Elastic Agent failing to parse valid condition functions


I'm having an issue where if I try to run elastic-agent inspect with a policy that defines a condition with a function, I get an error, even if the function is valid.

Elastic Agent 8.11.3


Use the Kubernetes integration with the Container Logs enabled. Set the condition for that input to:

startsWith(${kubernetes.container.image}, 'docker.com') != true

Run elastic-agent inspect

Get the error:

Error: expected ',' when parsing 'startsWith(${kubernetes.container.image}, 'docker.com') != true' accessing 'inputs.6'
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.11/fleet-troubleshooting.html

Anyone have any ideas?

Note: The Elastic Agent does seem to parse and use the conditions correctly.

Hello @BenB196,

Have you debugged the generated config?

Hi @Priscilla_Parodi, yes, the config is valid. I ended up opening a support case for this issue. Support was able to reproduce and has escalated to the development team. I'm currently awaiting a response on the case regarding the dev team's finding.

Hi @BenB196

Silly question Did you try "s


Because I believe that condition gets embedded inside single quotes... So I think perhaps those single quotes are ending the condition prematurely

Hi @stephenb no such thing as a silly question, but yep, tried a few different ways:

  • startsWith(${kubernetes.container.image}, 'docker.com') != true
  • startsWith(${kubernetes.container.image}, "docker.com") != true
  • startsWith("${kubernetes.container.image}", 'docker.com') != true
  • startsWith("${kubernetes.container.image}", "docker.com") != true

All produced a similar error complaining about the ,.


1st, which / where / what part are you adding the condition to? Curious. Can you show?

2nd, you can see the manifest pretty easily with the Preview API Request button at the bottom right of the Settings Screen

3rd, looking at the actual request, I now think (sure) single quotes are correct.

So, this is working for me...as a simple test... It is filtering the pod logs as described.

startsWith(${kubernetes.pod.name}, 'my-otel-demo-c') == true

    "container-logs-filestream": {
      "enabled": true,
      "streams": {
        "kubernetes.container_logs": {
          "enabled": true,
          "vars": {
            "containerParserFormat": "auto",
            "condition": "startsWith(${kubernetes.pod.name}, 'my-otel-demo-c') == true",
            "paths": [

Can you show the preview of your request for that condition / part etc?

Hi @stephenb your example is actually the same implementation as mine. The issue you'll run into is on that Elastic Agent which has that policy applied to it, try to run the command elastic-agent inspect, you will see that you get the error. The Elastic Agent is able to properly read/parse/use the condition and gather data as expected, however any sort of Elastic Agent CLI command inspect/uninstall/etc... all fail with the error.



Ahhh sorry I missed that .. I thought you meant it was not working at all... but you are saying inspect CLI commands do not work.

I see the same... interesting... definitely a bug....


Circling back here, Elastic support/devs were able to confirm that this was a bug and opened "ucfg `Value` parses `.` in strings, breaking upstream Conditional statements in config" (Issue #196 in elastic/go-ucfg on GitHub).

