Multiple conditions with autodiscover & docker containers


(Bart Van Ackooij) #1

Hi!

I've just set up our ELK stack and I'm struggling with selecting the right containers for the autodiscover setting. I have an application consisting of around 20+ different containers. And around 10 of these containers have interesting logs I'd like to forward to Logstash.

This works;

    filebeat.autodiscover:
      providers:
      - type: docker
        templates:
        - condition:
            contains:
              docker.container.image: **SOMETHING**

But, unfortunately, 'SOMETHING' covers a lot of containers. And I wanted to exclude some Docker containers. For example, exclude the container with the name 'SOMETHING/SOMETHING_ELSE'.

I thought (and kinda hoped) this would work.

    filebeat.autodiscover:
       providers:
       - type: docker
         templates:
         - condition:
             contains:
               docker.container.image: **SOMETHING**
               and.not.contains:
                 docker.container.image: **SOMETHING_ELSE**

What is the correct syntax to exclude/include container images? Just being able to include more than 1 container name would be sufficient for now. Like;

    contains:
      docker.container.image: **A**, **B**,**C**

Fyi; this is my first post here, I tried to use the right markdown and such, but please do correct me if I missed something :slight_smile:

Kind regards!

Filebeat version 6.4.1


(Steffen Siering) #2

Conditions syntax is more 'lisp-style', due to the YAML config file format.

E.g. your condition with 'and.not' must look like:

    - condition.and:
      - contains:
          docker.container.image: **SOMETHING**
      - not.contains:
          docker.container.image: **SOMETHING_ELSE**

The and operator gets a list of conditionals that must match. It's similar to "ALL".

P.S.: Thank you for taking the time and properly formatting your question on your first try :wink:
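
An added example, not part of the original posts: a complete autodiscover template that combines the `and`/`not` form from the reply above with an `or` list, which is how several image names (the `A, B, C` case in the question) can be included at once. The image substrings and the Logstash host are constructed placeholders, and the `config` block assumes the Filebeat 6.x `docker` input.

```yaml
# Added example (not from the thread). Image names and host are placeholders.
filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            # "and" takes a list; every entry must match (ALL).
            and:
              # "or" takes a list; at least one entry must match (ANY).
              # Each "contains" is a substring match on the image name.
              - or:
                  - contains:
                      docker.container.image: "example/app-api"
                  - contains:
                      docker.container.image: "example/app-worker"
                  - contains:
                      docker.container.image: "example/app-auth"
              # "not" wraps a single condition and inverts it.
              # Excludes an image that the "or" list would otherwise pick up,
              # because "example/app-api" is a substring of its name.
              - not:
                  contains:
                    docker.container.image: "example/app-api-debug"
          # Input started for each container that matches the condition.
          config:
            - type: docker
              containers.ids:
                - "${data.docker.container.id}"

output.logstash:
  # Placeholder host; replace with the real Logstash endpoint.
  hosts: ["logstash.example.internal:5044"]
```

Containers whose image matches none of the `or` entries get no input at all, so it is worth confirming after a change that every container whose logs are needed downstream still matches.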


(Bart Van Ackooij) #3

Awesome, it works!

Thanks for the help!

