elastic · vishaangelova · Nov 20, 2025 · Nov 18, 2025 · Nov 20, 2025 · bmorelli25
@@ -52,7 +52,7 @@ If the Docker daemon is restarted, the mounted socket will become invalid, and m
       #match_source: true
       #match_source_index: 4
       #match_short_id: true
-      #cleanup_timeout: 60
+      #cleanup_timeout: 60s
       #labels.dedot: false
       # To connect to Docker over TLS you must specify a client and CA certificate.
       #ssl:

@@ -95,5 +95,5 @@ If `host.*` fields already exist in the event, they are overwritten by default u
 | `geo.city_name` | No |  | Name of the city. |
 | `geo.country_iso_code` | No |  | ISO country code. |
 | `geo.region_iso_code` | No |  | ISO region code. |
-| `replace_fields` | No | `true` | Whether to replace original host fields from the event. If set `false`, original host fields from the event are not replaced by host fields from `add_host_metadata`. |
+| `replace_fields` | No | `true` | Whether to replace existing host fields in the event. If `true` (default), the processor always runs and overwrites any existing `host.*` fields with metadata from `add_host_metadata`. If `false`, the processor only adds metadata when no `host.*` fields exist in the event or when only `host.name` is present. If other host fields exist, the processor is skipped entirely. |
 
@@ -63,7 +63,7 @@ This configuration enables the processor on an {{agent}} running as a process on
       host: <hostname>
       # If kube_config is not set, KUBECONFIG environment variable will be checked
       # and if not present it will fall back to InCluster
-      kube_config: ${fleet} and {agent} Guide/.kube/config
+      kube_config: ~/.kube/config
       # Defining indexers and matchers manually is required for {beatname_lc}, for instance:
       #indexers:
       #  - ip_port:

@@ -39,7 +39,8 @@ inputs:
     data_stream.namespace: default
     use_output: default
     streams:
-      - metricset: cpu
+      - metricsets:
+          - cpu
         data_stream.dataset: system.cpu
 ```
 

@@ -10,7 +10,7 @@ products:
 # Scenario 2: Apply an ILM policy to specific data streams generated from Fleet integrations across all namespaces [data-streams-scenario2]
 
 
-Mappings and settings for data streams can be customized through the creation of `*@custom` component templates, which are referenced by the index templates created by the {{es}} apm-data plugin. The easiest way to configure a custom index lifecycle policy per data stream is to edit this template.
+Mappings and settings for data streams can be customized through the creation of `*@custom` component templates, which are referenced by the index templates created by each integration. The easiest way to configure a custom index lifecycle policy per data stream is to edit this template.
 
 This tutorial explains how to apply a custom index lifecycle policy to the `logs-system.auth` data stream.
 

@@ -27,8 +27,8 @@ processors:
 
 ## Configuration settings [_configuration_settings_21]
 
-| Name | Required | Default | Description |  |
-| --- | --- | --- | --- | --- |
-| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |  |
-| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |  |
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `field` | yes |  | Which field of event needs to be decoded as `time.Duration` |
+| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |
 
@@ -149,10 +149,10 @@ If `map_ecs_fields` is enabled then the following field mappings are also perfor
 | --- | --- | --- |
 | `event.code` | `winlog.event_id` |  |
 | `event.kind` | `"event"` |  |
-| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
-| `event.action` | `<Event><RenderingInfo><Task>` |  |
-| `event.host.name` | `<Event><System><Computer>` |  |
+| `event.provider` | `winlog.provider_name` | `Name` attribute |
+| `event.action` | `winlog.task` |  |
 | `event.outcome` | `winlog.outcome` |  |
+| `host.name` | `winlog.computer_name` |  |
 | `log.level` | `winlog.level` |  |
 | `message` | `winlog.message` |  |
 | `error.code` | `winlog.error.code` |  |

@@ -184,7 +184,8 @@ inputs:
   - id: unique-system-metrics-id
     type: system/metrics
     streams:
-      - metricset: load
+      - metricsets:
+          - load
         data_stream.dataset: system.cpu
         condition: ${host.platform} != 'windows'
 ```
@@ -196,7 +197,8 @@ inputs:
   - id: unique-system-metrics-id
     type: system/metrics
     streams:
-      - metricset: load
+      - metricsets:
+          - load
         data_stream.dataset: system.cpu
     processors:
       - add_fields:

@@ -189,10 +189,10 @@ If you’d like to run {{agent}} in a Docker container on a read-only file syste
 For example:
 
 ```bash subs=true
-docker run --rm --mount source=$(pwd)/state,destination=/state -e {STATE_PATH}=/state --read-only docker.elastic.co/elastic-agent/elastic-agent:{{version.stack}} <1>
+docker run --rm --mount source=$(pwd)/state,destination=/state -e STATE_PATH=/state --read-only docker.elastic.co/elastic-agent/elastic-agent:{{version.stack}} <1>
 ```
 
-1. Where `{STATE_PATH}` is the path to a stateful directory to mount where {{agent}} application data can be stored.
+1. Where `STATE_PATH` is the path to a stateful directory to mount where {{agent}} application data can be stored.
 
 You can also add `type=tmpfs` to the mount parameter (`--mount type=tmpfs,destination=/state...`) to specify a temporary file storage location. This should be done with caution as it can cause data duplication, particularly for logs, when the container is restarted, as no state data is persisted.
 

@@ -248,7 +248,7 @@ Settings used to parse, filter, and transform data.
     ```yaml
     outputs:
       default:
-        type: elasticsearchoutput.elasticsearch:
+        type: elasticsearch
         hosts: ["http://localhost:9200"]
         pipeline: my_pipeline_id
     ```

@@ -106,12 +106,12 @@ To install and run {{agent}} standalone:
     You can use either of the two command formats to set the `ELASTIC_AGENT_FLAVOR` environment variable:
 
     ```shell subs=true
-    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-amd64.deb
+    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-x86_64.rpm
     sudo ELASTIC_AGENT_FLAVOR=servers rpm -vi elastic-agent-{{version.stack}}-x86_64.rpm
     ```
 
     ```shell subs=true
-    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-amd64.deb
+    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-x86_64.rpm
     ELASTIC_AGENT_FLAVOR=servers sudo -E rpm -vi elastic-agent-{{version.stack}}-x86_64.rpm
     ```
 
@@ -163,7 +163,7 @@ To install and run {{agent}} standalone:
     sudo ./elastic-agent install
     ```
 
-    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
+    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
 
     ::::
 
@@ -177,7 +177,7 @@ To install and run {{agent}} standalone:
     sudo ./elastic-agent install
     ```
 
-    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
+    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
 
     ::::
 
@@ -191,7 +191,7 @@ To install and run {{agent}} standalone:
     .\elastic-agent.exe install
     ```
 
-    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
+    By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
 
     ::::
 

@@ -150,11 +150,12 @@ For example, if the Kubernetes provider provides the following inventory:
     {
        "id": "1",
        "mapping:": {"namespace": "kube-system", "pod": {"name": "kube-controllermanger"}},
-       "processors": {"add_fields": {"kuberentes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-controllermanger"}}
+       "processors": {"add_fields": {"kuberentes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-controllermanger"}}}
+    },
     {
         "id": "2",
         "mapping:": {"namespace": "kube-system", "pod": {"name": "kube-scheduler"}},
-        "processors": {"add_fields": {"kubernetes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-scheduler"}}
+        "processors": {"add_fields": {"kubernetes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-scheduler"}}}
     }
 ]
 ```
@@ -163,8 +164,8 @@ For example, if the Kubernetes provider provides the following inventory:
 
 ```json
 [
-    {"kubernetes": {"id": "1", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-controllermanger"}},
-    {"kubernetes": {"id": "2", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-scheduler"}},
+    {"kubernetes": {"id": "1", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-controllermanger"}}},
+    {"kubernetes": {"id": "2", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-scheduler"}}}
 ]
 ```
 

@@ -38,7 +38,6 @@ output {
   elasticsearch {
     hosts => ["http://localhost:9200"] <2>
     # cloud_id => "..."
-    data_stream => "true"
     api_key => "<api_key>" <3>
     data_stream => true
     ssl_enabled => true

@@ -84,11 +84,11 @@ Your final event will be:
 
 ## Configuration settings [_configuration_settings_32]
 
-| Name | Required | Default | Description |  |
-| --- | --- | --- | --- | --- |
-| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |  |
-| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |  |
-| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |  |
-| `exclude` | no |  | A list of fields to exclude and not move. |  |
-| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |  |
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `from` | no |  | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |
+| `fields` | no |  | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |
+| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |
+| `exclude` | no |  | A list of fields to exclude and not move. |
+| `to` | yes |  | These fields extract from `from` destination field prefix the `to` will base on fields root. |
 
@@ -22,7 +22,7 @@ This processor uses the Mozilla Public Suffix list to determine the value.
       field: dns.question.name
       target_field: dns.question.registered_domain
       target_etld_field: dns.question.top_level_domain
-      target_subdomain_field: dns.question.sudomain
+      target_subdomain_field: dns.question.subdomain
       ignore_missing: true
       ignore_failure: true
 ```

@@ -224,7 +224,7 @@ To encrypt traffic between {{agent}}s, {{fleet-server}}, and {{es}}:
             `elastic-agent-cert-key`
             :   The path to the private key to use as for {{agent}}'s connections to {{fleet-server}}.
 
-            `elastic-agent-cert-key`
+            `elastic-agent-cert-key-passphrase`
             :   The path to the file that contains the passphrase for the mutual TLS private key that {{agent}} will use to connect to {{fleet-server}}. The file must only contain the characters of the passphrase, no newline or extra non-printing characters. This option is only used if the `elastic-agent-cert-key` is encrypted and requires a passphrase to use.
 
             `fleet-server-es-cert`

@@ -64,7 +64,7 @@ elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
 --certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \
 --elastic-agent-cert=/path/to/agent-cert \
 --elastic-agent-cert-key=/path/to/agent-cert-key \
---elastic-agent-cert-key=/path/to/agent-cert-key-passphrase \
+--elastic-agent-cert-key-passphrase=/path/to/agent-cert-key-passphrase \
 --fleet-server-es=https://es.elastic.com:443 \
 --fleet-server-es-ca=/path/to/es-ca \
 --fleet-server-es-cert=/path/to/fleet-es-cert \