Agent v2.11.0
January 5, 2026
New Features
- EDXLookup Pattern Matching: Extended the EDXLookup OTTL function with pattern matching capabilities including regex, contain, prefix, and suffix match modes, case-insensitive matching, and the ability to return multiple matches from lookup tables.
- Excluded Paths for HTTP Input: Added an excluded_paths field to HTTP input nodes, allowing you to filter out specific paths from processing while using wildcard includes.
- Splunk HEC Acknowledgment Endpoint: Implemented the acknowledgment endpoint for Splunk HEC input nodes, completing support for Splunk indexer acknowledgment protocol.
- JSON Unroll for Array Bodies: Extended JSON unroll functionality to work on message bodies containing arrays of JSON objects, enabling individual processing of each array element.
Improvements
- Live Tail Settings Configuration: Moved live tail and sampling settings from environment variables to pipeline configuration, providing easier access while still supporting environment variable overrides when needed.
- Self Log Flush Interval Configuration: Added the self log flush interval to agent settings, allowing configuration through the pipeline interface instead of requiring environment variables.
- Prometheus Input Service Name: Fixed the Prometheus input node to correctly populate the job field as service.name, enabling proper identification of metric sources without requiring additional transformations.
- Probabilistic Sample Processor: Extended the probabilistic sample processor to handle any data type for hash calculation, supporting object types and manipulated body fields beyond strings, integers, and floats.
- OTTL Transform Error Modes: Added configurable error modes to the OTTL transform processor with silent mode for parsing processors and strict mode for others, providing appropriate error handling based on processor type.
- Parse Processor Error Handling: Introduced a configurable error_mode field for parse processors (ParseJSON, Grok, ExtractJSONField, JSONUnroll) with silent mode as default to reduce unnecessary error logs, and strict mode for when validation errors should be reported.
- Kafka Library Upgrade: Updated the Kafka client library to v0.4.35, incorporating upstream fixes for improved reliability in coordinator relay services.
- Filebeat Node Rename: Renamed the Elastic API input node to Filebeat to better reflect its purpose of receiving data from Filebeat agents.
- Kafka Source Validation: Added proper validation to mark endpoint and topic fields as required in the Kafka source node configuration.
Bug Fixes
- GCS Write Request Optimization: Fixed a regression introduced in v2.8.0 that caused excessive GCS write requests.
- S3 Input URL Decoding: Fixed S3 input failing to download objects with special characters in keys by properly URL-decoding object keys from SQS notifications, resolving NoSuchKey errors for files with characters like colons or plus signs.
- HTTP Input NDJSON Parsing: Fixed HTTP input incorrectly treating newline-delimited JSON (NDJSON) as a single message, enabling proper splitting of multiple JSON objects in the request body.
- Local Storage Destination Fixes: Fixed the Local Storage destination node to honor the configured path prefix and respect the compression setting instead of using hardcoded values.
- Compactor Client Event Subscription: Fixed unnecessary warning logs for compactor client status change events when no compactor component is subscribed, now conditionally unsubscribing based on component presence.
- Kubernetes Metrics Nil Pointer: Fixed a nil pointer exception in the Kubernetes metrics input node that could occur when pod information is not found in the agent cache while using node_labels.
- Cloud Fleet Secret Handling: Added secret dereferencing for cloud fleet configurations after retrieval, ensuring secrets are properly resolved when connecting through the backend coordinator.
- Coordinator Connection Reset: Fixed coordinator client to properly reset the connection on ping failures, preventing stale connections and associated error logs.
Security
- CVE-2025-68156: Updated github.com/expr-lang/expr to v1.17.7 to address a high severity vulnerability where deeply nested or cyclic data structures could cause stack overflow panics in builtin functions.