Upgrade notes

Before you upgrade, review the breaking changes and deprecations introduced in Kibana 8.x, then mitigate the impact.

For Elastic Security release information, refer to Elastic Security Solution Release Notes.

Breaking changes

Kibana APIs

Removed legacy alerting endpoints (9.0.0)

Details

  • POST /api/alerts/alert/{id?} has been replaced by POST /api/alerting/rule/{id?}
  • GET /api/alerts/alert/{id} has been replaced by GET /api/alerting/rule/{id}
  • PUT /api/alerts/alert/{id} has been replaced by PUT /api/alerting/rule/rule/{id}
  • DELETE /api/alerts/alert/{id} has been replaced by DELETE /api/alerting/rule/{id}
  • POST /api/alerts/alert/{id}/_disable has been replaced by POST /api/alerting/rule/{id}/_disable
  • POST /api/alerts/alert/{id}/_enable has been replaced by POST /api/alerting/rule/{id}/_enable
  • GET /api/alerts/_find has been replaced by GET /api/alerting/rules/_find
  • GET /api/alerts/_health has been replaced by GET /api/alerting/rule/_health
  • GET /api/alerts/list_alert_types has been replaced by GET /api/alerting/rule_types
  • POST /api/alerts/alert/{alert_id}/alert_instance/{alert_instance_id}/_mute has been replaced by POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
  • POST /api/alerts/alert/{alert_id}/alert_instance/{alert_instance_id}/_unmute has been replaced by POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
  • POST /api/alerts/alert/{id}/_mute_all has been replaced by POST /api/alerting/rule/{id}/_mute_all
  • POST /api/alerts/alert/{id}/_unmute_all has been replaced by POST /api/alerting/rule/{id}/_unmute_all
  • POST /api/alerts/alert/{id}/_update_api_key has been replaced by POST /api/alerting/rule/{id}/_update_api_key
  • GET /api/alerts/{id}/_instance_summary has been deprecated without replacement. Will be removed in v9.0.0
  • GET /api/alerts/{id}/state has been deprecated without replacement. Will be removed in v9.0.0

Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0

Action
Remove references to the GET /api/alerts/{id}/_instance_summary endpoint. Remove references to the GET /api/alerts/{id}/state endpoint. Replace references to the other endpoints listed as deprecated with their replacements; see the Details section. The updated APIs are documented at https://www.elastic.co/docs/api/doc/kibana/v8/group/endpoint-alerting

Removed legacy cases endpoints (9.0.0)

Details

  • GET /api/cases/status has been deprecated with no replacement. Deleted in v9.0.0
  • GET /api/cases/{case_id}/comments has been replaced by GET /api/cases/{case_id}/comments/_find released in v7.13
  • GET /api/cases/<case_id>/user_actions has been replaced by GET /api/cases/<case_id>/user_actions/_find released in v8.7
  • includeComments parameter in GET /api/cases/{case_id} has been deprecated. Use GET /api/cases/{case_id}/comments/_find instead, released in v7.13

Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0

Action
Remove references to GET /api/cases/status endpoint. Replace references to deprecated endpoints with the replacements listed in the breaking change details.

Removed all security v1 endpoints (9.0.0)

Details
All v1 Kibana security HTTP endpoints have been removed.

  • GET /api/security/v1/logout has been replaced by GET /api/security/logout
  • GET /api/security/v1/oidc/implicit has been replaced by GET /api/security/oidc/implicit
  • GET /api/security/v1/oidc has been replaced by GET /api/security/oidc/callback
  • POST /api/security/v1/oidc has been replaced by POST /api/security/oidc/initiate_login
  • POST /api/security/v1/saml has been replaced by POST /api/security/saml/callback
  • GET /api/security/v1/me has been removed with no replacement.

For more information, refer to #199656.

Impact
Any HTTP API calls to the v1 Kibana security endpoints will fail with a 404 status code starting from version 9.0.0. Third party OIDC and SAML identity providers configured with v1 endpoints will no longer work.

Action
Update any OIDC and SAML identity providers to reference the corresponding replacement endpoint listed above. Remove references to the /api/security/v1/me endpoint from any automations, applications, tooling, and scripts.
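To find callers of the removed alerting, cases and security v1 endpoints listed above, the following added example (not Elastic tooling) scans script or access-log lines and reports the replacement route for each hit. The route table is a subset transcribed from those lists, the matching is method-aware because some paths remain valid for other verbs, and the sample lines and host name are constructed.

```python
import re

# (method, legacy path template, replacement template or None when removed outright).
# Transcribed from the lists above; a subset, extend it from those lists as needed.
LEGACY_ROUTES = [
    ("POST", "/api/alerts/alert/{id}/_disable", "/api/alerting/rule/{id}/_disable"),
    ("POST", "/api/alerts/alert/{id}/_enable", "/api/alerting/rule/{id}/_enable"),
    ("POST", "/api/alerts/alert/{id}/_mute_all", "/api/alerting/rule/{id}/_mute_all"),
    ("POST", "/api/alerts/alert/{id}/_unmute_all", "/api/alerting/rule/{id}/_unmute_all"),
    ("POST", "/api/alerts/alert/{id}/_update_api_key", "/api/alerting/rule/{id}/_update_api_key"),
    # The legacy {alert_id} is the rule and {alert_instance_id} is the alert in the new
    # route, so the placeholders here use the new names on both sides.
    ("POST", "/api/alerts/alert/{rule_id}/alert_instance/{alert_id}/_mute",
     "/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute"),
    ("POST", "/api/alerts/alert/{rule_id}/alert_instance/{alert_id}/_unmute",
     "/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute"),
    ("POST", "/api/alerts/alert/{id?}", "/api/alerting/rule/{id?}"),
    ("GET", "/api/alerts/alert/{id}", "/api/alerting/rule/{id}"),
    ("DELETE", "/api/alerts/alert/{id}", "/api/alerting/rule/{id}"),
    ("GET", "/api/alerts/_find", "/api/alerting/rules/_find"),
    ("GET", "/api/alerts/_health", "/api/alerting/rule/_health"),
    ("GET", "/api/alerts/list_alert_types", "/api/alerting/rule_types"),
    ("GET", "/api/alerts/{id}/_instance_summary", None),
    ("GET", "/api/alerts/{id}/state", None),
    ("GET", "/api/cases/status", None),
    ("GET", "/api/cases/{case_id}/comments", "/api/cases/{case_id}/comments/_find"),
    ("GET", "/api/cases/{case_id}/user_actions", "/api/cases/{case_id}/user_actions/_find"),
    ("GET", "/api/security/v1/logout", "/api/security/logout"),
    ("GET", "/api/security/v1/oidc/implicit", "/api/security/oidc/implicit"),
    ("GET", "/api/security/v1/oidc", "/api/security/oidc/callback"),
    ("POST", "/api/security/v1/oidc", "/api/security/oidc/initiate_login"),
    ("POST", "/api/security/v1/saml", "/api/security/saml/callback"),
    ("GET", "/api/security/v1/me", None),
]

PARAM_RE = re.compile(r"/\{(\w+)(\??)\}")
METHOD_RE = re.compile(r"\b(GET|POST|PUT|DELETE)\b")
PATH_RE = re.compile(r"/api/[^\s\"'?#]*")   # path only; query string and quotes end it


def compile_template(template):
    """Turn '/api/x/{id}/y' into a regex; '{id?}' marks an optional segment.
    The literal parts of the templates above contain no regex metacharacters."""
    def segment(m):
        group = "/(?P<%s>[^/]+)" % m.group(1)
        return "(?:%s)?" % group if m.group(2) else group
    return re.compile(PARAM_RE.sub(segment, template) + "/?")


def fill(template, values):
    """Substitute the captured IDs into a replacement template."""
    return PARAM_RE.sub(
        lambda m: "/" + values[m.group(1)] if values.get(m.group(1)) else "", template)


ROUTES = [(verb, compile_template(old), new) for verb, old, new in LEGACY_ROUTES]


def scan(lines):
    """Return (line number, method, legacy path, replacement or None) per hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        path = PATH_RE.search(line)
        if not path:
            continue
        method = METHOD_RE.search(line)
        verb = method.group(1) if method else "GET"   # curl without -X sends GET
        for route_verb, pattern, new in ROUTES:
            hit = pattern.fullmatch(path.group(0)) if route_verb == verb else None
            if hit:
                target = fill(new, hit.groupdict()) if new else None
                findings.append((lineno, verb, path.group(0), target))
                break
    return findings


# Constructed sample input: one script line and several access-log lines.
SAMPLE = [
    'curl -s -X POST "https://kibana.example:5601/api/alerts/alert/41893910/_mute_all"',
    '10.0.0.7 - - "GET /api/security/v1/me HTTP/1.1" 200',
    '10.0.0.7 - - "GET /api/cases/1234/comments?page=1 HTTP/1.1" 200',
    '10.0.0.7 - - "POST /api/cases/1234/comments HTTP/1.1" 200',
    '10.0.0.9 - - "POST /s/soc/api/security/v1/saml HTTP/1.1" 302',
    '10.0.0.9 - - "GET /api/alerting/rules/_find HTTP/1.1" 200',
]

if __name__ == "__main__":
    for lineno, verb, old, new in scan(SAMPLE):
        print("line %d: %s %s -> %s" % (lineno, verb, old, new or "removed, no replacement"))
```

The POST to /api/cases/1234/comments in the sample is not reported because only the GET form of that path is listed as replaced.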

Access to all internal APIs is blocked (9.0.0)

Details
Access to internal Kibana HTTP APIs is restricted from version 9.0.0. This is to ensure that HTTP API integrations with Kibana avoid unexpected breaking changes. Refer to #193792.

Impact
Any HTTP API calls to internal Kibana endpoints will fail with a 400 status code starting from version 9.0.0.

Action
Do not integrate with internal HTTP APIs. They may change or be removed without notice, and lead to unexpected behaviors. If you would like some capability to be exposed over an HTTP API, create an issue. We would love to discuss your use case.

Get case metrics APIs became internal. (8.10)

Details
The get case metrics APIs are now internal. For more information, refer to (#162506).

Removed legacy project monitor API. (8.8)

Details
The project monitor API for Synthetics in Elastic Observability has been removed. For more information, refer to #155470.

Impact
In 8.8.0 and later, an error appears when you use the project monitor API.

Removed the current_upgrades endpoint. (8.7)

Details
The /api/fleet/current_upgrades endpoint has been removed. For more information, refer to #147616.

Impact
When you upgrade to 8.7.0, use the api/fleet/agents/action_status endpoint.

Removed the preconfiguration API route. (8.7)

Details
The /api/fleet/setup/preconfiguration API, which was released as generally available by error, has been removed. For more information, refer to #147199.

Impact
Do not use /api/fleet/setup/preconfiguration. To manage preconfigured agent policies, use kibana.yml. For more information, check Preconfigured settings.

Updated bulk action API to return actionId instead of agent success. (8.5)

Details
To make bulk action responses consistent, the bulk action API now returns actionId instead of agent IDs with success: True or success: False results. For more information, refer to #141757.

Impact
When you use FleetBulkResponse, you now receive only actionId responses.

Removed deprecated config fields from Logs and Metrics APIs and saved objects. (8.0)

Details
On the Logs and Metrics UIs, references to the following API and saved object deprecated fields have been removed:

  • timestamp
  • tiebreaker
  • container
  • pod
  • host

For more information, refer to #116821 and #115874.

Impact
When you upgrade to 8.0.0, you are unable to use references to the deprecated fields.

Removed /api/settings. (8.0)

Details
The /api/settings REST API has been removed. For more information, refer to #114730.

Impact
Use /api/stats.

Changed the GET /api/status default behavior. (8.0)

Details
GET /api/status reports a new and more verbose payload. For more information, refer to #110830.

Impact
To retrieve the Kibana status in the previous format, use GET /api/status?v7format=true.

Kibana platform

[Alerting] A new sub-feature privilege to control user access to the cases settings. (8.12)

Details
Roles with at least one sub-feature privilege configured no longer have the access to the cases settings that they had previously. Roles without a sub-feature privilege configured are not affected. For more information, refer to (#170635).

[Alerting] New case limits. (8.10)

Details
Limits are now imposed on the number of objects cases can process or the amount of data those objects can store.

For the full list, refer to #146945.

[Alerting] Changed privileges for alerts and cases. (8.8)

Details
The privileges for attaching alerts to cases have changed. For more information, refer to #147985.

Impact
To attach alerts to cases, you must have Read access to an Observability or Security feature that has alerts and All access to the Cases feature. For detailed information, check Kibana privileges and Configure access to cases.

[Alerting] Removed support for monitoring.cluster_alerts.allowedSpaces. (8.0)

Details
The monitoring.cluster_alerts.allowedSpaces setting, which Kibana uses to create Stack Monitoring alerts, has been removed. For more information, refer to #123229.

Impact
Before you upgrade to 8.0.0, remove monitoring.cluster_alerts.allowedSpaces from kibana.yml.

[Alerting] Removed xpack.task_manager.index setting. (8.0)

Details
The xpack.task_manager.index setting has been removed. For more information, refer to #114558.

Impact
Before you upgrade to 8.0.0, remove xpack.task_manager.index from kibana.yml.

[Alerting] Removed ability to remove Elastic-managed plugins. (8.0)

Details
The xpack.actions.enabled setting has been removed. For more information, refer to #113461.

Impact
Before you upgrade to 8.0.0, remove xpack.actions.enabled from kibana.yml.

[Alerting] Legacy RBAC exemption (9.0.0)

Details
The legacy role-based action control exemption for alerting rules has been removed in version 9.0.0.

Impact
Any alerting rules that rely on the legacy exemption will fail to trigger actions for alerts starting from version 9.0.0.

Action
To identify the affected rules run the following query in Dev Tools:

GET .kibana*/_search
{
  "runtime_mappings": {
    "apiKeyVersion": {
      "type": "keyword",
      "script": {
        "source": "def alert = params._source['alert']; if (alert != null) { def meta = alert.meta; if (meta != null) { emit(meta.versionApiKeyLastmodified); } else { emit('');}}"
      }
    }
  },
  "size": 10000,
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "type": "alert"
          }
        },
        {
          "term": {
            "apiKeyVersion": "pre-7.10.0"
          }
        }
      ]
    }
  },
  "_source": ["alert.name", "namespaces"]
}

To use normal RBAC authorization, edit each affected rule to update the API key.

[Data views] Removed filter validation for ad-hoc data views (8.5)

Details
Filters associated with unknown data views, such as deleted data views, are no longer automatically disabled. For more information, refer to #139431.

Impact
Filters associated with unknown data views now display a warning message instead of being automatically disabled.

[Dev tools] The addProcessorDefinition function was removed from Console. (8.10)

Details
The function addProcessorDefinition is removed from the Console plugin start contract (server side). For more information, refer to (#159041).

[Dev tools] Removed the console.ssl setting. (8.0)

Details
The console.ssl setting has been removed. For more information, refer to #123754.

Impact
Before you upgrade to 8.0.0, remove console.ssl from kibana.yml.

[Elastic Common Schema] Moved doc_root.vulnerability.package to doc_root.package (ECS). (8.11)

Details
This change updates all instances of vulnerability.package to the ECS standard package fieldset. For more information, refer to (#164651).

[ES|QL] Renamed an advanced setting to enable ES|QL. (8.14)

Details
The advanced setting which hides ES|QL from the UI has been renamed from discover:enableESQL to enableESQL. It is enabled by default and must be switched off to disable ES|QL features from your Kibana applications. For more information, refer to (#182074).

[ES|QL] Removed is_nan, is_finite, and is_infinite functions from ES|QL. (8.13)

Details
These functions have been removed from ES|QL queries as they are not supported. Errors would be thrown when trying to use them. For more information, refer to (#174674).

[Fleet] Added rate limiting to install by upload endpoint. (8.15)

Details
Rate limiting was added to the upload api/fleet/epm/packages endpoint. For more information, refer to #184036.

Impact
If you do two or more requests in less than 10 seconds, the subsequent requests fail with 429 Too Many Requests. Wait 10 seconds before uploading again. This change could potentially break automations for users that rely on frequent package uploads.

[Fleet] Removed conditional topics for Kafka outputs. (8.13)

Details
The Kafka output no longer supports conditional topics. For more information, refer to (#176879).

[Fleet] Most Fleet installed integrations are now read-only and labelled with a Managed tag in the Kibana UI. (8.13)

Details

Integration content installed by Fleet is no longer editable. This content is tagged with Managed in the Kibana UI, and is Elastic managed. This content cannot be edited or deleted. However, managed visualizations, dashboards, and saved searches can be cloned. The clones can be customized.

When cloning a dashboard the cloned panels become entirely independent copies that are unlinked from the original configurations and dependencies.

For managed content relating to specific visualization editors such as Lens, TSVB, and Maps, the clones retain the original reference configurations. The same applies to editing any saved searches in a managed visualization.

For more information, refer to (#172393).

[Fleet] Improved config output validation for default output. (8.11)

Details
Config output validation has been improved so that defining multiple default outputs in the Kibana configuration is no longer allowed. For more information, refer to (#167085).

[Fleet] Removed the package_policies field from the agent policy saved object. (8.5)

Details
The bidirectional foreign key between agent policy and package policy has been removed. For more information, refer to #138677.

Impact
The agent policy saved object no longer includes the package_policies field.

[Fleet] xpack.agents.* are now uneditable in UI when defined in kibana.yml. (8.4)

Details
When you configure xpack.fleet.agents.fleet_server.hosts and xpack.fleet.agents.elasticsearch.hosts in kibana.yml, you are unable to update the fields on the Fleet UI.

For more information, refer to #135669.

Impact
To configure xpack.fleet.agents.fleet_server.hosts and xpack.fleet.agents.elasticsearch.hosts on the Fleet UI, avoid configuring the settings in kibana.yml.

[Fleet] Split package policy upgrade endpoint for Fleet. (8.0)

Details
For package policy upgrades, the packagePolicy upgrade endpoint format supports a mutative upgrade operation (when dryRun: false) and a read-only dry run operation (when dryRun: true):

 POST /package_policies/upgrade
 {
   packagePolicyIds: [...],
   dryRun: false
 }

For more information, refer to #118854.

Impact
The endpoint is now split into two separate endpoints:

 POST /package_policies/upgrade
 {
   packagePolicyIds: [...]
 }

 POST /package_policies/upgrade/dry_run
 {
   packagePolicyIds: [...]
 }

[General settings] Updated request processing during shutdown. (8.16)

Details
During shutdown, Kibana now waits for all the ongoing requests to complete according to the server.shutdownTimeout setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body {"message": "Kibana is shutting down and not accepting new incoming requests"}. For more information, refer to #180986.

[General settings] Removed CONFIG_PATH and DATA_PATH environment variables. (8.0)

Details
The CONFIG_PATH and DATA_PATH environment variables have been removed. For more information, refer to #111535.

Impact
Replace the CONFIG_PATH environment variable with KBN_PATH_CONF, and replace DATA_PATH with the path.data setting.

[General settings] Removed support for csp.rules configuration. (8.0)

Details
Support for the csp.rules configuration property has been removed. For more information, refer to #114379.

Impact
Configuring the default csp.script_src, csp.workers_src, and csp.style_src values is not required.

[General settings] Changed and removed deprecated core settings and deprecated settings from core plugins. (8.0)

Details
The deprecation notice for server.cors has changed from level:critical to level:warning.

The following settings have changed:

  • The xpack.banners.placement value of header has been renamed to top

Support for the following configuration settings has been removed:

  • newsfeed.defaultLanguage
  • cpu.cgroup.path.override
  • cpuacct.cgroup.path.override
  • server.xsrf.whitelist
  • xpack.xpack_main.xpack_api_polling_frequency_millis
  • KIBANA_PATH_CONF

For more information, refer to #113653.

Impact
  • The header value of the xpack.banners.placement setting has been renamed to top
  • With newsfeed.defaultLanguage removed, newsfeed items are retrieved based on the browser locale and default to English
  • Replace cpu.cgroup.path.override with ops.cGroupOverrides.cpuPath
  • Replace cpuacct.cgroup.path.override with ops.cGroupOverrides.cpuAcctPath
  • Replace server.xsrf.whitelist with server.xsrf.allowlist
  • Replace xpack.xpack_main.xpack_api_polling_frequency_millis with xpack.licensing.api_polling_frequency
  • Replace KIBANA_PATH_CONF with the KBN_PATH_CONF environment variable to set the path to the Kibana configuration file

[General settings] Removed enabled settings from plugins. (8.0)

Details
Using {plugin_name}.enabled to disable plugins has been removed. Some plugins, such as telemetry, newsfeed, reporting, and the various vis_type plugins will continue to support this setting. All other Kibana plugins will not support this setting. Any new plugin will support this setting only when specified in the configSchema. For more information, refer to #113495.

The xpack.security.enabled setting has been removed. For more information, refer to #111681.

Impact
Before you upgrade to 8.0.0:

  • Remove {plugin_name}.enabled from kibana.yml. If you use the setting to control user access to Kibana applications, use Features controls instead.
  • Replace xpack.security.enabled with xpack.security.enabled in elasticsearch.yml.

[General settings] Removed --plugin-dir cli option. (8.0)

Details
The plugins.scanDirs setting and --plugin-dir cli option have been removed. For more information, refer to #113367.

Impact
Before you upgrade to 8.0.0, remove plugins.scanDirs from kibana.yml.

[General settings] Removed support for optimize.* settings. (8.0)

Details
The legacy optimize.* settings have been removed. If your configuration uses the following legacy optimize.* settings, Kibana fails to start:

  • optimize.lazy
  • optimize.lazyPort
  • optimize.lazyHost
  • optimize.lazyPrebuild
  • optimize.lazyProxyTimeout
  • optimize.enabled
  • optimize.bundleFilter
  • optimize.bundleDir
  • optimize.viewCaching
  • optimize.watch
  • optimize.watchPort
  • optimize.watchHost
  • optimize.watchPrebuild
  • optimize.watchProxyTimeout
  • optimize.useBundleCache
  • optimize.sourceMaps
  • optimize.workers
  • optimize.profile
  • optimize.validateSyntaxOfNodeModules

For more information, refer to #113296.

Impact
To run the @kbn/optimizer separately in development, pass --no-optimizer to yarn start. For more details, refer to #73154.

[General settings] Removed so/server/es settings. (8.0)

Details
Some of the savedObjects, server, and elasticsearch settings have been removed. If your configuration uses the following settings, Kibana fails to start:

  • savedObjects.indexCheckTimeout
  • server.xsrf.token
  • elasticsearch.preserveHost
  • elasticsearch.startupTimeout

For more information, refer to #113173.

Impact
Before you upgrade to 8.0.0, remove these settings from kibana.yml.

[General settings] Added requirement for inline scripting. (8.0)

Details
To start Kibana, you must enable inline scripting in Elasticsearch. For more information, refer to #113068.

Impact
Enable inline scripting.

[General settings] Removed kibana.index settings. (8.0)

Details
The kibana.index, xpack.reporting.index, and xpack.task_manager.index settings have been removed. For more information, refer to #112773.

Impact
Use spaces, cross-cluster replication, or cross-cluster search. To migrate to spaces, export your saved objects from a tenant into the default space. For more details, refer to #82020.

[General settings] Removed legacy logging. (8.0)

Details
The logging configuration and log output format has changed. For more information, refer to #112305.

Impact
Use the new logging system configuration.

[General settings] Removed kibana.defaultAppId setting. (8.0)

Details
The deprecated kibana.defaultAppId setting in kibana.yml, which is also available as kibana_legacy.defaultAppId, has been removed. For more information, refer to #109798.

Impact
When you upgrade, remove kibana.defaultAppId from your kibana.yml file. To configure the default route for users when they enter a space, use the defaultRoute in Advanced Settings.

[General settings] Removed courier:batchSearches setting. (8.0)

Details
The deprecated courier:batchSearches setting in Advanced Settings has been removed. For more information, refer to #109350.

Impact
When you upgrade, the courier:batchSearches setting will no longer be available.

[General settings] New session timeout defaults. (8.0)

Details
The default values for the session timeout xpack.security.session.{lifespan|idleTimeout} settings have changed. For more information, refer to #106061

Impact
The new default values are as follows:

  • xpack.security.session.idleTimeout: 3d
  • xpack.security.session.lifespan: 30d

[General settings] Removed support for setting server.host to 0. (8.0)

Details
Support for configuring Kibana with 0 as the server.host has been removed. Please use 0.0.0.0 instead. For more information, refer to #87114

Impact
You are now unable to use 0 as the server.host.

[General settings] Removed xpack.security.public and xpack.security.authProviders settings. (8.0)

Details
The xpack.security.public and xpack.security.authProviders settings have been removed. For more information, refer to #38657

Impact
Use the xpack.security.authc.saml.realm and xpack.security.authc.providers settings.

[General settings] Removed logging.useUTC setting. (8.0)

Details
The logging.useUTC setting has been removed. For more information, refer to #22696

Impact
The default timezone is UTC. To change the timezone, set logging.timezone: false in kibana.yml. Change the timezone when the system, such as a docker container, is configured for a nonlocal timezone.

[Index management] Removed support for time-based interval index patterns. (8.0)

Details
Time-based interval index patterns were deprecated in 5.x. In 6.x, you could no longer create time-based interval index patterns, but they continued to function as expected. Support for these index patterns has been removed in 8.0. For more information, refer to #35173

Impact
You must migrate your time_based index patterns to a wildcard pattern. For example, logstash-*.

[Logs] Removed deprecated alias config entries. (8.0)

Details
The deprecated xpack.infra.sources.default.logAlias and xpack.infra.sources.default.logAlias settings have been removed. For more information, refer to #115974.

Impact
Before you upgrade, remove the settings from kibana.yml, then configure the settings in Logs.

[Logs] Removed configurable fields in settings. (8.0)

Details
The Logs and Metrics configurable fields settings have been removed. For more information, refer to #61302.

Impact
Configure the settings in ECS.

[Machine learning] Removed APM jobs from Machine Learning. (8.0)

Details
APM Node.js and RUM JavaScript anomaly detection job modules have been removed. For more information, refer to #119945.

Impact
When you upgrade to 8.0.0, you are unable to create and view the APM Node.js and RUM JavaScript jobs in Machine Learning.

[Machine learning] Granted access to machine learning features when base privileges are used. (8.0)

Details
Machine learning features are included as base privileges. For more information, refer to #115444.

Impact
If you do not want to grant users privileges to machine learning features, update Users and Roles.

[Osquery] "All" base privilege option now also applies to Osquery. (8.3)

Details
The Osquery Kibana privilege has been updated, so that when the Privileges for all features level is set to All, this now applies All to Osquery privileges as well. Previously, users had to choose the Customize option to grant any access to Osquery. For more information, refer to #130523.

Impact
This impacts user roles that have Privileges for all features set to All. After this update, users with this role will have access to the Osquery page in Kibana. However, to use the Osquery feature fully, these requirements remain the same: users also need Read access to the logs-osquery_manager.result* index and the Osquery Manager integration must be deployed to Elastic Agents.

[Saved objects] Fail migrations for saved objects with unknown types. (8.0)

Details
Unknown saved object types now cause Kibana migrations to fail. For more information, refer to #107678.

Impact
To complete the migration, re-enable plugins or delete documents from the index in the previous version.

[Saved objects] Removed support for legacy exports. (8.0)

Details
In Kibana 8.0.0 and later, the legacy format from Kibana 6.x is unsupported. For more information, refer to #110738

Impact
Using the user interface to import saved objects is restricted to .ndjson format imports.

[Security] Removed legacy audit logger. (8.0)

Details
The legacy audit logger has been removed. For more information, refer to #116191.

Impact
Audit logs will be written to the default location in the new ECS format. To change the output file, filter events, and more, use the audit logging settings.

[Security] Legacy browsers rejected by default. (8.0)

Details
To provide the maximum level of protection for most installations, the csp.strict config is now enabled by default. Legacy browsers not supported by Kibana, such as Internet Explorer 11, are unable to access Kibana unless explicitly enabled. All browsers officially supported by Kibana do not have this issue. For more information, refer to #41700

Impact
To enable support for legacy browsers, set csp.strict: false in kibana.yml. To effectively enforce the security protocol, we strongly discourage disabling csp.strict unless it is critical that you support Internet Explorer 11.

[Setup] Removed platform from archive root directory. (8.0)

Details
After you extract an archive, the output directory no longer includes the target platform. For example, kibana-8.0.0-linux-aarch64.tar.gz produces a kibana-8.0.0 folder. For more information, refer to #93835.

Impact
To use the new folder, update the configuration management tools and automation.

[Setup] Removed default support for TLS v1.0 and v1.1. (8.0)

Details
The default support for TLS v1.0 and v1.1 has been removed. For more information, refer to #90511.

Impact
To enable support, set --tls-min-1.0 in the node.options configuration file. To locate the configuration file, go to the kibana/config folder or any other configuration with the KBN_PATH_CONF environment variable. For example, if you are using a Debian-based system, the configuration file is located in /etc/kibana.

[Setup] Removed support for sysv init. (8.0)

Details
All supported operating systems use systemd service files. Any system that doesn’t have service aliased to use kibana.service should use systemctl start kibana.service instead of service start kibana. For more information, refer to #74424.

Impact
If your installation uses .deb or .rpm packages with SysV, migrate to systemd.

[Setup] Disabled response logging as a default. (8.0)

Details
In previous versions, all events are logged in json when logging.json:true. With the new logging configuration, you can choose the json and pattern output formats with layouts. For more information, refer to #42353.

Impact
To restore the previous behavior, configure the logging format for each custom appender with the appender.layout property in kibana.yml. There is no default for custom appenders, and each appender must be configured explicitly.

[Sharing & Reporting] The Download CSV endpoint has changed. (8.10)

Details
The API endpoint for downloading a CSV file from a saved search in the Dashboard application has changed to reflect the fact that this is an internal API. The previous API path of /api/reporting/v1/generate/immediate/csv_searchsource has been changed to /internal/reporting/generate/immediate/csv_searchsource. For more information, refer to #162288.

[Sharing & Reporting] CSV reports now use PIT instead of Scroll. (8.6)

Details
CSV reports now use PIT instead of Scroll. Previously generated CSV reports that used an index alias with alias-only privileges, but without privileges on the alias referenced-indices will no longer generate. For more information, refer to #158338.

Impact
To generate CSV reports, grant read privileges to the underlying indices.

[Sharing & Reporting] Removed legacy CSV export type. (8.1)

Details
The /api/reporting/generate/csv endpoint has been removed. For more information, refer to #121435.

Impact
If you are using 7.13.0 and earlier, regenerate the POST URLs that you use to automatically generate CSV reports.

[Sharing & Reporting] Removed legacy PDF shim. (8.1)

Details
The POST URLs that you generated in Kibana 6.2.0 no longer work. For more information, refer to #121369.

Impact
Regenerate the POST URLs that you use to automatically generate PDF reports.

[Sharing & Reporting] Removed reporting settings. (8.0)

Details
The following settings have been removed:

  • xpack.reporting.capture.concurrency
  • xpack.reporting.capture.settleTime
  • xpack.reporting.capture.timeout
  • xpack.reporting.kibanaApp

For more information, refer to #114216.

Impact
Before you upgrade to 8.0.0, remove the settings from kibana.yml.

[Sharing & Reporting] Legacy job parameters are no longer supported. (8.0)

Details
Reporting is no longer compatible with POST URL snippets generated with Kibana 6.2.0 and earlier. For more information, refer to #52539

Impact
If you use POST URL snippets to automatically generate PDF reports, regenerate the POST URL strings.

[User management] Removed the ability to use elasticsearch.username: elastic in production. (8.0)

Details
In production, you are no longer able to use the elastic superuser to authenticate to Elasticsearch. For more information, refer to #122722.

Impact
When you configure elasticsearch.username: elastic, Kibana fails.
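The 8.0 configuration changes described in the sections above can be checked with a preflight pass over kibana.yml before the upgrade. This is an added example, not Elastic tooling: the tables cover a subset of the settings named on this page, the parser handles only plain nested mappings (no '#' inside quoted values), and the sample file is constructed.

```python
import re

# Settings the sections above list as removed in 8.0, with the action the page gives.
# A key matches when it equals an entry or sits beneath it (for example optimize.lazy).
REMOVED = {
    "optimize": "remove; Kibana fails to start",
    "savedObjects.indexCheckTimeout": "remove; Kibana fails to start",
    "server.xsrf.token": "remove; Kibana fails to start",
    "elasticsearch.preserveHost": "remove; Kibana fails to start",
    "elasticsearch.startupTimeout": "remove; Kibana fails to start",
    "server.xsrf.whitelist": "replace with server.xsrf.allowlist",
    "cpu.cgroup.path.override": "replace with ops.cGroupOverrides.cpuPath",
    "cpuacct.cgroup.path.override": "replace with ops.cGroupOverrides.cpuAcctPath",
    "xpack.security.public": "use xpack.security.authc.saml.realm and xpack.security.authc.providers",
    "xpack.security.authProviders": "use xpack.security.authc.saml.realm and xpack.security.authc.providers",
    "csp.rules": "remove",
    "console.ssl": "remove",
    "logging.useUTC": "remove; the default timezone is UTC",
    "plugins.scanDirs": "remove",
    "kibana.index": "remove; use spaces, cross-cluster replication, or cross-cluster search",
    "kibana.defaultAppId": "remove; use defaultRoute in Advanced Settings",
    "xpack.task_manager.index": "remove",
    "xpack.actions.enabled": "remove",
    "monitoring.cluster_alerts.allowedSpaces": "remove",
}

# Settings that still exist but whose listed value is rejected, renamed or discouraged.
VALUE_CHECKS = {
    "server.host": ("0", "0 is no longer accepted; use 0.0.0.0"),
    "elasticsearch.username": ("elastic", "Kibana fails when configured with the elastic superuser"),
    "xpack.banners.placement": ("header", "the value header was renamed to top"),
    "csp.strict": ("false", "turns off the strict CSP default; discouraged unless Internet Explorer 11 is required"),
}

# Defaults that changed in 8.0; reported when the key is left unset.
NEW_DEFAULTS = {
    "xpack.security.session.idleTimeout": "3d",
    "xpack.security.session.lifespan": "30d",
}

LINE_RE = re.compile(r"^(\s*)([^\s#:][^:]*?)\s*:\s*(.*)$")


def flatten(text):
    """Flatten nested 'key: value' mappings into dotted keys; list items are skipped."""
    stack, out = [], {}                      # stack holds (indent, key) of open blocks
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        out[".".join([k for _, k in stack] + [key])] = value
        if value == "":
            stack.append((indent, key))      # a nested block (or a list) follows
    return out


def check(text):
    """Return (setting, finding) pairs for a kibana.yml given as text."""
    cfg = flatten(text)
    findings = []
    for key in sorted(cfg):
        if any(other.startswith(key + ".") for other in cfg):
            continue                         # parent of a nested block, not a setting
        for removed, action in REMOVED.items():
            if key == removed or key.startswith(removed + "."):
                findings.append((key, "removed: " + action))
        bad = VALUE_CHECKS.get(key)
        if bad and cfg[key].lower() == bad[0]:
            findings.append((key, bad[1]))
    for key, default in NEW_DEFAULTS.items():
        if key not in cfg:
            findings.append((key, "not set: the 8.0 default of %s applies" % default))
    return findings


# Constructed sample kibana.yml mixing flat and nested keys.
SAMPLE = """\
server.host: 0
server.xsrf.whitelist: ["/api/custom"]
elasticsearch:
  username: elastic
  hosts: ["https://es.example:9200"]
optimize:
  enabled: false
csp.strict: false   # legacy browser support
csp.rules:
  - "script-src 'self'"
xpack.security.session.idleTimeout: 8h
"""

if __name__ == "__main__":
    for key, finding in check(SAMPLE):
        print("%s: %s" % (key, finding))
```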

[Visualizations] Removed the fields list sampling setting from Lens. (8.7)

Details
lens:useFieldExistenceSampling has been removed from Advanced Settings. The setting allowed you to enable document sampling to determine the fields that are displayed in Lens. For more information, refer to #149482.

Impact
In 8.1.0 and later, Kibana uses the field caps API, by default, to determine the fields that are displayed in Lens.

[Visualizations] Removed legacy pie chart visualization setting. (8.7)

Details
visualization:visualize:legacyPieChartsLibrary has been removed from Advanced Settings. The setting allowed you to create aggregation-based pie chart visualizations using the legacy charts library. For more information, refer to #146990.

Impact
In 7.14.0 and later, the new aggregation-based pie chart visualization is available by default. For more information, check Aggregation-based.

[Visualizations] Changed the histogram:maxBars default setting. (8.6)

Details
To configure higher resolution data histogram aggregations without changing the Advanced Settings, the default histogram:maxBars setting is now 1000 instead of 100. For more information, refer to #143081.

Impact
For each space, complete the following to change histogram:maxBars to the previous default setting:

  1. Open the main menu, then click Stack Management > Advanced Settings.
  2. Scroll or search for histogram:maxBars.
  3. Enter 100, then click Save changes.

[Visualizations] Removed the legacy Timelion charts library. (8.4)

Details
The legacy implementation of the Timelion visualization charts library has been removed. All Timelion visualizations now use the elastic-charts library, which was introduced in 7.15.0.

For more information, refer to #134336.

Impact
In 8.4.0 and later, you are unable to configure the Timelion legacy charts library advanced setting. For information about visualization Advanced Settings, check Visualization.

[Visualizations] Removed Quandl and Graphite integrations. (8.3)

Details
The experimental .quandl and .graphite functions and advanced settings are removed from Timelion. For more information, check #129581.

Impact
When you use the vis_type_timelion.graphiteUrls kibana.yml setting, Kibana successfully starts, but logs a [WARN ][config.deprecation] You no longer need to configure "vis_type_timelion.graphiteUrls". warning.

To leave your feedback about the removal of .quandl and .graphite, go to the discuss forum.

[Visualizations] Removed display options from legacy gauge visualizations. (8.0)

Details
The Display warnings option has been removed from the aggregation-based gauge visualization. For more information, refer to #113516.

Impact
When you create aggregation-based gauge visualizations, the Display warnings option is no longer available in Options > Labels.

[Visualizations] Removed settings from visEditors plugins. (8.0)

Details
The following deprecated visEditors plugin settings have been removed:

  • metric_vis.enabled
  • table_vis.enabled
  • tagcloud.enabled
  • metrics.enabled
  • metrics.chartResolution
  • chartResolution
  • metrics.minimumBucketSize
  • minimumBucketSize
  • vega.enabled
  • vega.enableExternalUrls
  • vis_type_table.legacyVisEnabled
  • timelion_vis.enabled
  • timelion.enabled
  • timelion.graphiteUrls
  • timelion.ui.enabled

For more information, refer to #112643.

Impact
Before you upgrade, make the following changes in kibana.yml:

  • Replace metric_vis.enabled with vis_type_metric.enabled
  • Replace table_vis.enabled with vis_type_table.enabled
  • Replace tagcloud.enabled with vis_type_tagcloud.enabled
  • Replace metrics.enabled with vis_type_timeseries.enabled
  • Replace metrics.chartResolution and chartResolution with vis_type_timeseries.chartResolution
  • Replace metrics.minimumBucketSize and minimumBucketSize with vis_type_timeseries.minimumBucketSize
  • Replace vega.enabled with vis_type_vega.enabled
  • Replace vega.enableExternalUrls with vis_type_vega.enableExternalUrls
  • Remove vis_type_table.legacyVisEnabled
  • Replace timelion_vis.enabled with vis_type_timelion.enabled
  • Replace timelion.enabled with vis_type_timelion.enabled
  • Replace timelion.graphiteUrls with vis_type_timelion.graphiteUrls
  • Remove timelion.ui.enabled
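
A pre-upgrade check for the settings listed above and for the elasticsearch.username: elastic entry earlier on this page, as an added example (not Elastic's tooling). The flatten and check helpers and the sample file are illustrative assumptions; the parser handles only plain key: value lines, flat or nested, not full YAML.

```python
import re

# Renames from the 8.0 visEditors entry; None means "remove the setting".
RENAMES = {
    "metric_vis.enabled": "vis_type_metric.enabled",
    "table_vis.enabled": "vis_type_table.enabled",
    "tagcloud.enabled": "vis_type_tagcloud.enabled",
    "metrics.enabled": "vis_type_timeseries.enabled",
    "metrics.chartResolution": "vis_type_timeseries.chartResolution",
    "chartResolution": "vis_type_timeseries.chartResolution",
    "metrics.minimumBucketSize": "vis_type_timeseries.minimumBucketSize",
    "minimumBucketSize": "vis_type_timeseries.minimumBucketSize",
    "vega.enabled": "vis_type_vega.enabled",
    "vega.enableExternalUrls": "vis_type_vega.enableExternalUrls",
    "vis_type_table.legacyVisEnabled": None,
    "timelion_vis.enabled": "vis_type_timelion.enabled",
    "timelion.enabled": "vis_type_timelion.enabled",
    "timelion.graphiteUrls": "vis_type_timelion.graphiteUrls",
    "timelion.ui.enabled": None,
}
KEY_LINE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):\s*(.*)$")

# Constructed kibana.yml fragment; every value is made up.
SAMPLE = """\
elasticsearch.username: "elastic"
timelion_vis.enabled: true
timelion.enabled: false
vega:
  enableExternalUrls: true
vis_type_table.legacyVisEnabled: true
timelion.graphiteUrls:
  - https://graphite.example.internal
"""


def flatten(text):
    """Map dotted setting names to (line number, value) for flat or nested keys."""
    stack, found = [], {}
    for number, raw in enumerate(text.splitlines(), 1):
        match = KEY_LINE.match(raw)
        if not match:
            continue  # comment, list item or blank line
        indent, key = len(match.group(1)), match.group(2)
        value = match.group(3).split(" #")[0].strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the nested block this key belonged to
        found[".".join([k for _, k in stack] + [key])] = (number, value)
        if not value:
            stack.append((indent, key))  # a mapping or list follows
    return found


def check(text):
    """Return sorted (line, setting, advice) findings for a kibana.yml string."""
    settings, findings, targets = flatten(text), [], {}
    line, user = settings.get("elasticsearch.username", (0, ""))
    if user == "elastic":
        findings.append((line, "elasticsearch.username", "superuser: Kibana fails (8.0)"))
    for old, new in RENAMES.items():
        if old in settings:
            line, value = settings[old]
            findings.append((line, old, f"rename to {new}" if new else "remove"))
            if new:  # collect every value headed for the same new name
                targets.setdefault(new, {settings.get(new, (0, value))[1]}).add(value)
    for new, values in targets.items():
        if len(values) > 1:
            findings.append((0, new, f"conflicting values {sorted(values)}"))
    if settings.keys() & {"timelion.graphiteUrls", "vis_type_timelion.graphiteUrls"}:
        findings.append((0, "vis_type_timelion.graphiteUrls", "8.3+ logs config.deprecation"))
    return sorted(findings)


if __name__ == "__main__":
    print(*check(SAMPLE), sep="\n")
```

On the sample, timelion_vis.enabled and timelion.enabled map to the same new setting with opposite values, which a plain search-and-replace would turn into a duplicate key.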

[Visualizations] Removed dimming opacity setting. (8.0)

Details
The Dimming opacity setting in Advanced Settings has been removed. For more information, refer to #111704.

Impact
When you upgrade to 8.0.0, you are no longer able to configure the dimming opacity for visualizations.

[Visualizations] Removes Less stylesheet support in TSVB. (8.0)

Details
In TSVB, custom Less stylesheets have been removed. For more information, refer to #110985.

Impact
Existing Less stylesheets are automatically converted to CSS stylesheets.

[Visualizations] Disabled the input string mode in TSVB. (8.0)

Details
In TSVB, the Index pattern selection mode option has been removed. For more information, refer to #110571.

Impact
To use index patterns and Elasticsearch indices in TSVB visualizations:

  1. Open the main menu, then click Stack Management > Advanced Settings.
  2. Select Allow string indices in TSVB.
  3. Click Save changes.

[Visualizations] Removed proxyElasticMapsServiceInMaps Maps setting. (8.0)

Details
The map.proxyElasticMapsServiceInMaps setting has been removed. For more information, refer to #116184.

Impact
Install the on-prem version of the Elastic Maps Service, which is a Docker service that resides in the Elastic Docker registry, in an accessible location on your internal network. When you complete the installation, update kibana.yml to point to the service.

[Visualizations] Removed map.regionmap.*. (8.0)

Details
The deprecated map.regionmap.* setting in kibana.yml has been removed. For more information, refer to #109896.

Impact
If you have maps that use map.regionmap layers:

  1. Remove the map.regionmap layer.
  2. To recreate the choropleth layer, use GeoJSON upload to index your static vector data into Elasticsearch.
  3. Create a choropleth layer from the indexed vector data.

[Visualizations] Removed dashboard-only mode. (8.0)

Details
The legacy dashboard-only mode has been removed. For more information, refer to #108103.

Impact
To grant users access to only dashboards, create a new role, then assign only the Dashboard feature privilege. For more information, refer to Kibana privileges.

[Visualizations] Removed xpack.maps.showMapVisualizationTypes setting. (8.0)

Details
The deprecated xpack.maps.showMapVisualizationTypes setting in kibana.yml has been removed. For more information, refer to #105979.

Impact
When you upgrade, remove xpack.maps.showMapVisualizationTypes from your kibana.yml file.

Elastic Observability solution

[APM] Removed apm_user. (8.3)

Details
Removes the apm_user role. For more information, check #132790.

Impact
The apm_user role is replaced with the viewer and editor built-in roles.

[SLOs] New SLO architecture. (8.12)

Details
We introduced a breaking change in the SLO features that will break any SLOs created before 8.12. These SLOs have to be manually reset through an API until we provide a UI for it. The data aggregated over time (rollup) is still available in the SLI v2 index, but won’t be used for summary calculation when reset.

The previous summary transforms, which summarized every SLO, are no longer used and can be stopped and deleted:

  • slo-summary-occurrences-7d-rolling
  • slo-summary-occurrences-30d-rolling
  • slo-summary-occurrences-90d-rolling
  • slo-summary-occurrences-monthly-aligned
  • slo-summary-occurrences-weekly-aligned
  • slo-summary-timeslices-7d-rolling
  • slo-summary-timeslices-30d-rolling
  • slo-summary-timeslices-90d-rolling
  • slo-summary-timeslices-monthly-aligned
  • slo-summary-timeslices-weekly-aligned

Be aware that when installing a new SLO (or after resetting an SLO), we install two transforms (one for the rollup data and one that summarizes the rollup data). Do not delete the new slo-summary-{slo_id}-{slo_revision} transforms. For more information, refer to (#172224).

[SLO] Introduced new summary search capabilities that will cause SLOs created before 8.10 to stop working. (8.10)

Details

  • SLO find API body parameters have changed.
  • The index mapping used by the rollup data has changed, and we have added a summary index that becomes the new source of truth for search.
  • The rollup transforms have been updated, but existing SLOs and their transforms won’t be updated.

If any SLOs were installed in a version prior to 8.10, they won’t work after migrating to 8.10. There are two approaches to handle this breaking change. The recommended route is to delete all SLOs before migrating to 8.10. The alternative is to migrate to 8.10 and manually remove the SLOs.

Removing SLOs before migrating to 8.10

Use the SLO UI or the SLO delete API to delete all existing SLOs. This takes care of the saved object, transform and rollup data. When all SLOs have been deleted, then delete the residual rollup indices: .slo-observability.sli-v1*. Note that this is v1.

Removing SLOs after migrating to 8.10

After migrating to 8.10, the previously created SLOs won’t appear in the UI because the API is using a new index. The previously created SLOs still exist, and associated transforms are still rolling up data into the previous index .slo-observability.sli-v1*. The SLO delete API can’t be used now, so remove the resources manually:

  1. Find all existing transforms

    All SLO-related transforms start with the slo- prefix. This request returns them all:

    GET _transform/slo-*

    Make a note of all the transform IDs for later.

  2. Stop all transforms

    POST _transform/slo-*/_stop?force=true

  3. Remove all transforms

    From the list of transforms returned during the first step, now delete them one by one:

    DELETE _transform/{transform_id}?force=true

  4. Find the SLO saved objects

    This request lists all the SLO saved objects. The SLO IDs and the saved object IDs are not the same.

    GET kbn:/api/saved_objects/_find?type=slo

    Make a note of all the saved object IDs from the response.

  5. Remove the SLO saved objects

    For each saved object ID, run the following:

    DELETE kbn:/api/saved_objects/slo/{Saved_Object_Id}

  6. Delete the rollup indices v1

    Note that this is v1.

    DELETE .slo-observability.sli-v1*
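
The six manual steps above, turned into an ordered request list built from the two lookup responses; this is an added example, not Elastic's code. The responses and IDs are constructed, attributes.id as the SLO ID field and the dest.index check are assumptions, and the function refuses to plan if a page of results is missing or a transform writes outside .slo-observability.sli-v1*.

```python
import json

LEGACY_INDEX = ".slo-observability.sli-v1"

# Constructed responses shaped like GET _transform/slo-* and
# GET kbn:/api/saved_objects/_find?type=slo; every ID below is made up.
TRANSFORMS = json.loads("""
{"count": 2, "transforms": [
  {"id": "slo-3f2a-1", "dest": {"index": ".slo-observability.sli-v1"}},
  {"id": "slo-9c41-2", "dest": {"index": ".slo-observability.sli-v1"}}]}
""")
SAVED_OBJECTS = json.loads("""
{"page": 1, "per_page": 20, "total": 2, "saved_objects": [
  {"type": "slo", "id": "7b0e6c1a-0001", "attributes": {"id": "3f2a"}},
  {"type": "slo", "id": "7b0e6c1a-0002", "attributes": {"id": "9c41"}}]}
""")


def cleanup_plan(transforms, saved_objects):
    """Return the Console requests for steps 2 to 6, in the page's order."""
    found = transforms["transforms"]
    objects = saved_objects["saved_objects"]
    # Both APIs page their results; a short list would leave resources behind.
    if transforms["count"] != len(found) or saved_objects["total"] != len(objects):
        raise ValueError("truncated response: fetch every page before planning")
    # Added safeguard: the procedure assumes every slo-* transform predates 8.10.
    newer = [t["id"] for t in found if not t["dest"]["index"].startswith(LEGACY_INDEX)]
    if newer:
        raise ValueError(f"transforms not writing to {LEGACY_INDEX}*: {newer}")
    plan = ["POST _transform/slo-*/_stop?force=true"]
    plan += [f"DELETE _transform/{t['id']}?force=true" for t in found]
    # Use the saved object ID (top-level "id"), not the SLO ID in attributes.
    plan += [f"DELETE kbn:/api/saved_objects/slo/{o['id']}" for o in objects]
    plan.append(f"DELETE {LEGACY_INDEX}*")
    return plan


if __name__ == "__main__":
    print(*cleanup_plan(TRANSFORMS, SAVED_OBJECTS), sep="\n")
```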

[Uptime] Uptime app now hidden when no data is available. (8.9)

Details
The Uptime app now gets hidden from the interface when it doesn’t have any data for more than a week. If you have a standalone Heartbeat pushing data to Elasticsearch, the Uptime app is considered active. You can disable this automatic behavior from the advanced settings in Kibana using the Always show legacy Uptime app option. For synthetic monitoring, we now recommend using the new Synthetics app. For more information, refer to #159118.

[Uptime] Removed synthetics pattern from Uptime settings. (8.9)

Details
Data from browser monitors and monitors of all types created within the Synthetics App or via the Elastic Synthetics Fleet Integration will no longer appear in Uptime. For more information, refer to #159012.

Elastic Search solution

Required security plugin. (8.0)

Details
Enterprise Search now requires that you enable X-Pack Security. For more information, refer to #106307.

Impact
Enable X-Pack Security.

Elastic Security solution

For the complete Elastic Security solution release information, refer to Elastic Security Solution Release Notes.

Remove original user and host risk scoring and all associated UIs (9.0.0)

Details

The original user and host risk score modules have been superseded since v8.10.0 by the Risk Engine.

In 9.0.0, these modules will no longer be supported, the scores will no longer display in the UI, and all UI controls associated with managing or upgrading the legacy modules will be removed.

Impact
As well as the legacy risk scores not being shown in the UI, alerts will no longer have the legacy risk score added to them in the <host|user>.risk.calculated_level and <host|user>.risk.calculated_score_norm fields.

The legacy risk scores are stored in the ml_host_risk_score_<space_id> and ml_user_risk_score_<space_id> indices. These indices will not be deleted if the user chooses not to upgrade.

Legacy risk scores are generated by the following transforms:

  • ml_hostriskscore_pivot_transform_<space_id>
  • ml_hostriskscore_latest_transform_<space_id>
  • ml_userriskscore_pivot_transform_<space_id>
  • ml_userriskscore_latest_transform_<space_id>

If a user does not upgrade to use the Risk Engine, these transforms will continue to run in 9.0.0, but it will be up to the user to manage them.

Action

Upgrade to use the Risk Engine in all spaces which use the legacy risk scoring modules:

  • In the main menu, go to Security > Manage > Entity Risk Score.
  • If the original user and host risk score modules are enabled, you’ll see a button to "Start update". Click the button, and follow the instructions.

[Elastic Defend] Converted filterQuery to KQL. (8.11)

Details
Converts filterQuery to a KQL query string. For more information, refer to (#161806).

Deprecation notices

The following functionality is deprecated and will be removed at a future date. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates to avoid use of deprecated features.

Use the Kibana Upgrade Assistant to prepare for your upgrade to the next version of the Elastic Stack. The assistant identifies deprecated settings in your configuration and guides you through the process of resolving issues if any deprecated features are enabled. To access the assistant, go to Stack Management > Upgrade Assistant.

Kibana APIs

Deprecated Agent reassign API PUT endpoint. (8.8)

Details
The PUT endpoint for the agent reassign API is deprecated. For more information, refer to #152236.

Impact
Use the POST endpoint for the agent reassign API.

Deprecated total in /agent_status Fleet API. (8.8)

Details
The total field in /agent_status Fleet API responses is deprecated. For more information, refer to #151564.

Impact
The /agent_status Fleet API now returns the following statuses:

  • all — All active and inactive
  • active — All active

Deprecated Saved objects APIs. (8.7)

Details
The following saved objects APIs have been deprecated.

/api/saved_objects/{type}/{id}
/api/saved_objects/resolve/{type}/{id}
/api/saved_objects/{type}/{id?}
/api/saved_objects/{type}/{id}
/api/saved_objects/_find
/api/saved_objects/{type}/{id}
/api/saved_objects/_bulk_get
/api/saved_objects/_bulk_create
/api/saved_objects/_bulk_resolve
/api/saved_objects/_bulk_update
/api/saved_objects/_bulk_delete

For more information, refer to (#150267).

Impact
Use dedicated public APIs instead. For example, use the Data views API to manage Data Views.

Updates Fleet API to improve consistency. (8.0)

Details
The Fleet API has been updated to improve consistency:

  • Hyphens are changed to underscores in some names.
  • The pkgkey path parameter in the packages endpoint is split.
  • The response and list properties are renamed to items or item in some responses.

For more information, refer to #119494.

Impact
When you upgrade to 8.0.0, use the following API changes:

  • Use enrollment_api_keys instead of enrollment-api-keys.
  • Use agent_status instead of agent-status.
  • Use service_tokens instead of service-tokens.
  • Use /epm/packages/{packageName}/{version} instead of /epm/packages/{pkgkey}.
  • Use items[] instead of response[] in:

    /api/fleet/enrollment_api_keys
    /api/fleet/agents
    /epm/packages/
    /epm/categories
    /epm/packages/_bulk
    /epm/packages/limited
    /epm/packages/{packageName}/{version} 

    Use items[] when the verb is POST or DELETE. Use item when the verb is GET or PUT.

For more information, refer to Fleet APIs.

Kibana platform

[Alerting] Action variables in the UI and in tests that were no longer used have been replaced. (8.10)

Details
The following rule action variables have been deprecated. Use the recommended variables (in parentheses) instead:

  • alertActionGroup (alert.actionGroup)
  • alertActionGroupName (alert.actionGroupName)
  • alertActionSubgroup (alert.actionSubgroup)
  • alertId (rule.id)
  • alertInstanceId (alert.id)
  • alertName (rule.name)
  • params (rule.params)
  • spaceId (rule.spaceId)
  • tags (rule.tags)

For more information, refer to (#161136).

[Discover] Search sessions are deprecated in 8.15.0 and will be removed in a future version. (8.15)

Details
Search sessions are now deprecated and will be removed in a future version. By default, queries that take longer than 10 minutes (the default for the advanced setting search:timeout) will be canceled. To allow queries to run longer, consider increasing search:timeout or setting it to 0, which allows queries to continue running as long as a user is waiting on-screen for results.

[General settings] Deprecated ephemeral Task Manager settings (8.8)

Details
The following Task Manager settings are deprecated:

  • xpack.task_manager.ephemeral_tasks.enabled
  • xpack.task_manager.ephemeral_tasks.request_capacity
  • xpack.alerting.maxEphemeralActionsPerAlert

For more information, refer to #154275.

Impact
To improve task execution resiliency, remove the deprecated settings from the kibana.yml file. For detailed information, check Task Manager settings in Kibana.

[General settings] Deprecated xpack.data_enhanced.* setting. (8.3)

Details
In kibana.yml, the xpack.data_enhanced.* setting is deprecated. For more information, check #122075.

Impact
Use the data.* configuration parameters instead.

[General settings] Removed xpack:defaultAdminEmail setting. (8.0)

Details
The xpack:default_admin_email setting for monitoring use has been removed. For more information, refer to #33603.

Impact
Use the xpack.monitoring.clusterAlertsEmail setting in kibana.yml.

[Security] Deprecated ApiKey authentication for interactive users. (8.4)

Details
The ability to authenticate interactive users with ApiKey via a web browser has been deprecated, and will be removed in a future version.

For more information, refer to #136422.

Impact
To authenticate interactive users via a web browser, use another authentication method. Use API keys only for programmatic access to Kibana and Elasticsearch.

[Security] Deprecated anonymous authentication credentials. (8.3)

Details
The apiKey, including key and ID/key pair, and elasticsearch_anonymous_user credential types for anonymous authentication providers are deprecated. For more information, check #131636.

Impact
If you have anonymous authentication provider configured with apiKey or elasticsearch_anonymous_user credential types, a deprecation warning appears, even when the provider is not enabled.

[Security] Deprecated v1 and v2 security_linux and security_windows jobs. (8.3)

Details
The v1 and v2 job configurations for security_linux and security_windows are deprecated. For more information, check #131166.

Impact
The following security_linux and security_windows job configurations are updated to v3:

  • security_linux:

    • v3_linux_anomalous_network_activity
    • v3_linux_anomalous_network_port_activity_ecs
    • v3_linux_anomalous_process_all_hosts_ecs
    • v3_linux_anomalous_user_name_ecs
    • v3_linux_network_configuration_discovery
    • v3_linux_network_connection_discovery
    • v3_linux_rare_metadata_process
    • v3_linux_rare_metadata_user
    • v3_linux_rare_sudo_user
    • v3_linux_rare_user_compiler
    • v3_linux_system_information_discovery
    • v3_linux_system_process_discovery
    • v3_linux_system_user_discovery
    • v3_rare_process_by_host_linux_ecs
  • security_windows:

    • v3_rare_process_by_host_windows_ecs
    • v3_windows_anomalous_network_activity_ecs
    • v3_windows_anomalous_path_activity_ecs
    • v3_windows_anomalous_process_all_hosts_ecs
    • v3_windows_anomalous_process_creation
    • v3_windows_anomalous_script
    • v3_windows_anomalous_service
    • v3_windows_anomalous_user_name_ecs
    • v3_windows_rare_metadata_process
    • v3_windows_rare_metadata_user
    • v3_windows_rare_user_runas_event
    • v3_windows_rare_user_type10_remote_login

[Setup] New versions of Kibana for macOS x86_64 will end after 8.17.

Details
New versions of Kibana builds for macOS x86_64 are deprecated and will no longer be released after 8.17. Kibana for macOS AArch64 is unaffected.

Use Docker to run new versions of Kibana on macOS x86_64.

[Sharing & Reporting] Downloading a CSV file from a saved search panel in a dashboard has become deprecated in favor of generating a CSV report. (8.14)

Details
The mechanism of exporting CSV data from a saved search panel in a dashboard has been changed to generate a CSV report, rather than allowing the CSV data to be downloaded without creating a report. To preserve the original behavior, it is necessary to update kibana.yml with the setting of xpack.reporting.csv.enablePanelActionDownload: true. The scope of this breaking change is limited to downloading CSV files from saved search panels only; downloading CSV files from other types of dashboard panels is unchanged. For more information, refer to #178159.

[Visualizations] Removed metrics:allowCheckingForFailedShards advanced setting. (8.17)

Details
The metrics:allowCheckingForFailedShards advanced setting has been removed. With this change, it is no longer possible to suppress warnings about failed shards in TSVB. For more information, refer to (#197227).

[Visualizations] The ability to create legacy input controls was hidden. (8.9)

Details
The option to create legacy input controls when creating a new visualization is hidden. For more information, refer to #156455.

[Visualizations] Removed legacy field stats. (8.9)

Details
Legacy field stats that were previously shown within a popover have been removed. For more information, refer to #155503.

[Visualizations] Deprecated input control panels in dashboards. (8.3)

Details
The input control panels, which allow you to add interactive filters to dashboards, are deprecated. For more information, check #132562.

Impact
To add interactive filters to your dashboards, use the new controls.

[Visualizations] Deprecated the Auto default legend size in Lens. (8.3)

Details
In the Lens visualization editor, the Auto default for Legend width has been deprecated. For more information, check #130336.

Impact
When you create a Lens visualization, the default for the Legend width is now Medium.

Elastic Observability solution

The Observability > Logs > Explorer app is now deprecated in favor of Discover. (8.17)

Details
Both the Logs Explorer and Logs Stream applications are now deprecated and will be removed in 9.0. We continue to make enhancements to Discover to offer similar functionality in 9.x.

Deprecated the Observability AI Assistant specific advanced setting observability:aiAssistantLogsIndexPattern. (8.16)

Details
The Observability AI Assistant specific advanced setting for Logs index patterns observability:aiAssistantLogsIndexPattern is deprecated and no longer used. The AI Assistant will now use the existing Log sources setting observability:logSources instead. For more information, refer to (#192003).

The Logs Stream was hidden by default in favor of the Logs Explorer app. (8.16)

Details
You can find the Logs Explorer app in the navigation menu under Logs > Explorer, or as a separate tab in Discover. For more information, refer to (#194519).

Impact
You can still show the Logs Stream app by navigating to Stack Management > Advanced Settings and enabling the observability:enableLogsStream setting.

[APM] Renamed the autocreate data view APM setting. (8.0)

Details
The xpack.apm.autocreateApmIndexPattern APM setting has been removed. For more information, refer to #120689.

Impact
To automatically create data views in APM, use xpack.apm.autoCreateApmDataView.

[Uptime] Uptime is deprecated in 8.15.0. (8.15)

Details
The Uptime app is already hidden from Kibana when there is no recent Heartbeat data. Migrate to Synthetics as an alternative. For more details, refer to the Uptime documentation.

[Uptime] Deprecated Synthetics and Uptime monitor schedules (8.8)

Details
Synthetics and Uptime monitor schedules and zip URL fields are deprecated. For more information, refer to #154010 and #154952.

Impact
When you create monitors in Uptime Monitor Management and the Synthetics app, unsupported schedules are automatically transferred to the nearest supported schedule. To use zip URLs, use project monitors.

[Uptime] Deprecated Elastic Synthetics integration. (8.8)

Details
The Elastic Synthetics integration is deprecated. For more information, refer to #149506.

Impact
To monitor endpoints, pages, and user journeys, go to Observability > Synthetics (beta).

Elastic Security solution

For the complete Elastic Security solution release information, refer to Elastic Security Solution Release Notes.