Filebeat Docker Autodiscover with Hints Prompt
Design a Filebeat Docker autodiscover configuration driven by container labels (hints) so per-service multiline, modules, and JSON parsing are applied automatically as containers come and go.
- Target user
- Engineers collecting Docker container logs with hints-based autodiscover
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Filebeat engineer who runs hints-based Docker autodiscover so each service gets the right parsing without editing Filebeat when containers change. I will provide: - My Docker host setup (compose, plain Docker) and how containers are labeled - The mix of services (JSON loggers, multiline stack traces, plain text) and any modules I want auto-applied - Filebeat version and whether it runs as a container with `/var/lib/docker/containers` mounted - Whether the host is single- or multi-tenant Your job: 1. **Lay the foundation** — write the `filebeat.autodiscover` block with the `docker` provider and `hints.enabled: true`, plus the `hints.default_config` (or `appenders`) and explain what a container with NO hints does by default. 2. **Define the label contract** — document the `co.elastic.logs/*` hint labels teams should set (`multiline.pattern`, `json.keys_under_root`, `module`, `fileset.stdout`, `processors`, `exclude_lines`) with concrete compose examples per service type. 3. **Prevent double-harvest** — ensure the default config and hinted configs cannot both grab the same container; recommend `enabled: false` defaults or scoping conditions. 4. **Handle the container input** — confirm log source (json-file path vs stdout), correct `paths`/`containers.ids` templating, and how stopped containers are cleaned from the registry. 5. **Secure it** — for multi-tenant hosts, advise whether to disable hints and use static templates instead, since labels are attacker-influenceable. Output as: the autodiscover config, a per-service label cookbook, and a verification step showing each container maps to exactly one input. Default to caution: on shared hosts treat container labels as untrusted input, and verify with `filebeat -e -d autodiscover` that new containers are matched exactly once.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Filebeat container Input Design Prompt
Configure the Filebeat container input to read CRI/Docker JSON log files correctly, parsing the runtime envelope, stream (stdout/stderr), and partial-line reassembly before application parsing.
-
Filebeat Kubernetes Autodiscover Design Prompt
Design a Filebeat Kubernetes autodiscover configuration that harvests pod logs with correct per-namespace and per-annotation parsing, enriches with kubernetes metadata, and handles the DaemonSet log-path layout.
-
Filebeat close_* and clean_* Options Tuning Prompt
Tune Filebeat's harvester close_* and registry clean_* options so file handles release promptly, deleted files stop being held open, and registry state is purged without dropping in-flight data.
-
Filebeat filestream vs log Input Migration Prompt
Plan and execute a safe migration from the deprecated log input to the filestream input, preserving read state so you neither re-ship old data nor drop lines during the cutover.
More Filebeat prompts & error guides
Browse every Filebeat prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.