -298,7 +298,7 @@ Example input and output using the Flow configuration below:
 2. The span name will be changed to `/api/v1/document/{documentId}/update`
 3. A new attribute `"documentId"="12345678"` will be added to the span.
 
-```
+```river
 otelcol.processor.span "default" {
   name {
     to_attributes {
@@ -321,7 +321,7 @@ if the span has the following properties:
 - The span name contains `/` anywhere in the string.
 - The span name is not `donot/change`.
 
-```
+```river
 otelcol.processor.span "default" {
   include {
     match_type = "regexp"
@@ -348,7 +348,7 @@ otelcol.processor.span "default" {
 
 This example changes the status of a span to "Error" and sets an error description.
 
-```
+```river
 otelcol.processor.span "default" {
   status {
     code        = "Error"
@@ -366,7 +366,7 @@ otelcol.processor.span "default" {
 This example sets the status to success only when attribute `http.status_code` 
 is equal to `400`.
 
-```
+```river
 otelcol.processor.span "default" {
   include {
     match_type = "strict"
diff --git a/docs/sources/flow/reference/components/prometheus.exporter.blackbox.md b/docs/sources/flow/reference/components/prometheus.exporter.blackbox.md
index e5103cab69c0..494dd273d0a6 100644
--- a/docs/sources/flow/reference/components/prometheus.exporter.blackbox.md
+++ b/docs/sources/flow/reference/components/prometheus.exporter.blackbox.md
@@ -87,7 +87,7 @@ debug metrics.
 ### Collect metrics using a blackbox exporter config file
 
 This example uses a [`prometheus.scrape` component][scrape] to collect metrics
-from `prometheus.exporter.blackbox`:
+from `prometheus.exporter.blackbox`. It adds an extra label, `env="dev"`, to the metrics emitted by the `grafana` target. The `example` target does not have any added labels.
 
 ```river
 prometheus.exporter.blackbox "example" {
@@ -101,6 +101,9 @@ prometheus.exporter.blackbox "example" {
   target "grafana" {
     address = "http://grafana.com"
     module  = "http_2xx"
+    labels = {
+      "env": "dev",
+    }
   }
 }
 
@@ -144,6 +147,9 @@ prometheus.exporter.blackbox "example" {
   target "grafana" {
     address = "http://grafana.com"
     module  = "http_2xx"
+    labels = {
+      "env": "dev",
+    }
   }
 }
 
@@ -171,4 +177,5 @@ Replace the following:
 - `USERNAME`: The username to use for authentication to the remote_write API.
 - `PASSWORD`: The password to use for authentication to the remote_write API.
 
+
 [scrape]: {{< relref "./prometheus.scrape.md" >}}
diff --git a/pkg/flow/logging/handler.go b/pkg/flow/logging/handler.go
index 718130534a36..aacfdb37e02f 100644
--- a/pkg/flow/logging/handler.go
+++ b/pkg/flow/logging/handler.go
@@ -58,7 +58,7 @@ func (h *handler) buildHandler() slog.Handler {
 	// Fast path: if our cached handler is still valid, immediately return it.
 	h.mut.RLock()
 	if h.currentFormat == expectFormat && h.inner != nil {
-		h.mut.RUnlock()
+		defer h.mut.RUnlock()
 		return h.inner
 	}
 	h.mut.RUnlock()
diff --git a/pkg/server/tls_certstore_windows.go b/pkg/server/tls_certstore_windows.go
index a16fe0b1b522..72c7ce0fd042 100644
--- a/pkg/server/tls_certstore_windows.go
+++ b/pkg/server/tls_certstore_windows.go
@@ -7,15 +7,18 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"fmt"
-	"github.com/github/smimesign/certstore"
-	"github.com/go-kit/log"
-	"github.com/go-kit/log/level"
 	"regexp"
 	"sort"
 	"sync"
 	"time"
+
+	"github.com/github/smimesign/certstore"
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
 )
 
+// Documentation on how to setup a certificate store can be found at docs/developer/windows
+
 // winCertStoreHandler handles the finding of certificates, validating them and injecting into the default TLS pipeline
 type winCertStoreHandler struct {
 	cfg          WindowsCertificateFilter
diff --git a/pkg/traces/promsdprocessor/consumer/consumer.go b/pkg/traces/promsdprocessor/consumer/consumer.go
index 7db93a0ec826..79df98fe7aa1 100644
--- a/pkg/traces/promsdprocessor/consumer/consumer.go
+++ b/pkg/traces/promsdprocessor/consumer/consumer.go
@@ -247,10 +247,12 @@ func GetHostFromLabels(labels discovery.Target) (string, error) {
 	return host, nil
 }
 
-func CleanupLabels(labels discovery.Target) {
-	for k := range labels {
-		if strings.HasPrefix(k, "__") {
-			delete(labels, k)
+func NewTargetsWithNonInternalLabels(labels discovery.Target) discovery.Target {
+	res := make(discovery.Target)
+	for k, v := range labels {
+		if !strings.HasPrefix(k, "__") {
+			res[k] = v
 		}
 	}
+	return res
 }
diff --git a/pkg/traces/promsdprocessor/prom_sd_processor.go b/pkg/traces/promsdprocessor/prom_sd_processor.go
index 70251f9515ba..8f7b208f18db 100644
--- a/pkg/traces/promsdprocessor/prom_sd_processor.go
+++ b/pkg/traces/promsdprocessor/prom_sd_processor.go
@@ -172,9 +172,7 @@ func (p *promServiceDiscoProcessor) syncTargets(jobName string, group *targetgro
 			continue
 		}
 
-		promsdconsumer.CleanupLabels(labels)
-
 		level.Debug(p.logger).Log("msg", "adding host to hostLabels", "host", host)
-		hostLabels[host] = labels
+		hostLabels[host] = promsdconsumer.NewTargetsWithNonInternalLabels(labels)
 	}
 }