Fix autodiscover for docker in filebeat #10862
Conversation
|
@jsoriano I think this is ready for review :-) Seems like we do need to add dedot in docker autodiscover after all. Otherwise when https://github.com/elastic/beats/blob/master/libbeat/processors/add_docker_metadata/add_docker_metadata.go#L188 happens, the labels will get both the dedotted version and the original version with dots. Please correct me if this doesn't make sense to you at all.... I'm still trying to figure out the inner connections :-) Thanks! |
|
@kaiyan-sheng thanks for doing this, I have been testing it and I found that dedotting was being applied to selectors, so conditions on labels with dots stopped working, as well as hints with dots. I am continuing with #10898 to address these issues. I have opened also a backport (#10899) so dedotting of autodiscover labels is available also in 6.7, but disabled by default. |
Fields injected by docker autodiscover provider were being placed in alias fields introduced for ECS, change them to the new location and add selectors accordingly. This PR includes #10862 and #10758 As a summary: * Autodiscover selectors using ECS structure are added to autodiscover events, old selectors are kept for backwards compatibility * Autodiscover generated metadata follows ECS * Dedotting of labels is added, enabled by default, will be backported for 6.7, but disabled `docker.containers.labels` is not migrated, as it wasn't for `add_docker_metadata` (see #9412) Fixes #10757 Co-Authored-By: kaiyan-sheng <kaiyan.sheng@elastic.co> Co-Authored-By: Nicolas Ruflin <spam@ruflin.com>
|
Merged as part of #10898 |
Fields injected by docker autodiscover provider were being placed in alias fields introduced for ECS, change them to the new location and add selectors accordingly. This PR includes elastic#10862 and elastic#10758 As a summary: * Autodiscover selectors using ECS structure are added to autodiscover events, old selectors are kept for backwards compatibility * Autodiscover generated metadata follows ECS * Dedotting of labels is added, enabled by default, will be backported for 6.7, but disabled `docker.containers.labels` is not migrated, as it wasn't for `add_docker_metadata` (see elastic#9412) Fixes elastic#10757 Co-Authored-By: kaiyan-sheng <kaiyan.sheng@elastic.co> Co-Authored-By: Nicolas Ruflin <spam@ruflin.com> (cherry picked from commit 1bf8087)
Fields injected by docker autodiscover provider were being placed in alias fields introduced for ECS, change them to the new location and add selectors accordingly. This PR includes #10862 and #10758 As a summary: * Autodiscover selectors using ECS structure are added to autodiscover events, old selectors are kept for backwards compatibility * Autodiscover generated metadata follows ECS * Dedotting of labels is added, enabled by default, will be backported for 6.7, but disabled `docker.containers.labels` is not migrated, as it wasn't for `add_docker_metadata` (see #9412) Fixes #10757 (cherry picked from commit 1bf8087) Co-Authored-By: kaiyan-sheng <kaiyan.sheng@elastic.co> Co-Authored-By: Nicolas Ruflin <spam@ruflin.com>
Both |
|
@ainiml for this case you can use hints-based autodiscover, with the advantage of being able to add fine-grained configuration to specific pods and containers if you need it. |
|
@jsoriano thanks! Going with the least effort was the initial goal, just to get enough information into logstash to do some filtering |
This PR is based on #10758
Results from autodiscover for docker with filebeat have
docker.container.idfields instead of the ECS fieldscontainer.id.Turned out the container information in filebeat output came from
docker autodiscover. Without dedot in autodiscover, labels in output json will not be dedotted. If processoradd_docker_metadatais enabled, then the labels in json output will be duplicated: one set of labels without dedotting (from autodiscover) and another set of labels after dedotting (from add_docker_metadata).Please see results in pictures below.
add_docker_metadata labels.dedot=truebut no dedot for autodiscover (docker.autodiscover labels.dedot=false):
You can see same labels showed up twice, once with dots and the other without.docker.autodiscover labels.dedot=true:
You can see there is no duplicate labels.