Elastic Release Notes

Features and enhancements

Machine Learning

• Add EuroBERT and Jina v5 ops to graph validation allowlist #3015
• Better error handling regarding quantiles state documents #2894
• Better handling of invalid JSON state documents #2895
• Better messaging regarding OOM process termination #2841
• Downgrade log severity for a batch of recoverable errors #2889
• Harden pytorch_inference with TorchScript model graph validation #3008 (issue: #2890)
• Improve adherence to memory limits for the bucket gatherer #2848
• Report the actual memory usage of the autodetect process #2846
• Restrict file system access for pytorch models #2851
• Update the PyTorch library to version 2.7.1 #2863

Security

• Update elastic-apm-agent-java8 to 1.55.6 #148271

Fixes

Data streams

• Update failure store redirect logic to exclude backpressure exceptions #148154

ES|QL

• Bugfix - Block Loader Pushdown + Union Types #147940
• Disallow empty lists in named params, only #147748 (issue: #147448)
• ES|QL query approximation: enforce minimum number of sampled source rows #147886

Inference

• Implement RerankingInferenceService for Elastic service #148365
• [Inference API] Fix inference initialization thread exhaustion #147063

Machine Learning

• Fix flaky CIoManagerTest/testFileIoGood test #3017

Vector Search

• [DiskBBQ] Check that precondition should not be overwritten on update #148111 (issue: #148004)

Watcher

• Fix race in TickerScheduleTriggerEngine by checking watcher to node allocation #147678 (issue: #146874)

Original source

Fixes

Alerting:

• Fixes empty rule type fields, such as kibana.alert.reason, on active alert documents when a delayed alert graduates to active during a flapping hold without an executor report. #266012

Dashboards and Visualizations:

• Fixes a critical validation failure that occurred when dashboard controls had null titles. Control titles are now converted to undefined during transforms, allowing validation to pass #268220.
• Fixes a regression where the dashboard remained locked in an open-flyout state after closing the ES|QL control edit flyout when editing an existing query-based control #267605.

Elastic Security solution:

For the Elastic Security 9.4.1 release information, refer to Elastic Security Solution Release Notes.

Original source

We now recommend that your Kibana instances have at least 2 GB of memory, especially when using Platinum or Enterprise Kibana features, and for production workloads.New Elastic Cloud Hosted deployments now default to 2 GB of RAM for each Kibana instance.

Features and enhancements

Alerting:

• Makes maximumCasesToOpen a runtime property #259255.
• Adds an auto-push case option to the case connector #249251.
• Exposes the maximumCasesToOpen parameter in the case action connection #247990.
• Adds additional workflow steps #256922.
• Alert deletion is now generally available #247465.

Elastic Agent Builder:

• Updates Test tool flyout to support datetime picker #249549.
• Simplifies the ES|QL test tool parameter types #249855.
• Exposes configuration_overrides in agent_builder/converse API #249256.
• Adds support for array parameter types in ES|QL tools #250386.
• Migrates the flyout to a sidebar #252918.
• Adds server-side support for user-created skills in Agent Builder #252493.
• Adds agent and tools RBAC sub features #254464.
• Agent Builder's default agent is no longer read-only and can now be customized per Kibana space #256333.
• Adds user-created skills to Agent Builder #252221.
• Allows Agent Builder to detect outdated attachments and lets users refresh them into the next message #257658.
• Allows ES|QL generation to search index patterns #253492.
• Allows agents to run one or more workflows before each execution, enabling prompt modifications or conditional abort #252452.
• Adds audit logging for agent and tool create, update, and delete actions #252143.

Connectivity:

• Adds support for the region parameter to the Bedrock Connector #252956.
• Adds a Jina Reader data source connector #247527.
• Adds a Jira Cloud data source connector #251345.
• Adds a SharePoint Online data source connector #251544.
• Adds a ServiceNow data source connector #252430.
• Adds a Microsoft Teams data source connector #252465.
• Adds a Tavily data source connector #252717.
• Adds a Google Calendar data source connector #252740.
• Adds a Slack data source connector #252972.
• Adds an Amazon S3 data source connector #253753.
• Adds a Salesforce data source connector #254303.
• Adds a Zendesk data source connector #254739.
• Adds a Firecrawl data source connector #255004.
• Adds a 1Password data source connector #255076.
• Adds a PagerDuty data source connector #255154.
• Adds a Zoom data source connector #255174.
• Adds a Figma data source connector #255322.
• Adds a Gmail data source connector #255565.
• Adds an AWS Lambda data source connector #256150.
• Adds a Confluence Cloud data source connector #256508.
• Adds a Google Cloud Storage data source connector #257374.
• Adds a SharePoint Server data source connector #258014.
• Adds a GitHub data source connector #258169.
• Adds an Azure Blob Storage data source connector #259439.
• Adds a GCP Cloud Functions data source connector #261277.
• Adds an AbuseIPDB data source connector #245421.
• Adds an AlienVault OTX data source connector #245421.
• Adds a GreyNoise data source connector #245421.
• Adds a Shodan data source connector #245421.
• Adds a URLVoid data source connector #245421.
• Adds a VirusTotal data source connector #245421.

Dashboards and Visualizations:

• A new Dashboard skill is now available in Agent Builder. This skill allows you to create and update dashboards through natural language chat, using the chat UI in Kibana, the Chat API, or the MCP server. Describe what you want to visualize and the agent builds a dashboard with ES|QL-powered visualizations. #261530.

• New API endpoints are now available in technical preview to manage your dashboards and visualization library. The Dashboards API gives you full read and write access to dashboards, including their panels, controls, sections, and display options. The Visualizations API lets you create and manage visualizations as standalone saved objects in the Kibana Visualizations library. #256302.

• Adds the ability to show and export Dashboard API JSON in a flyout #255382.

• Controls are now available as a panel type, allowing them to be freely placed anywhere in your dashboards #245588.

• Makes Contains the default search technique for options list controls #250992.

• Allows IP fields to be searched using CIDR notation in controls #250875.

• Extends the selectable area for dragging, collapsing and expanding sections to their entire header #258502.

• Allows dragging of opened collapsible sections #257191.

• Enforces panel limits on dashboards: up to 100 top-level items (panels, unpinned controls, and sections combined), up to 100 panels per section, and up to 100 pinned controls #256102.

• Makes the filter pills section collapsible #255887.

• Adds a grid size gauge while resizing panels #255363.

• Adds a borderless option to panel settings #255021.

• Adds library support for markdown panels #248779.

• Allows panels to be dragged while they're in focus for editing #251327.

• Redesigns the panel titles #251720.

• Refreshes the Dashboards app menu #246153.

• Adds a Discover session panel option to dashboards #256293.

• Editing an unlinked Discover session panel in a dashboard now saves changes back to that panel #250438.

• Filtering a field value in a Discover ES|QL session embedded in a dashboard now creates a DSL filter, consistent with how filtering works elsewhere #249357.

• Adds a tab selector to Discover session panels in Dashboards, with improved warning messages when a tab or data view can't be retrieved #252311.

• Adds ES|QL support to Vega visualizations #247186.

• Enables ES|QL multi-terms charts in Lens #244743.

• Allows filtering from legend actions when possible for ES|QL visualizations #248789.

• Suggests line charts for timeseries ES|QL queries (TS / PromQL) in Lens #252661.

• Retrieves variable types from the ES|QL query response #254436.

• Enables dashboard and URL drilldown for ES|QL charts #253223.

• Defaults the visualization type to line chart when the x-axis contains a timestamp, instead of a bar chart #253930.

• Adds a new optimized color palette for line charts #253437.

• Adds a Badge color option for table values in Lens, allowing cell values to be displayed as colored badges instead of text or background coloring #257408.

• Adds a new list legend layout for horizontal legends (top and bottom), offering a more space-efficient alternative to the grid layout. This is now the default for XY charts #257092.

• Adds sort order options for heatmap visualization axes #244696.

• Adds a middle position option for the primary metric styling settings of metric charts #260902.

• Improves tick labels for time-based X axes in ES|QL heatmap visualizations #259218.

• Improves datatable visualization performance for large datasets in Lens #256234.

• Enables fixed-width number formatting in Lens visualizations for cleaner alignment #251576.

• Introduces a Severity color palette in Lens color mapping #250198.

• Improves the badge colors for metric trend indicators in Lens #256255.

• Legend actions in Lens XY and Partition charts now only appear on hover #255616.

• Removes the font-weight configuration option from Lens Metric chart titles, defaulting to medium weight #254941.

• Updates axis title and label colors in Lens and dashboard charts to be less visually prominent #254587.

• Displays row numbers by default in Lens data tables #247834.

Data ingestion and Fleet:

• Allows remote Elasticsearch outputs and service tokens in Serverless #262101.
• Renames Cloud Connector to Federated Identity in the UX #261353.
• Adds support for monitoring OpenTelemetry (OTel) collectors in Fleet in technical preview. You can now add OTel collector agents using the Add > Collector (OpAMP) button in the Fleet UI #260654.
• Introduces support for version-specific policies in Fleet when integrations specify agent version requirements, ensuring agents receive only configurations compatible with their version #258796.
• Shows UI warnings for integrations with upcoming deprecations #257937.
• Resolves and merges templates listed in template_paths #257730.
• Adds permission verifier background tasks #257516.
• Installs package dependencies automatically #256700.
• Requests user review when auto-upgrading packages with deprecations #255273.
• Adds an out-of-the-box alerting rule template to freshly installed integrations for monitoring idle data streams #254730.
• Displays warnings for deprecated integration features #253923.
• Shows warnings in the UI when an integration is deprecated #251860.
• Allows Fleet to install integration-managed SLO templates for creating new SLOs #250369.
• Migrates input configurations when the migrate_from field is specified in the package manifest #242934.
• Updates the maximum supported package specification version to 3.6 #261362.
• Adds a new Alerting tab to the integrations UI for viewing and managing alerting-related assets #253948.
• Allows integration rollback when only some integration policies are upgraded #253646.
• Ensures the time series index mode is not enabled for input packages with non-metrics data streams #251205.
• Adds authentication fields to Elastic Agent binary download sources managed by Fleet for connecting to self-hosted artifact registries #250557.
• Improves memory usage during Fleet setup by deferring package reinstalls to async tasks #248235.

Discover:

• Redesigns the ES|QL editor footer in Discover: removes the row limit and timestamp indicators, and adds query run statistics #244284.

• Adds a fields browser to the ES|QL editor in Discover #252749.

• Adds a layout toggle to show or hide the data table in Discover, with the state persisted in the URL #259083.

• Adds a grouped view in Discover for ES|QL queries that use STATS ... BY with a single grouping field. A new toolbar selector lets you pivot by that field or switch back to the standard table view. #220119.

• Converts DSL filters to ES|QL when possible when switching to ES|QL mode #259260.

• Persists the query mode (ES|QL or classic) to local storage so that the next sessions open with the last mode used #250388.

• Shows Streams field descriptions in the ES|QL editor and field sidebar #260582.

• Filters from the top-level ES|QL WHERE clause now propagate into per-metric charts in the Discover metrics grid #249103.

• Adds support for visualizing tdigest and exponential_histogram histogram metrics in the Discover metrics grid #249269.

• Hides the data table by default when the metrics-specific Discover experience is triggered #260607.

• Adds the ability to restore recently closed tab groups #253365.

• Hovering over an entry in the recently closed tabs menu now shows a preview of what the tab contained #246973.

• Moves the inspector menu item to the tab menu #258767.

• The chart interval is now saved with Discover sessions and restored when reopening them #246426.

• Adds notifications for background search completion #249857.

• Adds a Save Discover table to dashboard option #259626.

• Adds default table columns for indexes and views with a small number of fields #255292.

• The doc viewer flyout now stays open when switching between Discover tabs and remembers which tab (such as Table or JSON) was active in each #246612.

ES|QL editor:

• Adds PromQL support in Kibana through ES|QL #249854.

• Adds support for the USER_AGENT command #261314.

• Adds support for the MMR command #257208.

• Adds autocomplete and validation support for the approximate setting in the ES|QL editor #248946.

• Adds support for KQL syntax to the quick search option #247224.

• Adds autocomplete to the KQL function #249510.

• Adds support for unmapped fields #248606.

• Adds support for timezone handling #247917.

• Makes the FORK command generally available #261904.

• Makes the RERANK command generally available #252242.

• Redesigns the ES|QL editor interface #251223.

• Adds a data source browser to the ES|QL editor #251897.

• Adds support for ES|QL views to the editor #261907.

• Adds ES|QL query statistics to the editor #251029.

• Improves ES|QL editor autocomplete for full-text search functions: MATCH_PHRASE's second argument now only suggests literal values, and FTS functions are excluded from EVAL suggestions except inside SCORE() #247003.

• Improves line commenting in the ES|QL editor to match standard IDE conventions #254851.

• Improves query pretty printing #257440.

• Adds an ES|QL indentation shortcut to the editor #247234.

• Simplifies the Run and Cancel button states in the ES|QL editor #254121.

• Highlights multiple word occurrences in search results #258764.

Elastic Observability solution:
For the Elastic Observability 9.4.0 release information, refer to Elastic Observability Solution Release Notes.
Elastic Security solution:
For the Elastic Security 9.4.0 release information, refer to Elastic Security Solution Release Notes.
Kibana platform:

• In container deployments, automatically sets the Node.js heap size to 60% of available memory, up to a maximum of 4096 MB, when no heap size is explicitly configured #246073.
• Adds a feedback button to Kibana's header #225074.
• Remembers the pagination state when navigating back from an edit on the Users page, instead of always returning to page 1 and resetting the search #261152.
• Distinguishes between session idle timeouts and session lifespan timeouts #252779.
• Improves Index Management index list load performance on large clusters with many indices #246276.
• Adds a Query Activity page under Stack Management for viewing and canceling long-running queries #253216.

Machine Learning:

• Updates Security ML jobs to use entity analytics fields for host and user fields #255339.
• Adds a link to manage anomaly detection jobs in the Machine Learning left navigation #260605.
• Anomaly detection now automatically closes the job when stopping a datafeed #259603.
• Adds aria labels to anomaly detection job wizard combo boxes #258509.
• Updates the v3_rare_process_by_host_windows bucket span to two hours #255855.
• Changes the rare process by host Windows job bucket span from 15m to 4h #255385.
• Adds a new single APM Correlations endpoint for latency and failed transactions #254607.
• Adds Gemini 2.5 Flash Lite, Claude 4.5 Haiku, and Claude 4.6 Sonnet preconfigured connectors #253109.
• Adds a dynamic default connector in GenAI settings #252861.
• Adds a zoom in button to the date picker #252252.
• Adds Anthropic Claude Opus 4.6 preconfigured connector #252177.
• Uses the location field to correctly set provider config in AI/Inference Connector creation #250838.
• Adds the proxy URL setting for product documentation artifact #250771.
• Adds new preconfigured connectors #249379.
• Moves the results view buttons closer to the job selection controls in Anomaly Detection #249261.
• Adds missing ES|QL commands and functions documentation for inference tasks #249089.
• Enhances model memory estimation for supplied configurations in anomaly detection #248479.
• Adds the timeout parameter to InferenceChatModel #248326.
• Adds time window buttons to the date picker #248142.
• Adds a button to synchronize saved objects in trained models #247691.
• Refreshes the Overview page #247573.
• Marks 429 errors as user errors in Inference/AI Connector #246640.
• Opens matching pattern docs in a new Discover tab #245695.

Search:

• Adds warnings to the Feature Settings page for models that are invalid #262262.
• Deprecates search indices in favor of index management #260210.
• Adds a Models page for inference management #259374.
• Adds a Model Settings UI for inference endpoint assignments #258871.
• Sets Jina v5 as the default inference endpoint for semantic_text fields when it's available #257464.
• Adds an AI assistant-led onboarding option to the Elasticsearch getting started page #255192.
• Automatically creates AI connectors for Elastic Inference Service chat completion endpoints when they are added #254826.
• Adds sorting capabilities to the Inference Endpoints table, allowing users to sort by Endpoint, Service, Type, or Model using a dropdown or by clicking column headers #252189.
• Adds a summary stats bar to the Inference Endpoints page displaying counts for Services, Models, Types, and Endpoints #251558.
• Adds a copy-to-clipboard button for inference endpoint names in the Inference Endpoints management page #251494.
• Improves the External Inference page by hiding the Elasticsearch service provider from the Add Inference Endpoint flyout, since Elasticsearch endpoints are managed internally #261851.
• Adds a model detail flyout with endpoint management #260307.
• Reduces search latency by switching to long-polling when HTTP/2 multiplexing is available, eliminating unnecessary wait times #256564.
• Improves the Inference Endpoints management page by adding a view to group by service #254296.
• Improves the Inference Endpoints management page by adding a view to group by models, making this the default view #252984.
• Consolidates Type, Preconfigured, and Tech Preview badges under the endpoint name and removes the dedicated Type column in the inference endpoints table #252621.
• Improves AI connector setup by auto-populating the model field with recommended defaults #250506.
• Improves the inference endpoints page by adding a Model column and enabling search by model name #249779.
• Adds descriptions to the semantic_text field inference endpoint select #249265.
• Fixes layout instability in the inference endpoint selector when endpoint names are long #247417.
• Displays the API key tab if the user has permission, and hides it for users without API key management permissions #246979.
• Updates the Search homepage design #246777.

Workflows:

• Adds import and export features for workflows #257976.
• Adds the workflows.executionFailed trigger so you can run workflows when another workflow fails. Use it to send notifications (for example, Slack), run cleanup, or trigger retries #257633.
• Adds a server-side workflow validation endpoint #254502.
• Makes the manual run API public #253010.
• Whitelists Streams APIs as Kibana workflow steps #252068.
• Adds the entries Liquid filter for iterating over object keys #259249.
• Adds cases workflow steps #253119,#256922.

Fixes

Alerting:

• Fixes an issue where Stack alerts sent recovery notifications but remained active in Kibana instead of transitioning to recovered #261012.
• Fixes stale uiamApiKey leaking through object spread in rule updates #263887.
• Fixes OpenAPI alerting rule params schemas missing accepted keys for burn-rate windows and Elasticsearch query sourceFields #263634.
• Fixes an index template update failing due to system-managed fields #262534.
• Adds the application/x-zip-compressed MIME type as an accepted value for cases file attachment #262414.
• Fixes alert recovery targeting the wrong document when multiple lifecycles exist for the same instance ID #261012.
• Fixes cloneRule leaking source rule API keys to cloned rules #260549.
• Fixes incremental_id drift issues #258789.
• Fixes Webhook Connector accessTokenUrl validation #258290.
• Fixes additional fields not being included #257625.
• Fixes a discrepancy between tracked alerts and alerts in task state #257235.
• Fixes a problem generating a report with multi-page Canvas workpads #255022.
• Fixes a blank page appearing at the end of PDF exports when using the Print format option with an even number of dashboard visualizations #254957.
• Fixes an error not being caught from scheduleUnusedUrlsCleanupTask() #254574.
• Fixes a bug with PagerDuty where setting the Custom details field causes rules to fail #253683.
• Improves error handling within the content stream code for multiple reporting attempts #252982.
• Fixes rule execution failing due to null execution UUIDs #252618.
• Improves handling of 204 responses #251090.
• Fixes timestamp override for ES|QL CSV scheduled reports with relative time ranges #248169.
• Fixes Failed to check if maintenance windows are active error #261048.
• Updates total_event in the Elasticsearch document when attaching an event #247996.
• Encodes the search term in the cases page #247992.
• Adds max character validation to the email connector params and config #246453.
• Fixes the wrong time zone being applied when a CSV report has a local date comparison #244405.

Connectivity:

• Fixes defaultModel not being injected for the Other OpenAI provider on run and test sub-actions #260747.
• Fixes MCP connectors ignoring the proxy and SSL configuration from the actions plugin #255813.
• Adds the datasource name to the namespace to allow creating multiple sources of the same type #249123.

Dashboards and Visualizations:

• Fixes an issue that could prevent a dashboard from showing its latest saved state #262695.
• Prevents a false positive warning about unsaved changes when sharing a dashboard while in View Mode #261051.
• Fixes regressions for space-relative links and same-window target #260782.
• Improves ES|QL suggestions logic in Lens #258475.
• Adjusts scroll behavior when dropping a panel to a new position #258445.
• Fixes screen reader announcements when entering full screen mode on a dashboard #258230.
• Fixes an issue with logic for detecting unsaved changes for dashboards in non-default spaces #257762.
• Fixes an issue where visualizations stayed focused after closing the variables editor flyout #257263.
• Fixes Add from library adding incorrect embeddable state #257261.
• Fixes dashboard panels getting stuck in infinite loading state after an error instead of showing error messages #257188.
• Fixes an issue where editing a library visualization would correctly save changes but visually show its previous saved state in dashboards referencing that visualization until the page was refreshed #256984.
• Stops adding a default title when creating ES|QL charts in Lens #256475.
• Fixes the pinned state for variable (ES|QL) and range slider controls #256035.
• Fixes timeFilter's quick mode in Maps stored state, that could prevent maps from loading #255178.
• Fixes an issue where saving a dashboard included access control features when a user profile, which is required for access control, was not available #255065.
• Fixes an issue occurring when saving a map containing filters #253537.
• Fixes configuration panel scrolling in the Lens editor when the content exceeds available height #253247.
• Changes dashboard background color to white #253068.
• Changes the default height of link panels to 2 rows #252707.
• Fixes the library annotation group not syncing across panels after an update in Lens #252640.
• Fixes KQL character escaping when a query is generated from the Top values column (breakdown) in Lens #250925.
• Fixes an issue where PDF/PNG reports are cut off at the end when a dashboard has a markdown panel #249644.
• Limits variable suggestions to variables within scope #248365.
• Re-fetches control options when the timerange changes #248068.
• Fixes link color contrast in Lens data tables #247721.
• Removes | LIMIT 10 from the ES|QL panel in dashboards when creating a visualization in Lens #247427.
• Fixes compound filters showing unsaved changes on dashboard load #247309.
• Increases default top values from 3 or 5 to 9 categories in Lens #247015.
• Fixes the handling of a quote as a dead key #246773.
• Fixes an issue where embeddables cannot load when no references are provided #257779.
• Fixes runtime_mappings being ignored or overridden in Vega visualization data requests #253560.
• Changes the Gauge chart default color palette to the status palette #246734.

Data ingestion and Fleet:

• Fixes package policy count filters: uses NOT latest_revision:false instead of latest_revision:true #263717.
• Disables the output selector for managed policies in the package policy edit form #263494.
• Fixes permissions for spanevents stored in logs data streams #263415.
• Handles compressed responses from Elasticsearch #262394.
• Fixes the table sorting announcement for accessibility #262226.
• Fixes the learn more focus for accessibility #261902.
• Fixes Define as JSON announcement for accessibility #261896.
• Fixes the pipelines table row index announcement for accessibility #261369.
• Includes input_output in inference
  processor #260517.
• Fixes the selected log level when there is a policy override #259425.
• Avoids icon announcement duplication for accessibility #259185.
• Fixes processors accessibility announcements #259096.
• Adds version-specific policies telemetry #259031.
• Fixes space-awareness for Fleet bulk agent actions (unenroll, upgrade, reassign to policy) #258582.
• Fixes an auto upgrade bug when upgrading agents in other policies interfered with the calculation #258387.
• Validates generated OpenAPI output #258267.
• Fixes package policy creation failing with a data_stream.type validation error for input-only integrations that use dynamic signal types, such as OpenTelemetry collector packages #258143.
• Improves error handling in debug API #258115.
• Fixes the unenroll task and adds an FTR test #255726.
• Fixes the incorrect installation of assets #254923.
• Filters out unenrolled agents in the cleanup policy revisions task #254899.
• Fixes an issue where an agent rolled back after an upgrade could not be upgraded again in the Fleet UI #253850.
• Fixes a TypeError when an integration has no SVG icons #251308.
• Adds back support for generating a CSV report of Fleet agent data in serverless environments #247185.

Discover:

• Fixes the date picker showing empty when switching from KQL to ES|QL #261175.
• Fixes a tab URL state leak when leaving Discover #262929.
• Resets the time field when the updated index pattern does not have it #262001.
• Resets the default profile state when transitioning between tab modes #255226.
• Makes matches cells expandable for long field filter matches #255093.
• Fixes URL, Badge, Color, and other field formatters incorrectly rendering fields with missing or null values #251892.
• Fixes filtering out null values from the Discover histogram legend in ES|QL mode #249302.
• Fixes Search entire time range for date nanos #248495.
• Prevents doc viewer flyout tabs from unnecessarily re-mounting on query refresh #248203.
• Fixes dropdown menus staying open when switching tabs #247836.
• Makes static-lookup formatter work with aggregated boolean fields #249311.
• Adds a check to ensure ES|QL is valid before matching the Metrics profile #248917.
• Prevents losing draft queries when switching tabs #247968.
• Fixes an issue where quickly opened tabs could not complete loading #246941.
• Fixes the default app state handling when detecting unsaved changes #246664.

ES|QL editor:

• Fixes ES|QL multi-value filtering with STATS #260998.
• Fixes STATS generated columns with inline WHERE #260196.
• When no local indices are available, the ES|QL query suggestion now correctly considers remote indices #257340.
• Fixes ES|QL variable controls not displaying server-side errors in the editor #263020.
• Fixes autocomplete fetches piling up without cancellation when typing rapidly in the ES|QL editor #255664.
• Fixes incorrect validation of the TS (time series) command #253635.
• Fixes some GROK patterns not being recognized, which caused columns to appear as unknown #246871.
• Aborts in-flight long-running queries for ES|QL controls #254487.
• Fixes incorrect KQL bar results for some indices #254119.

Elastic Observability solution:
For the Elastic Observability 9.4.0 release information, refer to Elastic Observability Solution Release Notes.
Elastic Security solution:
For the Elastic Security 9.4.0 release information, refer to Elastic Security Solution Release Notes.
Kibana platform:

• Sets auto_expand_replicas to fix yellow health on single-node Elasticsearch clusters #263096.
• Allows space color to be cleared, falling back to default #261826.
• Fixes the data stream and indices duplication for accessibility #261786.
• Fixes an incorrect announcement for accessibility #261603.
• Announces policy button with distinguishable names for accessibility #261313.
• Prevents duplicate Leave without saving? modal on solution view cancel #260958.
• Fixes inactive component template row focus and badge accessibility labels #260719.
• Fetches the last available version #259798.
• Fixes the Stack Monitoring shard legend not showing node placement #257854.
• Fixes Stack Monitoring Elasticsearch nodes CPU usage sorting #257852.
• Fixes an issue where the Kibana JSON logger could print a JSON object with a large number of numbered keys #256233.
• Resolves an issue with the spaces list displaying No spaces match text on load #255654.
• Adds waitFor for the privilege button #255094.
• Fixes the embeddable console auto-closing on chrome/overlay clicks #253382.
• Fixes a problem loading the doc count in index management when viewing larger page sizes with long index names #252422.
• Fixes share feature rounding #251073.
• Handles paging through more than 10,000 API keys #250826.
• Fixes Stack Monitoring Recent Log Entries timestamps to respect Kibana's time zone setting (dateFormat:tz) #249016.
• Fixes an issue with share modal where all time ranges were being shared as absolute #248804.
• Fixes createAuditEvents always returning failure as outcome #247152.
• Fixes the monitoring breadcrumbs for the solution view #249751.

Machine Learning:

• Ensures the single metric chart shows anomaly actions correctly in Anomaly Explorer #263925.
• Formats time_of_day / time_of_week values in anomaly detection alerting rule notifications and results preview #261034.
• Fixes the anomaly swim lane embeddable refresh in Anomaly Detection #259962.
• Fixes a jobs list console error in Data frame analytics #258591.
• Disables start and update deployment actions for Rerank models in trained models #257400.
• Fixes the field statistics saved search not updating when the dashboard changes filter #257241.
• Fixes the update of the job rules flyout in Anomaly Detection Single Metric Viewer #257196.
• Fixes screen reader announcements for flyouts #256409.
• Improves Smart Grouping performance and re-enables it in Log rate analysis #253704.
• Fixes headings in Log rate and pattern analysis and Change point detection for accessibility #253266.
• Fixes the today and this week filters for Log Rate and Pattern Analysis embeddables #252925.
• Fixes the file size limit check in file upload #251515.
• Fixes occasional file preview corruption in file upload #250532.
• Fixes word break in Anomaly Detection page titles #250058.
• Passes abort signal to Elasticsearch in file upload #249623.
• Updates the Packetbeat DNS tunneling datafeed to include runtime mappings #249317.
• Fixes counter metric fields being missing in the Anomaly detection dropdown #248187.
• Fixes broken Data Visualizer and AIOps navigation breadcrumbs and sidebar in solutions #248167.
• Disables ES|QL field stats for TS command #247641.
• Fixes the display of the map view for small screen sizes in Data Visualizer #247615.
• Fixes an anomaly chart empty query bug #246841.
• Fixes deanonymization offset drift and adds regression coverage #256112.
• Improves anonymization error messages when the NER model is not available #247696.
• Adds a refusal field to assistant conversations #243423.

Management:

• Fixes the code box stale announcement for accessibility #261921.
• Announces data streams stats toggle change for accessibility [#261911](https://github.com/elastic/k

Original source

Highlights

ES|QL now supports Views: virtual indices whose fields are produced by an ES|QL query. A view is referenced inside a `FROM` clause exactly like a regular index, alongside other indices, views, and wildcards. Complex processing pipelines can be hidden behind a view, exposing a stable set of columns without requiring callers to know the underlying source structure. A single query can combine multiple pre-processed data sources by listing several views in one `FROM` clause, with each view's pipeline running independently. Common transformations such as renames, type conversions, derived fields, and aggregations can be defined once in a view and reused across many queries, dashboards, and alerts. PromQL is now supported as a source command in ES|QL (Tech Preview). Users can now leverage their existing knowledge of PromQL while benefiting from the powerful features and scalability of Elasticsearch. This enhancement expands the versatility of ES|QL and makes it easier for users to integrate with Prometheus data sources.The syntax is illustrated in the following example: ```esql PROMQL index=k8s-downsampled start="2026-02-17T08:00:00Z" end="2026-02-17T09:00:00Z" step=30m avg_bytes=(avg(rate(network.total_bytes_in[30m]))) | SORT avg_bytes DESC, step; ``` ES|QL adds the `METRICS_INFO` command for queries that start with a time series (`TS`) source. It returns one row per distinct metric, with columns such as `metric_name`, `data_stream`, `unit`, `metric_type`, `field_type`, and `dimension_fields`, derived from time series metadata in the index. It unlocks inspecting which metrics exist and how they are typed before you aggregate with `STATS`.For example, list metrics sorted by name: ```esql TS my_data_stream | METRICS_INFO | SORT metric_name ``` Or filter to counters only: ```esql TS my_data_stream | METRICS_INFO | WHERE metric_type == "counter" | SORT metric_name ``` We're introducing a Prometheus-compatible `POST /_prometheus/api/v1/write` REST entrypoint that allows receiving data via Prometheus remote write protocol (Tech Preview). Elasticsearch can now be used as a Prometheus storage backend, consuming data sent in Prometheus native format. ES|QL adds the `TS_INFO` command for time series (`TS`) queries. It returns one row per metric and time series combination. You get the same metadata columns as `METRICS_INFO`, plus a `dimensions` column with a JSON object of dimension keys and values for that series. That unlocks inferring which labels apply to each series when exploring or validating time series data.For example: ```esql TS my_data_stream | TS_INFO | SORT metric_name, dimensions ``` Until Elasticsearch `9.3`, both downsampling methods (`aggregate` and `last_value`) used to store only the last value of a counter in the downsampled document. This works great for the `last_value` method where we optimise for storage efficiency, but it is not ideal for the `aggregate` method where we optimise for accuracy.In Elasticsearch `9.4`, we change the way the (default) `aggregate` sampling method is working. We store the first encountered value for a counter in the downsampled document and then we add auxiliary documents when we detect counter resets. This enables the rate calculation to take the counter resets into account and produce more accurate results. This change is backwards compatible. Time series aggregations in ES|QL are enhanced to support windows smaller than the time bucket. ```esql TS metrics | STATS AVG(RATE(requests, 5m)) BY TBUCKET(10m), host ``` Previously, only window values that were equal or exact multiples of the time bucket were supported. Time series aggregations in ES|QL are enhanced to support windows that are not an exact multiple of the time bucket. ```esql TS metrics | STATS AVG(RATE(requests, 15m)) BY TBUCKET(10m), host ``` Previously, only window values that were exact multiples of the time bucket were supported. This updates our diskbbq algorithm and format. - It now provides 3x or more better search performance on very restrictive filters (prefilters on centroids) - Provides a way to condition non iid vectors (expert API for now) - Gives more bit options (1, 2, 4, and 7 bits!) - More native code improvements for overall performance The `_id` field has a significant storage footprint in metrics applications, as it requires both storing and indexing unique document identifiers that are rarely used for direct lookups. To alleviate this, we are introducing synthetic IDs for indices in time-series mode. Instead of indexing the `_id` field, a Bloom filter is used for fast, lightweight duplicate detection at ingest time. Lookups and operations that previously relied on `_id` are delegated to other indexed fields on the document, such as timestamps, or dimension fields, preserving the same query and retrieval functionality.This offers up to 40% storage improvement for OTLP metrics and reduces the cpu overhead for segment merging due to the lack of an inverted index for `_id` fields. We're introducing a Prometheus-compatible /_prometheus/api/v1/query_range REST endpoint (Tech Preview) that: - Accepts the standard Prometheus range query parameters (query, start, end, step, optional index) - Translates the PromQL expression into an ES|QL PROMQL command and executes it via EsqlQueryAction - Converts the columnar ES|QL response into the Prometheus matrix JSON format and returns it to the caller We're introducing a Prometheus-compatible `GET /_prometheus/api/v1/series` REST entrypoint that accepts Prometheus series selectors and returns matching label sets (Tech Preview). This is typically used for auto-completion in web UIs. The first bytes of a time series id (tsid) include a hash of the metric name(s) for each doc of a time-series index. Counter rate evaluation leverages these bytes to assign tsids to workers inside the ES|QL compute engine. This (a) improves parallelism by dividing work in a granular and uniform fashion, and (b) leads to dense, sequential access patterns per time series that have been optimized to avoid copies between counter value decoding and rate calculations.Rate execution performance thus improves substantially, with up to 5x faster query responses. We're introducing a Prometheus-compatible `GET /_prometheus/api/v1/labels` REST entrypoint for time series discovery and label enumeration and introspection (Tech Preview). Web UIs can use this for label auto-completion. We're introducing a Prometheus-compatible `GET /_prometheus/api/v1/query` REST endpoint that evaluates a PromQL expression at a single point in time and returns vector results (Tech Preview). The instant query endpoint currently runs a short range query under the hood and returns the last sample. In Elasticsearch `9.4` we expand the supportability of `aggregate_metric_double` to include non-native operations in ES|QL, such as `std_dev`, using the average. The average is calculated using the `sum` and `value_count` sub-fields. The average was selected because in most cases it is a more representative signal compared to a single sub-field. Native operations such as `max`, `min`, `sum`, `avg`, and `count` will be supported natively by the respective sub-fields.For example, the following query is now supported where `network.eth0.tx` is a an `aggregate_metric_double`: ```esql FROM k8s-downsampled | STATS max = max(network.eth0.tx), std_dev = STD_DEV(network.eth0.tx) by pod | sort pod ``` Response: ``` max:double | std_dev:double | pod:keyword 1060.0 | 275.6970067 | one 824.0 | 184.1213952 | three 1419.0 | 356.9865993 | two ```

Features and enhancements

Aggregations:

• Bump heap usage limits for INLINE STATS #144679

Analysis:

• Inject circuit breaker into forked SynonymMapBuilder #144800
• Support custom rulesets in analysis-icu/icu-transform plugin #143060

Authentication:

• Add Clone API Key endpoint #142633 (issue: #59304)

Authorization:

• Update View CRUD Actions to be Index Actions #141570
• [Entity Store] Add permissions for Entity Store datastream #145981

CCS:

• CPS and project routing support for templated searches #139446

CRUD:

• Do not mark bulk indexing requests as retried after primary relocations #142157 (issue: #141586)

Codec:

• Add dynamic bloom filter sizing based on document count #141342
• Add panama simd implementation of contains function for BinaryDocValuesContainsTermQuery #143922
• Allow loading BYTE_LENGTH without decompressing Zstd byte ref blocks #141322
• ES819 Binary doc values: compact doc offsets using bit packing #142772
• Enable large blocks for binary doc values by default. This mainly affects fields of type wildcard, ignored source, values hitting ignore above threshold and ignore malformed numbers and dates. #145216
• Fast codePointCount implementation for BytesRef #140388
• Push contains binary doc values query down to es819 codec #143898
• Rewrite *substring* wildcard queries to contains term queries for binary doc values keywords #143433
• Track bloom filter disk usage in IndexDiskUsageAnalyzer #142106
• Upgrade zstd to version 1.5.7 #140530
• Use DirectAccessInput in ZstdDecompressor to avoid intermediate heap copy #145658
• Use max instead of median for merged bloom filter size #143302
• CodePointCount implementation using Panama vectors API #140693 (issue: #140567)

Data streams:

• Add 'logs.otel' and 'logs.ecs' stream types #141564 (issue: #141040)
• Ensure DLM only runs one general loop at a time #143883
• Support Failure Stores in Cross Cluster Search #139316

Distributed:

• Batch index creation #144074
• Batch snapshot update tasks after external change #142091
• Ensure that synthetic _id is usable after restarts/relocations #138678
• Health reports GREEN when provisionally unassigned replica #144773
• Increase the per-index limit for merges to half the CPUs #141389
• Opt-in persistent task reassignment on node shutdown #143306

Downsampling:

• Collect dimensions only once per tsid when downsampling #145089
• Rate calculation for downsampled counters becomes aware of counter resets when the aggregate sampling method is used. #143381 (issue: #136178)
• Use the tdigest type and compression from TDigest in downsampling #143247

ES|QL:

• Add APM telemetry for SET statement #141719
• Add Arrow-native Block & Vector implementations #142981
• Add CCS Remote Views Detection #143384
• Add Connector SPI and gRPC/Arrow Flight module #142667
• Add Google Cloud Storage data source plugin #142563
• Add JSON_EXTRACT ES|QL scalar function #142375
• Add LZ4, Snappy, and Brotli decompression codecs #144688
• Add METRICS_INFO command #141667 (issue: #139296)
• Add MMR command for result diversification #143867
• Add MV_UNION Function #139664
• Add ORC predicate pushdown via SearchArgument #144686
• Add Parquet filter pushdown with bloom filter, statistics, and dictionary row-group skipping #144832
• Add TS_INFO information retrieval command #142721 (issue: #139296)
• Add Views Security Model #141050
• Add Warning for Sort Under Lookup Join #141482 (issue: #141483)
• Add FormatReadContext to consolidate FormatReader API #143928
• Add IntRangeVector for selected groups in aggregation #141205
• Add LongLongSwissHash - specialization for grouping by two long fields #140838
• Add appliesTo to the TRange and TBucket functions #142160
• Add anonymous Azure access via auth=none #144475
• Add anonymous GCS access via auth=none #144476
• Add anonymous S3 access via auth=none #144471
• Add blocks and vectors for more Arrow numeric types #145111
• Add cloud API rate limiting for external sources #144734
• Add column pruning for external datasources #143903
• Add configurable bracket-based multi-value support for CSV reader #143890
• Add coordinator-only caching for external source metadata #145300
• Add data node execution for external sources #143209
• Add dense_vector equality and inequality support in ES|QL #140005 (issue: #139929)
• Add error handling and propagation for external source execution #143333
• Add error policy and configurable options for CSV format reader #143779
• Add extended distribution tests and fault injection for external sources #143420
• Add info into the profile of METRICS_INFO and TS_INFO #145634
• Add limit pushdown for external data sources #143515
• Add local parallelism and partition detection for external sources #143154
• Add logic to fold project tags metadata on data nodes #141935
• Add mapper-size plugin's _size metadata attribute #141427 (issue: #136956)
• Add memory tracking for TS_INFO and METRICS_INFO #143491 (issue: #139296)
• Add parallel execution for Arrow Flight multi-endpoint sources #143345
• Add parameter support in PromQL query durations #139873 (issue: #139508)
• Add pluggable partition detection and virtual columns #143120
• Add positional readBytes API to StorageObject SPI #143703
• Add schema reconciliation for multi-file external sources #145220
• Add split SPI, partition detection, and filter hint extraction #143005
• Add split discovery and distribution for external sources #143114
• Add support for ORC file format #142900
• Add support for dense_vector in COALESCE #142974 (issue: #139928)
• Add support for binary operators with AMD #143996 (issue: #142094)
• Add support for project METADATA #140592
• Add support for top-level arithmetic ops to TS|STATS #140135 (issue: #139570)
• Add syntax support and parsing for SET approximate #139908
• Add telemetry (stack) for query settings #141836
• Add timezone to add and sub operators, and ConfigurationAware planning support #140101
• Add xerial snappy-java to compression-libs #145393
• Added three new simple but useful spatial functions: ST_Dimension, ST_GeometryType, ST_IsEmpty #144703
• Added timezone support to date_format #138517
• Adding ES|QL USER_AGENT command #144384 (issue: #134886)
• Adding ES|QL command REGISTERED_DOMAIN #142680 (issue: #133942)
• Adding ES|QL command URI_PART #140004 (issue: #134885)
• Adding MV_INTERSECTS function #140662
• Adding sparkline aggregate function #141388
• Adds LIMIT BY ESQL command in Tech Preview #145225 (issue: #112918)
• Adds ST_SIMPLIFY geospatial function #136309 (issue: #44747)
• Allow TBUCKET to skip the from/to parameters when Kibana adds a timestamp range filter. Exmaple: TBUCKET(100) #144057
• Allow evaluatable grouping functions (Like BUCKET) in LIMIT BY #146642
• Attribute ES|QL shard search load in Lucene operators #142841
• Avoid caching multiple times in doc-partitioning #142913
• Bridge Connector SPI to ExternalSplit #143331
• Buffer reuse in ParquetStorageObjectAdapter and StorageObject #143700
• Byte-based buffer backpressure for external sources #144218
• CSV schema inference and parsing enhancements #144050
• Case Support for Compound Types #140677
• Converted PackedValuesBlockHash.bytes to BreakingBytesRefBuilder for better memory tracking #140171
• Count aggregation for histograms #141138
• DS: Parquet file handling improvements #145123
• Data sources: Azure plugin #143236
• Data sources: ZSTD, BZIP2 #143228
• Datasources: GZIP #143035
• Document and test Parquet page-index filtering #145571
• ESQL - Add dense_vector field type to SUM function #142129
• ESQL - Improve search performance by adding min competitive aware collection when using multiple shards / threads #142406 (issue: #136267)
• ESQL 137269 some csv tests for lookup join behavior with multivalues #144520
• ESQL mv_difference function #141895
• ESQL: Improve field reference tracking in FORK command #137678 (issue: #137283)
• ESQL: Prune unused regex extract nodes in optimizer #140982 (issue: #132437)
• ESQL: Support intra-row field references in ROW command #140217 (issue: #140119)
• ESQL: enable unmapped_fields="load" in tech preview #145052 (issue: #142369)
• ES|QL - Add parsing, preanalysis and analysis timing information to profile #139540
• ES|QL - Top N queries are parallelized #143133
• ES|QL - dense_vector support for COUNT, PRESENT, ABSENT aggregator functions #139914 (issue: #135688)
• ES|QL CHUNK function multi-valued field support #141240
• ES|QL Improve LOOKUP JOIN on single keyword #144704
• ES|QL Top Snippets multi-valued field support #142117
• ES|QL Views support #134995
• ES|QL TEXT_EMBEDDING function is GA #140555
• ES|QL dense vector functions are GA #140545
• ES|QL approximate analytical queries #131828
• ES|QL command RERANK is GA #141508
• Enable PromQL command in ES|QL #140808
• Enable distributed pipeline breakers for external sources via FragmentExec #143696
• Enable doc-partitioning for more queries #143095
• Extract centroid from doc values for ST_CENTROID_AGG over geo_shape and cartesian_shape #142528 (issue: #142640)
• Fix ORC type support gaps #145074
• Fix Parquet and ORC datasource allocation overhead #143791
• Fix Parquet type support gaps #144059
• Fix review feedback and add test coverage for PR #143703 #143900
• Fix window validation in time-series aggregations when TBUCKET uses a numeric target count #144291
• Format "_query" response dates using the given timezone #139529
• GCS native async I/O via ReadChannel #144733
• Harden distributed external source execution #144277
• Implement EXPLAIN for local data node plans #142748
• Implementing rerank on multi values #140672
• Improve Lookup Join performance with CachedDirectoryReader #139314 (issue: #137268)
• Improve memory usage and tracking by moving union types into ValuesSourceReaderOperator #140384
• Improve ndjson schema inference for date-time #145553
• Introduce "Swiss Table"-based hashing to ES|QL, a SIMD-accelerated hash table resulting in significantly higher throughput on uniform, high-cardinality workloads #145010
• Introduce Geospatial functions ST_Buffer and ST_SimplifyPreserveTopology #145154
• Introduce SwissTable-based hashing for ES|QL STATS #139343
• Introduce adaptive block hash for long/int #141237
• JSON_EXTRACT: zero-copy byte slicing for object, array, and number extraction #143702
• LIMIT BY fixed telemetry and tests #146992
• MMR Command: Grammar and Logical Plan #140684
• Make MV_EXPAND GA #144543
• Make datasources plugins lazy #142815
• Minimize Hadoop dependencies for ORC plugin #146944
• Optimize TopNOperator to avoid resorting when input is already sorted #141094 (issue: #131221)
• Partition rate query using tsid prefixes #144818
• Per-file filter pushdown awareness #145755
• Periodically emit partial aggregation results #141392
• Push STARTS_WITH/LIKE prefix to Parquet and ORC #145640
• Push stats to external source via metadata #143940
• Reapply "Introduce pluggable external datasource framework" #142707
• Reapply "NDJSON datasource" #142855
• Refactor inference operator architecture for multi-value field support #139694
• Register TSV as a separate format with tab delimiter #143906
• Remove Hadoop JARs from Parquet plugin #146780 (issue: #146716)
• Remove hadoop-client-runtime from datasource plugins #146206 (issue: #146203)
• Remove implicit limit appended for each subquery branch #139058
• Remove implicit limit for FORK #145429
• Remove snapshot protection from node reduce late materialization #142834
• Review fixes for datasource framework #142565
• Route external source I/O through esql_worker thread pool #144596
• Schema-aware filter pushdown for DATETIME and DECIMAL #145641
• Shrink description #140089
• Skip files with no projected column overlap in UNION_BY_NAME #145701
• Skip time series field type merge for non-TS agg queries #143262
• Speed up remote Parquet reads #144454
• Stats pushdown past EVAL/RENAME for external sources #144806
• Stream results from topn #140088
• Support arithmetic operations for dense_vectors: scalar version #141060 (issue: #140538)
• Support arithmetic operations for dense_vectors: vector version #140539 (issue: #140537)
• Support of a window that is not an exact multiple of the bucket #143704
• Support shapes in ST_CENTROID_AGG #141657
• Support target bucket count in TBUCKET with explicit from/to date range #142747
• Support window smaller than time bucket #143661
• TRange timezone support #139911
• Type conflict resolution in unmapped-fields load #143693 (issues: #142004, #141912)
• Use avg metric for AMD default metric #141331
• Use less memory in ValuesFromMany #140062
• Validate TOP_SNIPPETS query argument is foldable at verification #142763 (issue: #142462)
• Various fixes to spatial functions (ST_ENVELOPE and ST_NPOINTS) #139618
• [ES|QL|DS] Add circuit breaker to the Parquet datasource #144491
• [ES|QL|DS] Parquet row-group level split parallelism #144018
• [ES|QL|DS] Wire parallel parsing into production for text formats #143997
• ToString/ToDatetime/ToDateNanos converters timezone support #138985
• support DATE_RANGE field type #133309
• Add CHICKEN function to ES|QL #140645

Engine:

• Ensure acquired snapshot commit is always flushed #144067 (issue: #143993)

Indices APIs:

• More actionable PUT /{index}/_settings error #138611

Inference:

• Add FireworksAI chat completion support #142664
• Add FireworksAI inference service for embeddings #137130
• Add embedding task support to ElasticInferenceService #141547
• Add provider validation call to Update Inference Endpoint operation #140003 (issue: #122356)
• Added Reasoning support for Chat Completion in the Inference Plugin #143242
• Added service settings update logic for AI21 provider in the Inference Plugin #142597 (issue: #122356)
• Added service settings update logic for Alibaba Cloud Search provider in the Inference Plugin #142738 (issue: #122356)
• Enable multimodal inputs for all chat completion integrations #144509
• Removed the max_tokens request parameter for Chat Completion with Reasoning in the Inference Plugin #143242
• [Inference API] Add Chat Completion to Amazon Bedrock for the Inference API #139411
• [Inference API] Add custom headers for Azure OpenAI Service #142969
• [Inference API] Add support for embedding task to JinaAI service #140323
• [Inference API] Adding OAuth2 support for Azure OpenAI #143896
• [Inference API] Expose Endpoint Heuristics through Inference API #141393
• [Inference API] Handle preconfigured endpoints with embedding task type #141788
• [Inference API] Parse endpoint metadata from persisted endpoints #143081
• [Inference API] Support multimodal inputs for chat completion #142736
• [Inference API] Update authorized endpoints when their fingerprint or version changed #143567

Infra/Core:

• Add DateFormatter.tryParse() #144474
• Expose byte offsets on XContentParser via getCurrentLocation() #143501 (issue: #142873)

Infra/Plugins:

• [Fleet] Add OpAMP field mappings to fleet-agents #142550
• [Fleet] Add metadata mappings for OpAMP #145824

Infra/Scripting:

• Painless hoist constant collection .contains calls #143311 (issue: #137849)

Ingest Node:

• Update Grok to use the new Matcher#setTimeout #139405
• [INGEST] GrokProcessor: add validate_only option to skip field extraction #145126

Logs:

• Default index.mapping.use_doc_values_skipper to true for logsdb #142851
• Store fallback match only text fields in binary doc values #140189

Machine Learning:

• Add EuroBERT and Jina v5 ops to graph validation allowlist #3015
• Add a suggestion for fixing the ML node allocation error #139520
• Add exponential-backoff retry for AD job opening during system-initiated reassignments #144478
• Add support for nested NDJSON records in TextStructure endpoints #141045 (issue: #127777)
• Better error handling regarding quantiles state documents #2894
• Better handling of invalid JSON state documents #2895
• Better messaging regarding OOM process termination #2841
• Downgrade log severity for a batch of recoverable errors #2889
• Harden pytorch_inference with TorchScript model graph validation #3008 (issue: #2890)
• Improve adherence to memory limits for the bucket gatherer #2848
• Report the actual memory usage of the autodetect process #2846
• Restrict file system access for pytorch models #2851
• Update the PyTorch library to version 2.7.1 #2863

Mapping:

• Add option to enable accurate leaf arrays for flattened fields #145376
• Add passthrough support to flattened field type for mapped sub-fields #145131
• Add properties support to flattened field type #144451
• Aggregate metric double use average #142135
• Improve the supportability of aggregate_metric_double by non-native ES|QL aggregation functions, such as std_dev. #145742
• Remove redundant root doc values from flattened fields if index=false #143907
• Set default semantic_text index type to disk_bbq by using dense_vector defaults #145374
• Store flattened field data in binary doc values #140246
• Update semantic text to use BFLOAT16 by default #144236

Monitoring:

• Add mode and codec fields to Stack Monitoring index template #143673

Packaging:

• Flip cloud-ess-fips default from FIPS 140-2 to FIPS 140-3 #140788

Performance:

• Allow intermediate builds in PR-based benchmarks #142472
• Correctly reference non-main branches in benchmark script #142303
• Relax PR-based benchmarks target branch #142297

PromQL:

• Add Prometheus instant query REST endpoint #145321
• Add Prometheus labels REST endpoint #144952
• Add Prometheus query_range endpoint #144416
• Add Prometheus series REST endpoint #144494
• Implement Prometheus remote write indexing support #141957

Ranking:

• Use VectorScorer to consume AcceptDocs iterator for lazy bulk scoring in VectorScoringUtils #145835 (issue: #145834)

Reindex:

• Add reindex-from-remote blocklist setting #145357
• Disable OCC in update/delete-by-query for seq_no-less indices #143465

Relevance:

• GA chunk_rescorer in text_similarity_reranker #139830

SQL:

• Add project_routing to CLI #138965
• Add support for API key to JDBC and CLI #142021

Search:

• Account for ES|QL Lucene query rewrite in recent search load #141819
• Add semantic_text field type to MMR Result Diversification Retriever #141666
• Add search task watchdog to log hot threads on slow search #142746
• Added return_intermediate_results query param to toggle when partial results are returned for a get async results operation #141073 (issue: #139828)
• CPS handles datastreams #140637
• Expose keep_alive in async task status #144010
• Fail MatchQueryParser if it generates a query with more clauses than allowed by max_clause_count #143233 (issue: #143032)
• Ids Query: Use max result window as upper limit #140515 (issue: #138758)
• Makes scroll CPS compatible #140977
• Making use of sort optimization written from search in search shards #144247 (issue: #143945)
• Only consider the primary sort when determining concurrency #143608
• Optimize script sorts that do not require query scores #139748
• Optimize search shard iterator sort #140747 (issue: #135472)
• PIT context relocation work on main repo #137675
• Prevent creating too many nested boolean clauses while creating the lucene query to avoid query explosion #143220
• Ref-counting SearchHits from InternalTopHits to SearchResponse #142732
• Search/query logging support for _search, ES|QL, EQL, SQL #139920
• Semantic text default inference id setting #143486
• Switch default model for semantic_text to jina-v5 #142980
• Take control of max clause count verification in Lucene searcher #139752
• Update text_similarity_rank_retriever to default to chunking settings optimal for inference ID #137397
• Upgrade Elasticsearch to Apache Lucene 10.4 #141882
• Use IndexOrDocValuesQuery in IpFieldType#termQuery #140735
• Use IndexOrDocValuesQuery in NumberFieldType#termQuery implementations #140734
• CanMatch returns numSkipped per cluster instead of all skipped shards #142170

Searchable Snapshots:

• Add SparseFileTracker.getAbsentBytesWithin #141179
• Split blob-cache freelist using decays #142545
• Trigger cache decay at 5% left on freq 0 #142685

Security:

• Allow deleting multiple views in one request #145816
• Don't allow querying views with DLS or FLS #144903
• Make ServiceAccountToken APIs Available in Serverless #140631
• Upgrade bouncycastle to 1.84 #147197
• Use opaque random session IDs for ESQL compute sessions #142249

Snapshot/Restore:

• Batching of snapshot-delete start updates #141998
• Identify Elasticsearch as user-agent in S3 calls #141881
• Reduce memory usage of TransportGetSnapshotsAction #142468
• Report shard snapshot pauses in shutdown status #144717
• Strengthen MPU-based CAS in S3 repo

Original source

Today, we are pleased to announce the general availability of Elastic 9.4 as the latest version of the Elasticsearch Platform. In addition to including new features that help developers with context engineering, application and infrastructure monitoring, and AI-powered security operations, Elastic 9.4 introduces a broad set of capabilities in Elastic Search & AI, Elastic Observability, and Elastic Security.

The Elasticsearch Platform

Elastic 9.4 delivers an Elasticsearch Platform that has grown more capable across four dimensions: automation and orchestration, query language expressiveness, AI-native analyst experiences, and the governance and compliance infrastructure that enterprise deployments require.

Automation and orchestration

Elastic Workflows is now generally available. Workflows is the automation and orchestration layer that connects Elastic to the broader operational world, enabling teams to trigger actions in external systems, coordinate multistep processes, and close the loop between what the platform detects and what it actually does about it. Teams building with Agent Builder will find Workflows to be its natural companion: Agent Builder defines what an agent knows and can reason over; Workflows defines what it does when it acts.

ES|QL → A best-in-class query language

ES|QL, Elastic’s premier piped query language, continues to advance in 9.4, adding five new capabilities, all in technical preview, including:

• Subqueries enable analysts to run and combine independent pipelines in a single statement, eliminating the need to stitch results across multiple queries by hand.
• Approximate Queries trade a small degree of aggregation precision for dramatically faster response times on large datasets with confidence signals so that analysts always know how much to trust the result.
• Logical Views enable teams to define complex query logic once and reuse it as a named data source across dashboards, alerts, and ad-hoc queries.
• JSON Function Extraction pulls specific elements from any JSON-mapped field or raw _source document using standard path notation — no reindexing or pipeline changes required.
• Access to All Ingested Fields eliminates the "ignorance cliff." Fields that were missed at mapping time are no longer permanently inaccessible, giving teams full query coverage over everything they've ingested.

AI-native Kibana

With Elastic 9.4, Kibana is becoming increasingly AI-native. AI-Powered Dashboard Creation (technical preview) enables analysts to describe what they want to see in natural language and watch Kibana build it iteratively, in conversation, with no manual configuration. In addition, Dashboards as Code (technical preview) gives platform teams the complementary capability: dashboards managed as version-controlled and code-reviewable assets deployed through CI/CD pipelines, replacing the fragile (and now “old school”) saved-object export/import workflow entirely. Together, these new features represent Kibana's continued evolution toward a more intelligent, collaborative workspace.

Operate with confidence

Elastic 9.4 also delivers a meaningful set of advances for the operators and compliance teams responsible for keeping the platform healthy, auditable, and secure. Notable enhancements — all generally available — include:

• Query activity in Kibana gives administrators instant visibility into every long-running query with its origin and the ability to cancel it in a single click.
• Search Analytics Logs extends the audit trail to every query across DSL, ES|QL, EQL, and SQL, capturing latency, request origin, and full query body with no configuration required.
• Per-user authentication for Kibana Connectors replaces shared service account credentials with individual user identity, giving compliance teams accurate, trustworthy audit trails across integrations.
• FIPS 140-3 Compliance, now generally available for both Elasticsearch and Kibana, delivers full-stack coverage ahead of the September 2026 deadline with a clean upgrade path and no data migration required.

Search & AI

Elastic 9.4 gives developers building AI agents with Elasticsearch more of what production demands: tighter control over what agents know and how they act, deeper visibility into how they perform, and better economics for the vector workloads underneath them.

Agent Builder enhancements

With Elastic 9.4, Agent Builder has been extended to optimize context with a set of interlocking capabilities and enhancements that control how agents acquire context, use it efficiently, and act on what they find. New capabilities and enhancements include:

• Skills, which act as instructional guides that teach the agent how to complete specific tasks and are loaded only when needed
• In-chat interaction (and preview) with Kibana objects like dashboards, workflows, ES|QL queries — enabling chat-based creation, refinement, and analysis
• A new semantic metadata layer across Elastic and all connected sources like Drive and SharePoint that acts as a discovery backbone for these objects, giving agents rich understanding of data to optimize reasoning
• Improved context management with query result offloading, compaction, and summarization that delivers better performance and cost-efficiency for long, multi-turn interactions

In sum, users are now able to create more reliable, lower-cost, and higher-performing agents.

VectorDB enhancements

DiskBBQ, Elastic’s best vector indexing and search algorithm, has improved in Elasticsearch 9.4. Among the many enhancements, query latency has improved by at least 3x for queries with restrictive filters and the performance of vector comparisons improved (thanks to the now extensive use of native code), impacting both indexing and search. In addition, it is now possible to use BBQ to quantize to vectors with elements of two, four, and seven bits, enabling better recall when a single bit is insufficient. Together, these updates will help to ensure an optimal balance of speed and cost-efficiency for your production AI workloads.

GPU-accelerated vector indexing, released as technical preview in Elastic 9.3, is now generally available. By integrating NVIDIA cuVS, an open source library for GPU-accelerated vector search and data clustering, into Elasticsearch, self-managed Elastic customers can expect to see up to a 12x improvement in indexing throughput and 7x faster force merging.

Developer onboarding assistant

A new conversational assistant guides developers from idea to working search implementation in Cursor, Claude Code, and Kibana. It asks what you're building, understands your data, recommends the right approach, walks through mapping and indexing, and generates a working implementation — proactively surfacing Elasticsearch concepts at every step. For teams building their first search application or prototyping a new use case, this replaces hours of documentation reading with minutes of guided building.

Dynamic LLM connectors and Inference Management

New LLM models are now available as connectors between stack releases. Alongside this, Elastic 9.4 establishes a single, authoritative Inference Management experience within the Elastic ecosystem, resulting in one place to manage inference endpoints, models, and connectors across all of your Search & AI workflows.

Elastic Observability

AI workloads, Kubernetes sprawl, and microservice proliferation have pushed metrics volumes from millions of time series events into the hundreds of millions. SREs now correlate across more high-cardinality signals, more services, and more ephemeral infrastructure than ever with less time to do it. The existing tools make it worse: On Datadog, custom metrics drive the bill up to 52% on average, so teams strip out high-cardinality labels to stay in budget, then go hunting for those exact labels mid-incident. On Prometheus and Grafana, cardinality still degrades performance, logs and metrics live in separate backends, and correlating a single timestamp means pivoting between two query languages. Either way, teams end up blind at exactly the wrong moment.

Elastic Observability 9.4 brings metrics up to the same standard teams already rely on for logs. Elasticsearch is now the fastest place to run them: 25x faster than Prometheus, 2.6x more storage-efficient, and less than 50% the cost of Datadog with no cardinality limits and no custom metric penalties. Native PromQL support in Kibana means existing queries, dashboards, and alert rules work without modification.

9.4 also introduces the first agentic investigation capabilities in Elastic Observability. Kubernetes is first with an AI-driven workflow that helps SREs identify root cause before they even open a dashboard.

Best-in-class metrics experience

Elastic 9.4 is the start of a whole new era of using Elasticsearch for metrics. Faster storage at scale supports a production-ready time-series query language and native Prometheus and PromQL. Together, these capabilities give SREs and observability teams a single platform for logs, metrics, and traces with no toolchain migration required. Notable enhancements include:

• Elasticsearch TSDB performance improvements, now generally available, deliver both a significant storage requirements reduction (2.6x more efficient than Prometheus) and ingestion throughput gains. When combined with query performance improvements (25x faster than Prometheus and Mimir), it becomes easy to see how users can now ingest more data, retain data longer, and query data faster — all without proportional hardware spend. Long story short, Elasticsearch TSDB is production-ready for mission-critical observability workloads.
• Native Prometheus and PromQL support, available now as a technical preview, enables you to ship Prometheus metrics directly to Elasticsearch and execute PromQL queries directly in Kibana. Use the patterns you already know in combination with ES|QL, a single piped query language for logs, metrics, and traces.
• ES|QL time-series support, now generally available, enables you to perform time-series analysis at scale with expanded aggregation functions (e.g., rate, changes, cumulative, trange, and clamp) and full time-range filtering. It’s now in a fully supported foundation for building critical monitoring, alerting, and reporting workflows across both logs and metrics without switching languages or tools mid-workflow.

Agentic Kubernetes observability

Elastic Observability is releasing an agentic Kubernetes observability experience that automatically goes from alert to root cause:

• Kubernetes based agentic investigation workflows in Kibana that trigger on an alert and return a structured root cause hypothesis with evidence and next steps before the engineer opens a single dashboard.
• A new Kubernetes observability MCP app brings Kubernetes-specific skills directly into Claude, VS Code, and other MCP-compatible AI hosts with more MCP apps on the way.
• A set of out-of-the-box dashboards, SLOs, and ML jobs provide additional ad-hoc analysis if needed.

Agent Skills for observability

Agent Skills are open source packages that give your AI coding agent native Elastic Observability expertise, so it can run real observability workflows within Elastic. This release covers five core workflows SREs and developers run daily:

• Instrument applications with OpenTelemetry
• Search logs
• Manage SLOs
• Assess service health
• Monitor LLM applications

These tasks require familiarity with specific APIs, index patterns, and Kibana workflows. For domain knowledge that's easy to get wrong and time-consuming to repeat across every service and environment, Agent Skills package that knowledge into reusable units for consistent and accurate execution.

Managed OTLP endpoint now generally available on Elastic Cloud

And, in case you missed it, the managed OTLP endpoint is now generally available on Elastic Cloud Hosted, giving teams a simple path to send OpenTelemetry data — logs, metrics, and traces — directly into Elastic. There is no need to deploy or operate collectors for basic ingestion, reducing management overhead. This lowers the friction of adopting OpenTelemetry, speeds data onboarding, and cuts the maintenance cost of a self-managed collector layer.

Elastic Security

Elastic 9.4 advances security across five dimensions:

• native workflow automation that eliminates the need for a standalone SOAR tool;
• data management and compliance capabilities that make that automation trustworthy;
• purpose-built AI agent skills that bring multistep SOC intelligence to alert triage, hunting, and investigation;
• a new approach to entity analytics that resolves identity noise at the architecture level; and
• expanded endpoint forensics depth for investigation and response teams.

Native automation for the Agentic SOC

Elastic Workflows is now generally available for Enterprise customers, bringing native automation directly into Elastic Security, the agentic security operations platform that already includes unified SIEM and XDR. Security teams can now automate the defined tasks across every alert, investigation, and case — enrichment, triage, response, notification, and case creation — where their security data already lives.

Enhancing data management and compliance

Building on the Elastic Workflows news, automation is only trustworthy when the underlying data is complete and access is properly governed. Elastic 9.4 addresses both via:

• Granular detection and alert permissions, now generally available, enables security teams to configure separate access controls for detection rules and alerts, ensuring junior analysts can triage and update alerts without modifying core detection rule logic.
• SIEM Readiness: Visibility Health and Data Coverage, available as a technical preview, delivers a centralized, continuously updated health view inside Elastic Security. It evaluates Coverage, Quality, Continuity, and Retention across five log categories (Endpoint, Identity, Network, Cloud, and Application/SaaS), so teams always know if their data is in the right shape to support active detections.

Agent Skills for security users

Elastic 9.4 introduces five purpose-built skills to the Elastic AI Agent, giving it deep domain expertise across the SOC workflows that matter most: alert triage, detection rule authoring, entity investigation, threat hunting, and anomaly analysis. Two platform skills, dashboard management and graph creation, are also available to the Elastic AI Agent alongside the security-specific ones. Workflow authoring ships as an experimental capability in 9.4. The Elastic AI Agent can invoke multiple skills in sequence, moving from threat hunting to detection tuning to workflow creation within a single investigation. More security skills are in development, including detection emulation, binary analysis, and alert deduplication.

Identify the entity behind the attack with entity analytics (not just the signal)

Elastic 9.4 solves identity noise at the data model level with entity analytics — not with more dashboards, but with four new generally available capabilities that give analysts one authoritative record per person with aggregated risk and context:

• Precision Entity Identification unifies disparate logs into high-confidence, verified identity profiles for users, hosts, and services, governed automatically at the platform level, not by the analyst.
• Entity Resolution consolidates fragmented digital accounts — Okta, Entra, Active Directory — into a single unified record per employee.
• Dynamic Watchlists inject risk-score multipliers for high-value entities — executives, privileged admins, users in notice periods, or any “crown jewel” designation your team defines, making organizational context a first-class input to risk scoring.
• Entity-Driven Hunting Leads shifts hunting from reactive to proactive by surfacing risk-based leads tailored to your environment's actual behavioral patterns with narrative context, not a blank page.

Deeper forensics, faster response

Elastic 9.4 extends the depth and reach of endpoint investigation from remote script execution to cross-platform memory forensics to redesigned Osquery workflows via four new generally available features:

• Runscript Response Action and Script Library enables analysts to execute scripts remotely on endpoints directly from the Response Console or as an automated rule action backed by a centralized library of reusable, standardized scripts, enabling consistent remediation, custom forensic triage, and MSSP-scale operations.
• Memory Dump Response Action for Linux extends cross-platform memory forensics to Linux, enabling acquisition of process memory across major operating systems from within Elastic Security without external tooling for fileless malware, memory-resident attacks, and runtime artifact extraction.
• Osquery enhancements deliver a completely redesigned experience with a unified history page, enhanced result views, and advanced search and filtering, closing usability gaps and improving analyst efficiency at scale.
• Jumplists Osquery Table Extension and Forensic Query Packs provide prebuilt queries targeting Browser History, Amcache, and Jumplists, giving teams ready-to-run forensic artifacts for reconstructing user activity timelines and attacker behavior.

In case you missed it …

A lot happens at Elastic in between releases, and the space between Elastic 9.3 and Elastic 9.4 was no exception. For readers who may have missed some of the big news, here’s a short list of things to know and read:

• Elastic AutoOps is now free! Elastic AutoOps brings diagnostics and operational insights directly to your environment, transforming the way you manage Elasticsearch, now with no additional cost.
• Cross-project search is now available as a technical preview. Query across multiple Elastic Cloud Serverless projects simultaneously from a single interface without collapsing project-level isolation or security boundaries.
• Unified API keys for Elastic Cloud Serverless and Elasticsearch are now available. Use one API key to manage both infrastructure and data queries across projects with fine-grained permission controls intact.
• New ARM-based hardware profiles deliver better price-performance — up to 40% better on storage optimized workloads with Graviton4 and up to 25% better on CPU-intensive workloads with Axion.
• Elastic Cloud Serverless expansion continues: With recent additions across Azure, AWS, and Google Cloud, Elastic Cloud Serverless is now available in 29 regions worldwide.

Start here now

With a raft of impactful, new, and enhanced platform features like Agent Builder and Workflows, significant advances in our time series capabilities, and so much more, Elastic 9.4 is ready to help you and your organization transform data into answers, actions, and outcomes.

So … what are you waiting for? Elastic 9.4 is now available on Elastic Cloud — the hosted Elasticsearch service that includes all of the new features in this latest release.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.

Original source

Features and enhancements

Elastic Observability solution:

For the Elastic Observability 9.3.4 release information, refer to Elastic Observability Release Notes.

Elastic Security solution:

For the Elastic Security 9.3.4 release information, refer to Elastic Security Release Notes.

Kibana platform:

• Remembers the pagination state when navigating back from an edit on the Users page, instead of always returning to page 1 and resetting the search #261152.

Fixes

Alerting:

• Adds the application/x-zip-compressed MIME type as an accepted value for case file attachments #262414.
• Fixes the "Failed to check if maintenance windows are active" error #261048.

Data ingestion and Fleet:

• Fixes YAML file downloads being truncated at the first # character by properly URL-encoding the content #264083.
• Fixes package policy count filters to correctly identify non-latest revisions #263717.
• Only auto-installs content packages that are newer than the installed version #262509.
• Fixes Fleet Server diagnostic bundles failing to download when elasticsearch.compression is enabled #262394.
• Fixes missing sort-state announcements for screen readers in the Ingest pipelines list #262226.
• Fixes focus management for the Learn more link #261902.
• Fixes screen reader announcements for the Define as JSON toggle #261896.
• Fixes screen readers announcing duplicate row indices in the Ingest pipelines list #261369.
• Fixes the inference processor form to accept the input_output configuration shape #260517.
• Fixes screen readers announcing icon labels twice in the Ingest pipelines list #259185.
• Fixes screen readers incorrectly combining button announcements on the Create Pipeline page #261603.

Data management:

• Fixes stale screen reader announcements in code boxes #261921.
• Fixes the transforms detail summary to show all source_index entries when source_index is an array #261875.
• Fixes screen readers announcing search template options twice #261585.
• Fixes screen readers announcing duplicate row indices on the data streams table #261366.
• Fixes screen readers announcing icon labels twice in the Edit policy flyout #261324.
• Fixes screen readers announcing policy actions tooltip text twice in the index lifecycle policies list #261322.
• Fixes screen readers announcing copy button labels twice #261311.
• Fixes screen readers announcing grey color badge text twice in the transforms list #261307.
• Fixes screen readers not announcing invalid field validation errors #260673.

Discover:

• Resets the time field when the updated index pattern does not include it #262001.
• Fixes ES|QL multi-value filtering with STATS #260998.

Kibana platform:

• Adjusts the API Key flyout width #263858.
• Allows space colors to be cleared, falling back to the default #261826.
• Fixes screen readers announcing data stream and index options twice in the Create policy and Restore snapshot selectable lists #261786.
• Fixes policy buttons to have distinguishable names for screen readers #261313.

Machine Learning:

• Fixes the single metric chart in Anomaly Explorer not showing anomaly actions correctly #263925.
• Updates the hono and @hono/node-server dependencies #263794.
• Fixes execution tree clipping when foreach has many iterations #253576.

Original source

- Elastic Stack: Planned

Features and enhancements

Aggregations

• Bump heap usage limits for INLINE STATS #144679

ES|QL

• Skip time series field type merge for non-TS agg queries #143262

Fixes

EQL

• Fix propagation of filters on join keys for missing events #145813 (issue: #145402)

ES|QL

• Do not discard disjunction conditions when is null/is not null might invalidate them #145941
• Don't use a Literal for constant_keyword fields when used inside full-text functions #145632 (issue: #145570)
• ESQL - Fix performance loading source when vectors are excluded #146223 (issue: #145799)
• Fix handling of values on the time bucket boundaries for ES|QL increase #145794
• Fix nested fields loading under NULLIFY #145741 (issue: #142616)
• Fix rate/increase single-value bucket handling for delta temporality #146518
• Fix starts_with/ends_with with special chars #146348 (issue: #130851)
• Keywords mv count fix #145390

Infra/Core

• Throw a 400 error for malformed parsing input when missing element end #145777

Ingest Node

• Fix pipeline resolution cache for bulk requests #144648
• Fix waiting for enrich policy execution for users without the monitor privilege #145751

Machine Learning

• Omit uncomputed model stats #146186

Mapping

• Fix match only text decoding surrogate pairs #146567 (issue: #146538)

Reindex

• Restore initial thread context during reindex etc #146134

Search

• Add cancellation support to IndicesRequestCache #141708
• Collapse pathological regex quantifier stacking to prevent NFA construction OOM #145452
• Fix terminate_after not honored for aggs when size=0 #146199 (issue: #126665)
• Fix bug parsing "request" parameter in clear cache API, it should clear the request cache only #145726
• Use query circuit breaker for wildcard/regexp determinization #145427 (issue: #145128)

Snapshot/Restore

• Use IllegalArgumentException over RepositoryException for readonly-repository checks #140200

TSDB

• Replace IllegalStateException with IllegalArgumentException for conflicting time series metadata #142370

Vector Search

• Fix NPE in GPU resource pool when CuVSResources creation fails #146632
• Fix NPE when having double nested field with knn query #146933 (issue: #141830)
• [DiskBBQ] Fix offHeap size for empty indices #146347
• [DiskBBQ] Wait for queue saturation in MaxScoreTopKnnCollector #145341

Original source

Search across all your workloads from a single pane of glass. Instantly query distributed Elastic Cloud Serverless projects as one without moving your data or paying egress fees.

By Najwa Harif, Hubert Grzesiek

As organizations scale, data naturally fragments. Elastic Cloud Serverless allows you to organize your data into dedicated projects whether you’re isolating team environments, separating business units, or complying with regional data residency laws. While separating workloads offers great architectural benefits, it traditionally required consolidating data whenever a unified search was needed.

Today, we are announcing the technical preview launch of cross-project search (CPS) for Elastic Cloud Serverless. You can now instantly query distributed Elastic Cloud Serverless projects as one — maintaining native project isolation while querying your entire organization from a single pane of glass.

Global visibility, project-level control

Cross-project search brings a true single-pane-of-glass experience to Elastic Cloud Serverless. The setup is straightforward, and the value is immediate:

• One-step linking in cloud console: Administrators select which projects to link, and that’s it! Searches from the origin project will span linked projects by default.
• Broad by default, precise when needed: Use UI scope controls, per-space defaults, or directly adjust your queries to narrow searches.
• Secure by design: Access is enforced per project using existing roles, so users only see data they’re allowed to see in each linked project.

The outcome is simple: faster cross-project investigations, less operational friction, and no tradeoff between project isolation and unified search.

Get started: Linking and search scope

Getting started with cross-project search takes just a few clicks:

1. In the Elastic Cloud console, create a new project to use as your origin — the project you’ll search from.
2. Open that project, choose which other projects to link, save your configuration, and let the Elastic control plane establish the connections.

Once linking is in place, data from linked projects appears in your origin project automatically. In Kibana, use the project picker in the navigation bar to switch between All projects and This project, and save your preferred scope to a dashboard, rule, or Discover session when you want it to stick.

Do different teams need different project scopes? Configure project routing per Kibana space so that each team lands on the right scope by default.

Query, visualize, and narrow scope

CPS gives you immediate global visibility; from your origin project, one query spans all linked projects by default. Then, when you need precision, you can narrow scope per request, per workflow, or per team default without changing where data lives.

• Route to exactly the projects you want using project_routing expressions in ES|QL queries (SET project_routing), search APIs, and any CPS-enabled endpoint. In Kibana, use the project picker in the navigation bar to switch between All projects and This project. After the tech preview release, more granular controls will be released to select subsets of projects based on criteria like the project region, cloud provider, or any custom project tags defined by your team.
• Analyze and aggregate data by linked projects using project tags in your queries. You can group results by region, environment, or team, so patterns become obvious fast without moving or duplicating data.
• Set the right default per Kibana space. Kibana spaces let each team start from the right default view of linked data. Configure a space-level default project scope (e.g., This project) so that dashboards, rules, and daily workflows open in the right slice by default, and analysts can still expand scope when needed.

Programmatic access with Elastic Cloud API keys

To ensure this cross-project visibility extends natively to your automated workflows, we enhanced Elastic Cloud API Keys to authenticate directly against Elasticsearch and Kibana APIs. By relying on unified API keys, the system can automatically evaluate your permissions across all projects simultaneously without requiring you to configure complex trust relationships, certificates, or duplicate credentials on every target project.

Pricing and availability

Cross-project search will be available in tech preview starting April 16, 2026. For Elasticsearch project type, you continue to pay for search capacity through VCUs, which scales the origin project (from where the search originates) to handle federated queries alongside your origin project’s local search workloads. For observability and security project types, CPS is available on Observability Complete and Security Complete tiers; during the preview phase, there will be no separate CPS charges.

At general availability (GA), cross-project search will be priced on usage:

• Observability and security (as origin projects, where search originates): A monthly charge per GB of data retained in each linked project will be billed at the origin project. So, each retained GB in a linked project will be charged at the origin project on a monthly basis.
• All project types: There will be a charge for data transferred between projects for CPS.

Exact rates and billing mechanics will be published closer to GA.

Ready to get started?

If you would like to start with cross-project search, login to your Elastic Cloud console, and link your first project. If you would like to learn more, read our technical docs.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

Original source

Fixes

Alerting

• Fixes Webhook Connector accessTokenUrl validation #258290.

Dashboards and Visualizations

• Adjusts scrolling when you drag and drop a dashboard panel to avoid jumping #258445.
• Fixes Canvas library embeddables failing to load when savedObjectId is present without saved object references #257779.
• Fixes a race condition in the dashboard backup service and removes unnecessary error toasts #257762.
• Fixes Add from library in Canvas creating incorrect embeddable state #257261.
• Fixes Lens panels appearing to revert after inline edits until you refresh the page, even though changes are saved #256984.

Data ingestion and Fleet

• Improves screen reader announcements and focus when moving processors in the ingest pipeline editor #259096.
• Fixes Fleet bulk agent actions (unenroll, upgrade, reassign to policy) not respecting the current space when selection uses a kuery filter #258582.
• Fixes automatic agent upgrades stopping early with “target percentage already reached” because agents upgrading in other policies are also counted #258387.

Data management

• Restores keyboard focus to the Create a transform button on the Transforms page #258095.
• Enhances screen reader notifications for bulk actions in Index Management tables, providing live announcements when the bulk actions menu becomes visible or hidden #257089.

Elastic Observability solution

For the Elastic Observability 9.3.3 release information, refer to Elastic Observability Solution Release Notes.

Elastic Security solution

For the Elastic Security 9.3.3 release information, refer to Elastic Security Solution Release Notes.

Elasticsearch solution

• Fixes the query rules UI rejecting case variants as duplicate values #259506.
• Fixes only passing filtered rules to the API and deleting rules not matching the filter in the Query Rule Set editor #259503.
• Prevents creating incompatible inference endpoints when adding a semantic_text field in the Index Management mappings editor #256586.

Machine Learning

• Fixes the anomaly swim lane dashboard panel not refreshing #259962.
• Fixes a console error when opening the data frame analytics jobs list #258591.
• Adds aria labels to job wizard combo boxes #258509.

Original source

The 9.3.2 release contains fixes for potential security vulnerabilities. Check our security advisory for more details.

Features and enhancements

Elastic Security solution:
For the Elastic Security 9.3.2 release information, refer to Elastic Security Solution Release Notes.

Connectivity:

• Adds Gemini 2.5 Flash Lite, Claude 4.5 Haiku, and Claude 4.6 Sonnet models to preconfigured connectors #253109.

Fixes

Elastic Agent Builder:

• Fixes a bug in the platform.core.search tool and index_search tool type where nested fields were ignored when searching for matching documents #255914.
• Fixes MCP connectors ignoring the proxy and SSL configuration from the actions plugin (xpack.actions configuration property) #255813.

Alerting:

• Fixes a problem generating a report with multi-page Canvas workpads #255022.
• Fixes a blank page appearing at the end of PDF exports when using the Print format option with an even number of dashboard visualizations #254957.
• Improves handling of 204 responses #251090.

Dashboards and Visualizations:

• Fixes an issue where embedded panels in Canvas workpads could lose their saved object references, causing panels to fail to load #252191.
• Fixes the Add from library action adding incorrect embeddable state #257261.
• Fixes Lens transforms #257224.
• Fixes an issue where dashboard panels could get stuck in an infinite loading state after an error instead of showing error messages #257188.
• Fixes Maps failing to load when the stored time filter contained a quick mode value #255178.

Data ingestion and Fleet:

• Fixes the unenroll task and adds an FTR test #255726.
• Fixes incorrect installation of assets #254923.

Discover:

• Fixes glitchy rendering in the Attributes tab #255173.

Elastic Observability solution:
For the Elastic Observability 9.3.2 release information, refer to Elastic Observability Solution Release Notes.

Elastic Security solution:
For the Elastic Security 9.3.2 release information, refer to Elastic Security Solution Release Notes.

Kibana platform:

• Fixes the spaces list displaying No spaces match text on load #255654.
• Fixes the embeddable console auto-closing on chrome or overlay clicks #253382.
• Fixes an issue where the Kibana JSON logger could produce JSON objects with a large number of numbered keys #256233.

Kibana security:

• Adds waitFor for the privilege button #255094.
• Fixes an issue where saving a dashboard included access control features when a user profile was not available #255065.

Machine Learning:

• Fixes screen reader announcements for flyouts #256409.

Management:

• Improves name announcement in the index mode modal #256392.
• Fixes an issue in Dev Tools Console where syntax highlighting broke when queries contained accented or non-ASCII characters #255649.
• Fixes an issue in Dev Tools Console where closing nested braces broke syntax highlighting for subsequent elements #255426.

Search:

• Changes the Run in Console button type #256455.
• Fixes Search Playground routes to limit the maximum size of arrays #255881.
• Fixes focus behavior when there are errors in the connector flyout form #255770.
• Adds server-side API key generation #256083.

Original source

The 9.3.1 release contains fixes for potential security vulnerabilities. Check our security advisory for more details.

Features and enhancements

Data ingestion and Fleet

• Allows integration rollback even if all package policies are not on an upgraded version #253646.

Elastic Security solution

For the Elastic Security 9.3.1 release information, refer to Elastic Security Solution Release Notes.

Machine Learning

• Adds a dynamic default connector to GenAI settings #252861.
• Adds missing ES|QL commands and functions documentation for inference tasks #249089.

Fixes

Alerting and cases

• Fixes a bug with PagerDuty where setting the Custom details field causes rules to fail #253683.
• Adds external reference IDs to the attached documents check when a case is selected #253107.
• Fixes rule execution failing due to null execution UUIDs #252618.
• Improves handling of 204 responses #251090.

Connectivity

• Fixes AI Connector form fields incorrectly resetting to default values when cleared with backspace #251095.
• Updates connector description terminology to reference "pre-configured AI connectors" #250649.

Dashboards and Visualizations

• Fixes layer editor scrolling in the full Lens editor #253247.
• Fixes runtime_mappings being ignored or overridden in Vega specs when defined in data[].url.body #253560.

Data ingestion and Fleet

• Fixes an issue where an agent rolled back after an upgrade could not be upgraded again in Fleet UI #253850.

Discover

• Fixes handling of missing values #251892.

Elastic Observability solution

For the Elastic Observability 9.3.1 release information, refer to Elastic Observability Solution Release Notes.

Elastic Security solution

For the Elastic Security 9.3.1 release information, refer to Elastic Security Solution Release Notes.

Kibana platform

• Strips system-managed date fields from ingest pipelines before PUT requests #252579.
• Fixes Stack Monitoring breadcrumb when in solution view #249751.

Machine Learning

• Fixes "today" and "this week" filters for Log Rate and Pattern Analysis embeddables #252925.
• Fixes word break in Anomaly Detection page titles #250058.

Management

• Fixes autocomplete not working in embedded console #253306.
• Fixes an issue loading the doc count in index management when viewing larger page sizes with long index names #252422.
• Fixes a validation error for AI pipeline suggestions with empty grok patterns #251113.

Search

• Fixes homepage throwing errors when license level is below Enterprise #251484.
• Reduces background polling on the Index Details page to avoid unnecessary API requests #251446.
• Fixes links being visible on Search homepage when the user doesn't have access #251437.

Workflows

• Adds datemath support to the KQL evaluator #252840.

Original source

Features and enhancements

Elastic Agent Builder

• Elastic Agent Builder is now generally available. It is enabled by default in Elasticsearch solution environments, and you can opt in to Agent Builder and its AI Agent chat experience in Observability and Security solution environments. Learn how to get started.

Alerting

• Supports searching for report schedules by title and creator #243841.
• Provides fields for specifying cc and bcc recipients, the subject line, and the message for scheduled report email notifications #242922.
• Enables incremental human-readable case IDs #238555.
• Adds option to delete report schedules #238197.
• Alert cleanup is now generally available #247465.
• Adds search to the new Attachments tab in cases #246265.
• Adds support for searching rules by their actions' params using the API #246123.
• Scheduled reports are now generally available #245882.
• The Slack connector can now be configured to send messages to any channel using channel names #245423.
• Improves search on the case management page #245321.
• Adds option to enable disabled report schedules #244202.
• Disable flapping per rule - schema only changes #243855.
• Centralizes tabs for different attachement types under the new Attachments tab in cases #243708.
• Adds a date time picker to the cases management page to help you find cases that were created during a specific time range #243409.
• Adds option to edit report schedules #241928.
• Improves UI for specifying additional fields for IBM Resilient action #238869.
• Makes Agent ID the default observables type #238533.
• Adds kibana.alert.index_pattern to all Stack alerts. This change doesn't affect detection alerts #239450.

Connectivity

• Elastic will regularly be adding new AI models from 9.3 onwards which will appear as pre-configured AI connectors in Kibana. Refer to the Elastic Inference Service page for more details.
• Adds Groq to the list of available providers for the Inference/AI Connector and for Inference endpoint creation #244962.
• Introduces a Brave Search connector #245329.
• The webhook connector now supports the following HTTP request methods: POST(default), PUT, PATCH, GET, and DELETE #238072.
• Adds new preconfigured connectors and updates existing ones #242791.
• Adds a new temperature parameter to AI Connector and to OpenAI, Bedrock, and Gemini connectors #239806.
• Adds support for headers in the OpenAI integration #238710.

Dashboards and Visualizations

• Dashboards now support ownership and "write_restricted" mode. You can now keep dashboards publicly editable or in a write-restricted state until they are ready to be published, giving you more control over who can edit your dashboards, regardless of broader space permissions #224552.
• Adds support for chaining variable controls. You can now set up variable controls to depend on the values selected for another variable control #242909.
• Adds basic filtering support for interactions with ES|QL charts #243439.
• Removes the Supporting visualization section heading from the Primary Metric editor. All configuration options remain fully accessible in the same location under Appearance #245979.
• Reorganizes and renames color settings in the Primary Metric dimension editor. For numeric metrics, the "Color by value" and "Color mapping"/"Color" settings are now located under the "Background chart" field. The settings have been renamed as follows: "Color by value" is now "Color mode", and "Color mapping" is now "Dynamic color mapping" #243608.
• In dashboard visualization in-line editing and Lens workspace, the 'Appearance', 'Titles and text', 'Axis', and 'Legend' settings have been moved from a popover into a dedicated flyout panel #240804.
• Moves the Lens visualization toolbar from the workspace section to the configuration panel #239879
• Moves the Save as and Reset options under the top nav Save button when the dashboard is in edit mode #237211.
• The Lens configuration panel has been redesigned to display layers as tabs instead of vertically stacked panels. Layer actions (clone, remove, save) are now accessible through a menu in each tab, improving the editing experience when working with multiple data layers, annotations, and reference lines #235372.

Data ingestion and Fleet

• Enables integration knowledge generation by default and adds a UI setting that allows you to opt out of the integration knowledge indexing #245080.
• Enables rolling back integrations to the previously installed version #240761.
• Adds capability for rolling back a recent upgrade of a Fleet-managed Elastic Agent using Fleet UI or API #247398, #249416.
• Adds functionality for removing root privilege from Fleet-managed agents if applicable #237790.
• Adds Advanced Internal YAML Settings field to the agent policy settings UI #245819.
• Redesigns the Actions menu in Fleet, placing commonly used actions at the top level and organizing other actions into nested menus by use case #245174.
• Auto-migrates component templates to use type@lifecycle ILM policies during Fleet setup #243333.
• Adds a cleanup task that removes excess policy revisions from the .fleet-policies index #242612.
• Uses type@lifecycle ILM policies for new package installations #241992.
• Adds the xpack.fleet.experimentalFeatures config setting #238840.
• Adds a Show agentless resources toggle on the Fleet > Settings page for debugging and diagnostics #237528.
• Adds Fleet Server host authentication settings for Elastic Agent > Fleet Server SSL support #236959.
• Persists the state of filters in the agent list table while navigating within a session #228875.

Discover

• Discover now shows partial results after a search gets canceled #242346.
• Background search is now enabled by default in all environments #242105.
• Adds a “Copy as Markdown” option for selected results #245545.
• Optimizes performance by avoiding redundant requests when breakdown or chart interval changes #245523.
• Shows multi-fields in the document viewer by default in ES|QL mode #245890.
• Adds support for filtering multivalue fields by interacting with the results table in ES|QL mode #245554.
• Improves the lookup index editor interface available in ES|QL mode #244480.
• Improves the file upload section of the lookup index editor interface #244550.
• Saving an ES|QL query's visualization to a dashboard now brings any related controls along with it #237070.
• Updates the icon in the document viewer to add or remove a field in the main documents table #246024.

ES|QL editor

• Adds a Quick search functionality that helps you turn free-text inputs into ES|QL WHERE clauses #242123.
• Adds support for multi-value variables using MV_CONTAINS functions #239266.
• Adds inline suggestions to ES|QL queries #235162.
• Allows selecting field data type in the lookup index editor interface of the ES|QL editor #241637.
• Adds support for expressions in functions #236343.
• Improves computed suggestions for expressions #246421.
• Renders string-only suggestions for Like and RLike operators #244903.
• Improves validation and autocomplete suggestions for the CASE function #244280.
• Adds context-aware suggestion ordering with categorization #243312.
• Suggests adding curly braces after the WITH keyword for RERANK and COMPLETION commands #243047.
• Adds support for new exponential_histogram Elasticsearch field type #242748.
• Wraps the fork subcommands inside aparens node #242369.
• Improves the quality of context-based suggestions #241081.
• Adds autocomplete suggestions for expressions in LOOKUP JOIN commands #240735.
• Applies the breakdown field before applying time bucketing in STATS BY commands to preserve consistent sorting across buckets in ES|QL queries #239685.

Elastic Observability solution

For the Elastic Observability 9.3.0 release information, refer to Elastic Observability Solution Release Notes.

Elastic Security solution

For the Elastic Security 9.3.0 release information, refer to Elastic Security Solution Release Notes.

Kibana platform

• Adds buttons to the time picker component to quickly shift the selected time range backward and forward, and adds timezone information to the time picker popover #243020.
• Adds cross-tab syncing for recently used time ranges #242467.
• The defaultRoute advanced setting now controls the target of the Elastic logo link for spaces using a solution view #241571.
• The name of the deployment now appears in the navigation breadcrumb on Elastic Cloud Hosted #238078.
• Enforces the object_src 'none' directive in Kibana's Content Security Policy and introduces a new csp.object_src configuration option to control its behavior
• Containers now set the default Node.js heap to 75% of available memory up to a maximum of 4096 Mb. Previously, this was set to 50% #246073.
• Linux now supports the populate_file_data advanced option which enables entropy and header_bytes fields in file events #246197.
• Adds the ability to cancel file uploads #241297.

Kibana security

• The API keys management page now defaults to showing personal API keys only #245261.
• Adds a warning when deleting API keys currently used by alerting rules #243353.
• Adds the ability to specify the origin(s) of authentication providers that appear to users logging in to Kibana #239993.
• Enhances the error message to include detailed information about why a role is considered as malformed #239098.
• Removes the AI Assistants Settings privilege #239144.

Machine Learning

• Adds an optional timeout parameter to the Inference chat model #248326.
• Adds Security machine learning modules for GCP Audit and Azure Activity Logs #236849.
• Removes median line length anomaly detection categorization check #243827.
• Adds custom header support to inference endpoints creation UI #242187.
• Improves the layout for custom inference endpoint UI #241779.
• Adds an action to create an anomaly detection alerting rule #241274.
• Makes the machine learning update space APIs public #241109.
• Improves display of long fields values in top values list #241006.
• Adds the ability to narrow down the list of anomalies that the Anomaly detection rule looks for #240100.
• Adds feedback button to the Anomaly Explorer and Single Metric Viewer #239883.

Search

• When creating a new Elasticsearch solution project, you will now land on the Elasticsearch home page by default instead of the Create index page to get immediate access to relevant tutorials and educational content #237612.
• Adds a new getting started page within the Elasticsearch solution which offers hands-on feature tutorials. This page defaults as the initial destination for users creating a new Elasticsearch solution project #245311.
• Adds a clear confirmation when an element has been successfully copied using one of the available Copy buttons on the Elasticsearch solution home page #246090.
• Adds callouts and guided tours to Kibana's Elasticsearch solution UI on Elastic Cloud Hosted and Serverless to provide better introductions to Elastic Inference Service endpoints. You can dismiss callouts and tours, which will not reappear after dismissal #244626.
• Improves the Console UI to make key actions more intuitive. The Play button is now more prominent, a new Copy to language button provides quick access to export the selected command in your preferred coding language, and the context menu has been updated to allow you to set a default language preference #242487.

Workflows

• Elastic Workflows is now available in technical preview. Build YAML-based workflows to automate actions across Elasticsearch,Kibana, external systems, and AI. Workflows support manual, scheduled, and alert-based triggers, conditional logic, and integrations with existing connectors and Agent Builder. You must turn on the feature to get started. Refer to Set up workflows for more details.

Fixes

Alerting

• Fixes cases.total_event not showing the number of events attached to a case #247996.
• Encodes terms searched on cases management page #247992.
• Adds max character validation to the email connector params and config #246453.
• Fixes an issue that caused the Security alerts table to not update columns correctly when switching view mode #245253.
• Adds alert.consecutiveMatches to action context #244997.
• Fixes case submissions becoming stale #244543.
• Allows spaces in file paths for case observables #244350.
• Catches connector errors without interrupting the case creation flow #244188.
• Improves error messages for IBM connector #244012.
• Verifies the alert exists before muting #242847.
• Fixes auto-extraction in event bulk actions #242325.
• Fixes Alerts table pagination being stuck on rule details page #242275.
• Use real dimensions when taking a screenshot of {kib} layout #242127.
• Only takes tag changes into account when connector supports them #241944.
• Improves cases management table loading to prevent flashing #240155.
• Fixes missing announcements in case forms to improve accessiblity #240132.
• Adds manual focus to buttons for case actions to improve accessiblity #239504.
• Removes autoFocus to preserve proper focus when modal closed #239366.
• Fixes observables not being added to cases when auto-extract is turned on #239000.
• Updates nodemailer to to 7.0.9 #238816.
• Adds Jira's otherFields JSON editor to case creation flow #238435.
• Isolates the configuration parameters for the Tines connector to the server side #236863.
• Enables auto-extraction by default and adds user actions for case observable actions #236524.
• Separates sync alert and auto-extract updates in case activity #236519.
• Fixes the alert history chart background color in dark mode #246017.
• Fixes infinite loop issue in investigation guide editor #240472.
• Fixes missing fields when using combined filters with the ignoreFilterIfFieldNotInIndex advanced setting enabled #238945.

Connectivity

• Ensures that the "maximum tokens" parameter is passed as expected by the service for the Anthropic connector #241188.
• Removes the default fallback region for the Bedrock connector #241157.
• Ensures all authentication fields show up correctly for the AI Connector #240913.

Dashboards and Visualizations

• Cleans filters as they’re updated from Unified Search, adds extra cleanup for compound filters by removing undefined properties, and fixes unsaved badges appearing when dashboards with compound filters are loaded #247309.
• Uses Number.MAX_VALUE instead of Infinity for the default maximum height of a panel #243572.
• Fixes an issue where saving a dashboard after switching a Dashboard Link to an External Link caused the save function to throw an error #243134.
• Fixes the silence warnings by silencing error notifications in Discover and Dashboards and changing the built-in URL restore error to a console.warn #242788.
• Fixes a regression with print mode in Dashboard #242780.
• Fixes an issue with sync colors and sync tooltips being turned on by default for new dashboards. Now, those options are turned off by default for new dashboards #242442.
• Fixes an error with deselecting a "(blank)" option from an options list #242036.
• Fixes layout issues for Markdown embeddables in small dashboard panels using CSS container queries. When a markdown panel is shorter than 120px, the UI now adapts to a compact layout that maximizes usable space #240806.
• Labels in the Create index flow now render with the default Use vector tiles scaling as soon as label styling is applied (or after save), without requiring a scaling toggle #240728.
• Fixes an issue where users could not reset unsaved changes after enabling time restore and changing dashboard time range #239992.
• Fixes search session restoration issue #239822.
• Fixes an error in the Options list control when selecting a "(blank)" value #239791.
• Fixes an issue in the LensConfigBuilder that treated all dataview references the same, causing the UI to throw an error attempting to find an ad-hoc dataview that does not exist as a SavedObject #239431.
• Fixes an issue in the Lens Table that broke click to filter on table rows when any column is used as a formula #239222.
• Fixes metric color assignment when the breakdown and maximum options are defined in Lens #238901.
• Fixes an issue where ad-hoc data views were not providing suggestions in the global search bar #238731.
• Fixes an error in the Visualize Listing page in which an error in the visualization could cause the entire page to error. This improves the error handling to make it easier to identify which visualization is causing the problem in order to address it #238355.
• Fixes an issue where dashboards cannot be saved when a filter pill has a combined filter using OR or AND operations #237477.
• Fixes an issue where panels in sections are not displayed when opening the dashboard from a shared link #237382.
• Prevents a double fetch when panels would fetch data while controls were building filters and then fetch data again once controls filters are available #237169.
• Fixes color contrast for links in Lens #247721.

Data ingestion and Fleet

• Uses long expiration for agent auto-upgrade actions and scheduled upgrades #243443.
• Fixes auto-upgrade logic to retry upgrade action if agents are stuck in Updating state #243326.
• Adds retry behavior for /api/fleet/agents when transient issues with Elasticsearch are encountered #243105.
• Fixes Docker image in the Kubernetes manifest in the Add agent instructions #242691.
• Fixes an issue where some package icons were not loaded correctly #242406.
• Shows warnings on sync integrations UI when referencing other entities #241623.
• Adds the proxy SSL options to download sources if a proxy is selected #241115.
• Omits system properties when synchronizing ingest pipelines #241096.
• Fixes template_path asset selection for some integration packages #240750.
• Allows Fleet setup retries on start in all environments #240342.
• Fixes an issue where the uniqueness of agent policy names was not consistently enforced across spaces when name or space changes occurred #239631.
• Fixes ignore_above mapping for flattened fields #238890.
• Fixes a "package not found" error when skipping cloud onboarding for a prerelease package #238629.
• Fixes an issue where new package global variables were not included and stale variable references were not removed on integration policy upgrade #238542.
• Fixes an error that occurred when deleting orphaned integration policies #237875.
• Enables storing secrets in Fleet Server host config if Fleet Server is running at a minimum supported version #237464.
• Fixes MSI commands for installing Elastic Agent and Fleet Server #236994.

Discover

• Fixes an issue with the "Search entire time range" option that could exclude some results if the time field was set to date nanos #248495.
• Fixes an issue where document viewer tabs were unnecessarily re-mounting on every refresh, leading to degraded performance #248203.
• Fixes an issue causing query drafts to be lost when switching between tabs without running the query first in ES|QL mode #247968.
• Fixes an issue with ES|QL tabs not loading properly #246941.
• Fixes an issue in Discover where default app state could trigger unsaved changes in saved Discover sessions, such as default columns applied through the defaultColumns advanced setting #246664.
• Fixes an issue with Discover tabs that occurs when navigating to a different tab while the previous tab is still initializing #245752.
• Fixes truncation for longer text in the Discover table #241440.

ES|QL editor

• Displays the available options when editing an existing variable control #239315.
• Fixes unrecognized GROK patterns #246871.
• Fixes KEEP behavior in ES|QL when a query initially returns no results #239063.
• Adds FORK with KEEP/STATS in the transformational commands #240011.
• Fixes the autocomplete of timeseries sources after a comma #241402.

Elastic Observability solution

For the Elastic Observability 9.3.0 release information, refer to Elastic Observability Solution Release Notes.

Elastic Security solution

For the Elastic Security 9.3.0 release information, refer to Elastic Security Solution Release Notes.

Kibana platform

• Fixes the serialization of meta.error in JSON layouts. If it is an Error instance, only message, name, and stack are included. Other fields are no longer returned in the logs #244364.
• Fixes an issue in the component template creation flow where a new component template with @custom suffix in its name would lead to updating mappings of all unrelated data streams and cause a popup to appear asking to roll over conflicting ones #237952.
• Fixes privilege requirements when reindexing indices through the upgrade assistant. Previously, the "superuser" role was required. Now, "cluster: manage" and "all" privileges for the relevant indices are sufficient #237055.
• Fixes a case where the upgrade assistant would incorrectly warn about a node breaching the low watermark despite the max headroom setting #243906.
• Fixes createAuditEvents always returning failure as outcome #247152.
• Fixes "now" and mixed format date handling in the Share menu #245539.
• Fixes favicon CSS specifity #243351.
• Reduces re-renders on resize and items changes #239888.
• Fixes an issue with the files management flyout crashing #237588.
• Fixes infinite loading of roles on the Edit space page #242954.
• Reflects the value selected for the AI Assistants Visibility GenAI setting when opening AI Assistant from the header #239555.
• Fixes ECS-incompatible logs values #245706.
• Fixes an issue where clients authorized to a partial list of saved object types would circumvent the Saved Objects Repository's allowed types and could list hidden saved object types #244967.

Kibana security

• Fixes an issue where fields were not case-sensitive in Kibana's user interface for creating and updating roles, though fields are case-sensitive in Elasticsearch #246069.
• Fixes an issue preventing IDP-initiated login with multiple OIDC providers #243869.
• Introduces a separate error for empty login attempts with SAML and OIDC providers #237611.

Machine Learning

• Disables field statistics when using the ES|QL TS command in Data Visualizer #247641.
• Fixes display of Data Visualizer's map view for small screen sizes #247615.
• Fixes anomaly chart empty query issue #246841.
• Fixes creating new anomaly detection jobs from Discover sessions with no data view #246410.
• Ensures Anomaly detection result chart tooltips are always shown correctly #246077.
• Prevents clearing cell selections after hiding the alert's table popover in Anomaly explorer #244183.
• Optimizes and enables text field analysis in contextual insights for log rate analysis #244109.
• Ensures deleted text in the inference connector, AI connector, and inference endpoint creation forms is not sent as an empty string #244059.
• Fixes wizard for data view with runtime fields for data frame analytics #242557.
• Fixes import and improves validation for Anomaly detection and Data frame analytics jobs #242263.
• Ensures max tokens parameter is passed as expected during Anthropic endpoint creation #241212.
• Fixes index names causing incompatible cluster errors when product docs are installed for multiple inference IDs #240506.
• Ensures inference endpoints UI list loads when provider is custom #240189.
• Fixes layout of fields in machine learning overview and notifications pages #239113.
• Adds unique accessible labels for Show top field values buttons #237972.
• Fixes tool calling unavailable tools #237174.
• Improves trained models list performance #237072.
• Fixes partition field settings errors in the single metric viewer dashboard panel #237046.
• Prevents URL-like strings from being displayed as links in alerts #226849.
• Improves anonymization error messages when NER model is unavailable #247696.
• Adds table caption for empty top categories in logs category table #246041.
• Fixes broken Data Visualizer and AI Operations navigation breadcrumbs and sidebar in solutions #248167.
• Fixes counter metric fields missing in anomaly detection dropdown #153021.

Search

• Fixes an issue when running Elasticsearch with a Basic license, where you could encounter errors when updating index mappings, even when adding non-ML field types. Mapping updates now work as expected, while advanced semantic text features continue to require the appropriate license #248462.
• Disables 'API keys' button on the Elasticsearch home page when logged in with insufficient permissions #248072.
• Fixes the token count display showing "NaN" in Search Playground by preserving message annotations across the AI SDK v5 stream #246589.
• Fixes an issue with the API creation flyout size #244072.
• Fixes a case of keyboard focus getting trapped in pages using document preview #243791.
• Makes elser-2-elastic (ELSER in EIS) the default inference endpoint for adding semantic text fields. Refactors the SelectInferenceId component for clarity and stability, resolving a console warning and improving popover and flyout state handling #242436.
• Fixes Agents & Playground icons in the solution side navigation to render correctly when using dark mode #240475.
• Fixes visual issues in the data preview metadata popup when ID is too long. Adds a tooltip and copy button to improve user experience #239768.
• Fixes an issue in RAG Playground where invalid fields displayed red styling but no error messages. Error text now appears to help you identify and correct form issues #238284.
• Fixes an accessibility issue where resetting changes or removing all terms in the Synonyms panel was not announced by screen readers. VoiceOver users on Safari will now hear updates when terms are reset #237877.
• The Index management mappings editor now syncs model deployment status correctly. This fixes a case where users couldn't save semantic_text fields during deployment without forcing #237812.
• Fixes an issue where the retriever query copied from the "Search your data" JavaScript tutorial fails with a parsing_exception when passed through the query parameter in the Node.js Elasticsearch client. Retriever queries must be passed through the body parameter to ensure they are serialized correctly #237654.
• Adds refusal field to AI Assistant conversations #243423.
• Turns off custom suggestions on the embedded console #241516.
• Fixes an issue where form fields were resetting automatically when editing ingest pipeline settings #237509.

Original source