I'm trying to restrict the set of the containers to collect metrics from, by using autodiscover, exactly like this:
```yaml
metricbeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            equals:
              docker.container.labels.com.docker.stack.namespace: 'logging'
          config:
            - module: docker
              hosts: ["unix:///var/run/docker.sock"]
              period: 10s
output.elasticsearch:
  hosts:
    - "http://elasticsearch-monitoring-1:9200"
    - "http://elasticsearch-monitoring-2:9200"
    - "http://elasticsearch-monitoring-3:9200"
```
The condition seems to work, and in the Discover tab I see only events with the specified label.
However, all the events have the same container.id per host.name where the beat is running, and the number of events is significantly larger than when using the docker module without autodiscovery (~200/minute without autodiscovery vs ~8000/minute with it).
Some more details.
The events seem to be grouped by the timestamp, host.name and event.dataset fields, and the size of such a group equals the total number of containers on the specific docker host, even if they do not match the label condition. The events in such a group are not exactly the same, for example, the event.duration field looks unique for all events.
The metricbeat itself is running inside a container with the docker.sock mounted.
The entire Elastic Stack is of 7.2.0 version.
So, for me it looks like a bug, but maybe docker module is not supposed to be used within the autodiscover context at all? What do you think?