Upgrade notes
Before you upgrade, review the breaking changes and deprecations introduced in Kibana 8.x, then mitigate the impact.
For Elastic Security release information, refer to Elastic Security Solution Release Notes.
Breaking changes
Kibana APIs
Removed legacy alerting endpoints (9.0.0)
Details
- POST /api/alerts/alert/{id?} has been replaced by POST /api/alerting/rule/{id?}
- GET /api/alerts/alert/{id} has been replaced by GET /api/alerting/rule/{id}
- PUT /api/alerts/alert/{id} has been replaced by PUT /api/alerting/rule/rule/{id}
- DELETE /api/alerts/alert/{id} has been replaced by DELETE /api/alerting/rule/{id}
- POST /api/alerts/alert/{id}/_disable has been replaced by POST /api/alerting/rule/{id}/_disable
- POST /api/alerts/alert/{id}/_enable has been replaced by POST /api/alerting/rule/{id}/_enable
- GET /api/alerts/_find has been replaced by GET /api/alerting/rules/_find
- GET /api/alerts/_health has been replaced by GET /api/alerting/rule/_health
- GET /api/alerts/list_alert_types has been replaced by GET /api/alerting/rule_types
- POST /api/alerts/alert/{alert_id}/alert_instance/{alert_instance_id}/_mute has been replaced by POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
- POST /api/alerts/alert/{alert_id}/alert_instance/{alert_instance_id}/_unmute has been replaced by POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
- POST /api/alerts/alert/{id}/_mute_all has been replaced by POST /api/alerting/rule/{id}/_mute_all
- POST /api/alerts/alert/{id}/_unmute_all has been replaced by POST /api/alerting/rule/{id}/_unmute_all
- POST /api/alerts/alert/{id}/_update_api_key has been replaced by POST /api/alerting/rule/{id}/_update_api_key
- GET /api/alerts/{id}/_instance_summary has been deprecated without replacement. Will be removed in v9.0.0
- GET /api/alerts/{id}/state has been deprecated without replacement. Will be removed in v9.0.0
Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.
Action
Remove references to the GET /api/alerts/{id}/_instance_summary endpoint.
Remove references to the GET /api/alerts/{id}/state endpoint.
Replace references to the endpoints listed as deprecated with their replacements. See the Details section.
The updated APIs can be found at https://www.elastic.co/docs/api/doc/kibana/v8/group/endpoint-alerting
Removed legacy cases endpoints (9.0.0)
Details
- GET /api/cases/status has been deprecated with no replacement. Deleted in v9.0.0
- GET /api/cases/{case_id}/comments has been replaced by GET /api/cases/{case_id}/comments/_find released in v7.13
- GET /api/cases/<case_id>/user_actions has been replaced by GET /api/cases/<case_id>/user_actions/_find released in v8.7
- includeComments parameter in GET /api/cases/{case_id} has been deprecated. Use GET /api/cases/{case_id}/comments/_find instead, released in v7.13
Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.
Action
Remove references to the GET /api/cases/status endpoint.
Replace references to deprecated endpoints with the replacements listed in the breaking change details.
Removed all security v1 endpoints (9.0.0)
Details
All v1 Kibana security HTTP endpoints have been removed.
- GET /api/security/v1/logout has been replaced by GET /api/security/logout
- GET /api/security/v1/oidc/implicit has been replaced by GET /api/security/oidc/implicit
- GET /api/security/v1/oidc has been replaced by GET /api/security/oidc/callback
- POST /api/security/v1/oidc has been replaced by POST /api/security/oidc/initiate_login
- POST /api/security/v1/saml has been replaced by POST /api/security/saml/callback
- GET /api/security/v1/me has been removed with no replacement.
For more information, refer to #199656.
Impact
Any HTTP API calls to the v1 Kibana security endpoints will fail with a 404 status code starting from version 9.0.0.
Third party OIDC and SAML identity providers configured with v1 endpoints will no longer work.
Action
Update any OIDC and SAML identity providers to reference the corresponding replacement endpoint listed above.
Remove references to the /api/security/v1/me endpoint from any automations, applications, tooling, and scripts.
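To find identity providers and scripts that still call the removed v1 security endpoints before upgrading, you can scan proxy or Kibana access logs for them. The following is an added example, not code from Kibana or Elastic; it assumes access logs with a quoted request line (common/combined log format), an optional base path passed by the caller, and constructed sample log lines.

```python
import re
from collections import Counter

# (method, removed v1 path) -> replacement, copied from the list above.
# None marks the endpoint that was removed with no replacement.
V1_REPLACEMENTS = {
    ("GET", "/api/security/v1/logout"): "GET /api/security/logout",
    ("GET", "/api/security/v1/oidc/implicit"): "GET /api/security/oidc/implicit",
    ("GET", "/api/security/v1/oidc"): "GET /api/security/oidc/callback",
    ("POST", "/api/security/v1/oidc"): "POST /api/security/oidc/initiate_login",
    ("POST", "/api/security/v1/saml"): "POST /api/security/saml/callback",
    ("GET", "/api/security/v1/me"): None,
}
NO_REPLACEMENT = "removed with no replacement; remove the caller"
UNLISTED = "not in the replacement list; review manually"
V1_PREFIX = "/api/security/v1/"

# Assumption: the request line is quoted, as in common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target, base_path=""):
    """Drop the query string, an optional base path and any trailing slash."""
    path = target.split("?", 1)[0]
    if base_path and path.startswith(base_path + "/"):
        path = path[len(base_path):]
    return path.rstrip("/") or "/"


def find_v1_calls(log_lines, base_path=""):
    """Count requests to removed v1 security endpoints.

    Returns a Counter keyed by (method, path, advice). The method matters:
    GET and POST on /api/security/v1/oidc have different replacements.
    """
    findings = Counter()
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not an HTTP request line
        method = match.group("method")
        path = normalize_path(match.group("target"), base_path)
        if not path.startswith(V1_PREFIX):
            continue
        if (method, path) in V1_REPLACEMENTS:
            advice = V1_REPLACEMENTS[(method, path)] or NO_REPLACEMENT
        else:
            advice = UNLISTED
        findings[(method, path, advice)] += 1
    return findings


# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "POST /api/security/v1/saml HTTP/1.1" 302 0',
    '203.0.113.10 - - [12/Mar/2025:10:04:40 +0000] "POST /api/security/v1/saml HTTP/1.1" 302 0',
    '203.0.113.11 - - [12/Mar/2025:10:05:13 +0000] "GET /api/security/v1/oidc?code=constructed&state=constructed HTTP/1.1" 302 0',
    '203.0.113.11 - - [12/Mar/2025:10:05:14 +0000] "POST /api/security/v1/oidc HTTP/1.1" 200 87',
    '198.51.100.7 - - [12/Mar/2025:10:06:00 +0000] "GET /kibana/api/security/v1/me HTTP/1.1" 200 431',
    '198.51.100.7 - - [12/Mar/2025:10:06:30 +0000] "GET /api/security/logout HTTP/1.1" 302 0',
    '198.51.100.8 - - [12/Mar/2025:10:07:00 +0000] "GET /api/security/v1/oidc/implicit/ HTTP/1.1" 200 912',
    'kibana restarted',
]

if __name__ == "__main__":
    for (method, path, advice), count in sorted(
        find_v1_calls(SAMPLE_LOG, base_path="/kibana").items()
    ):
        print(f"{count:3d}  {method} {path}  ->  {advice}")
```

Each distinct client address behind a finding is an identity provider configuration or automation that needs updating before the upgrade.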
Access to all internal APIs is blocked (9.0.0)
Details
Access to internal Kibana HTTP APIs is restricted from version 9.0.0. This is to ensure
that HTTP API integrations with Kibana avoid unexpected breaking changes.
Refer to #193792.
Impact
Any HTTP API calls to internal Kibana endpoints will fail with a 400 status code starting
from version 9.0.0.
Action
Do not integrate with internal HTTP APIs. They may change or be removed without notice,
and lead to unexpected behaviors. If you would like some capability to be exposed over an
HTTP API, create an issue.
We would love to discuss your use case.
Get case metrics APIs became internal. (8.10)
Details
The get case metrics APIs are now internal. For more information, refer to (#162506).
Removed legacy project monitor API. (8.8)
Details
The project monitor API for Synthetics in Elastic Observability has been removed. For more information, refer to #155470.
Impact
In 8.8.0 and later, an error appears when you use the project monitor API.
Removed the current_upgrades endpoint. (8.7)
Details
The /api/fleet/current_upgrades endpoint has been removed. For more information, refer to #147616.
Impact
When you upgrade to 8.7.0, use the api/fleet/agents/action_status endpoint.
Removed the preconfiguration API route. (8.7)
Details
The /api/fleet/setup/preconfiguration API, which was released as generally available by error, has been removed. For more information, refer to #147199.
Impact
Do not use /api/fleet/setup/preconfiguration. To manage preconfigured agent policies, use kibana.yml. For more information, check Preconfigured settings.
Updated bulk action API to return actionId instead of agent success. (8.5)
Details
To make bulk action responses consistent, the bulk action API returns actionId instead of agent ids with success: True or success: False results. For more information, refer to #141757.
Impact
When you use FleetBulkResponse, you now receive only actionId responses.
Removed deprecated config fields from Logs and Metrics APIs and saved objects. (8.0)
Details
On the Logs and Metrics UIs, references to the following API and saved object deprecated fields have been removed:
- timestamp
- tiebreaker
- container
- pod
- host
For more information, refer to #116821 and #115874.
Impact
When you upgrade to 8.0.0, you are unable to use references to the deprecated fields.
Removed /api/settings. (8.0)
Details
The /api/settings REST API has been removed. For more information, refer to #114730.
Impact
Use /api/stats.
Changed the GET /api/status default behavior. (8.0)
Details
GET /api/status reports a new and more verbose payload. For more information, refer to #110830.
Impact
To retrieve the Kibana status in the previous format, use GET /api/status?v7format=true.
Kibana platform
[Alerting] A new sub-feature privilege to control user access to the cases settings. (8.12)
Details
Roles with at least a sub-feature privilege configured will not have access to the cases setting like they had previously. All roles without a sub-feature privilege configured will not be affected. For more information, refer to (#170635).
[Alerting] New case limits. (8.10)
Details
Limits are now imposed on the number of objects cases can process or the amount of data those objects can store.
For the full list, refer to #146945.
[Alerting] Changed privileges for alerts and cases. (8.8)
Details
The privileges for attaching alerts to cases have changed. For more information, refer to #147985.
Impact
To attach alerts to cases, you must have Read access to an Observability or Security feature that has alerts and All access to the Cases feature. For detailed information, check Kibana privileges and Configure access to cases.
[Alerting] Removed support for monitoring.cluster_alerts.allowedSpaces. (8.0)
Details
The monitoring.cluster_alerts.allowedSpaces setting, which Kibana uses to create Stack Monitoring alerts, has been removed. For more information, refer to #123229.
Impact
Before you upgrade to 8.0.0, remove monitoring.cluster_alerts.allowedSpaces from kibana.yml.
[Alerting] Removed xpack.task_manager.index setting. (8.0)
Details
The xpack.task_manager.index setting has been removed. For more information, refer to #114558.
Impact
Before you upgrade to 8.0.0, remove xpack.task_manager.index from kibana.yml.
[Alerting] Removed ability to remove Elastic-managed plugins. (8.0)
Details
The xpack.actions.enabled setting has been removed. For more information, refer to #113461.
Impact
Before you upgrade to 8.0.0, remove xpack.actions.enabled from kibana.yml.
[Alerting] Legacy RBAC exemption (9.0.0)
Details
The legacy role-based action control exemption for alerting rules has been removed in version 9.0.0.
Impact
Any alerting rules that rely on the legacy exemption will fail to trigger actions for alerts starting
from version 9.0.0.
Action
To identify the affected rules, run the following query in Dev Tools:
GET .kibana*/_search
{
  "runtime_mappings": {
    "apiKeyVersion": {
      "type": "keyword",
      "script": {
        "source": "def alert = params._source['alert']; if (alert != null) { def meta = alert.meta; if (meta != null) { emit(meta.versionApiKeyLastmodified); } else { emit('');}}"
      }
    }
  },
  "size": 10000,
  "query": {
    "bool": {
      "filter": [
        { "term": { "type": "alert" } },
        { "term": { "apiKeyVersion": "pre-7.10.0" } }
      ]
    }
  },
  "_source": ["alert.name", "namespaces"]
}
To use normal RBAC authorization, edit each affected rule to update the API key.
[Data views] Removed filter validation for ad-hoc data views (8.5)
Details
Filters associated with unknown data views, such as deleted data views, are no longer automatically disabled. For more information, refer to #139431.
Impact
Filters associated with unknown data views now display a warning message instead of being automatically disabled.
[Dev tools] The addProcessorDefinition function was removed from Console. (8.10)
Details
The function addProcessorDefinition is removed from the Console plugin start contract (server side). For more information, refer to (#159041).
[Dev tools] Removed the console.ssl setting. (8.0)
Details
The console.ssl setting has been removed. For more information, refer to #123754.
Impact
Before you upgrade to 8.0.0, remove console.ssl from kibana.yml.
[Elastic Common Schema] Moved doc_root.vulnerability.package to doc_root.package (ECS). (8.11)
Details
This change updates all instances of vulnerability.package to the ECS standard package fieldset. For more information, refer to (#164651).
[ES|QL] Renamed an advanced setting to enable ES|QL. (8.14)
Details
The advanced setting which hides ES|QL from the UI has been renamed from discover:enableESQL to enableESQL. It is enabled by default and must be switched off to disable ES|QL features from your Kibana applications. For more information, refer to (#182074).
[ES|QL] Removed is_nan, is_finite, and is_infinite functions from ES|QL. (8.13)
Details
These functions have been removed from ES|QL queries as they are not supported. Errors would be thrown when trying to use them. For more information, refer to (#174674).
[Fleet] Added rate limiting to install by upload endpoint. (8.15)
Details
Rate limiting was added to the upload api/fleet/epm/packages endpoint. For more information, refer to #184036.
Impact
If you do two or more requests in less than 10 seconds, the subsequent requests fail with 429 Too Many Requests.
Wait 10 seconds before uploading again.
This change could potentially break automations for users that rely on frequent package uploads.
[Fleet] Removed conditional topics for Kafka outputs. (8.13)
Details
The Kafka output no longer supports conditional topics. For more information, refer to (#176879).
[Fleet] Most Fleet installed integrations are now read-only and labelled with a Managed tag in the Kibana UI. (8.13)
Details
Integration content installed by Fleet is no longer editable. This content is tagged with Managed in the Kibana UI, and is Elastic managed. This content cannot be edited or deleted. However, managed visualizations, dashboards, and saved searches can be cloned. The clones can be customized.
When cloning a dashboard the cloned panels become entirely independent copies that are unlinked from the original configurations and dependencies.
For managed content relating to specific visualization editors such as Lens, TSVB, and Maps, the clones retain the original reference configurations. The same applies to editing any saved searches in a managed visualization.
For more information, refer to (#172393).
[Fleet] Improved config output validation for default output. (8.11)
Details
Improved config output validation to disallow defining multiple default outputs in the Kibana configuration. For more information, refer to (#167085).
[Fleet] Removed the package_policies field from the agent policy saved object. (8.5)
Details
The bidirectional foreign key between agent policy and package policy has been removed. For more information, refer to #138677.
Impact
The agent policy saved object no longer includes the package_policies field.
[Fleet] xpack.agents.* are now uneditable in UI when defined in kibana.yml. (8.4)
Details
When you configure xpack.fleet.agents.fleet_server.hosts and xpack.fleet.agents.elasticsearch.hosts in kibana.yml, you are unable to update the fields on the Fleet UI.
For more information, refer to #135669.
Impact
To configure xpack.fleet.agents.fleet_server.hosts and xpack.fleet.agents.elasticsearch.hosts on the Fleet UI, avoid configuring the settings in kibana.yml.
[Fleet] Split package policy upgrade endpoint for Fleet. (8.0)
Details
For package policy upgrades, the packagePolicy upgrade endpoint format supports a mutative upgrade operation (when dryRun: false) and a read-only dry run operation (when dryRun: true):
POST /package_policies/upgrade { packagePolicyIds: [...], dryRun: false }
For more information, refer to #118854.
Impact
The endpoint is now split into two separate endpoints:
POST /package_policies/upgrade { packagePolicyIds: [...] }
POST /package_policies/upgrade/dry_run { packagePolicyIds: [...] }
[General settings] Updated request processing during shutdown. (8.16)
Details
During shutdown, Kibana now waits for all the ongoing requests to complete according to the server.shutdownTimeout setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body {"message": "Kibana is shutting down and not accepting new incoming requests"}. For more information, refer to #180986.
[General settings] Removed CONFIG_PATH and DATA_PATH environment variables. (8.0)
Details
The CONFIG_PATH and DATA_PATH environment variables have been removed. For more information, refer to #111535.
Impact
Replace the CONFIG_PATH environment variable with KBN_PATH_CONF, and replace DATA_PATH with the path.data setting.
[General settings] Removed support for csp.rules configuration. (8.0)
Details
Support for the csp.rules configuration property has been removed. For more information, refer to #114379.
Impact
Configuring the default csp.script_src, csp.workers_src, and csp.style_src values is not required.
[General settings] Changed and removed deprecated core settings and deprecated settings from core plugins. (8.0)
Details
The deprecation notice for server.cors has changed from level:critical to level:warning.
The following settings have changed:
- The xpack.banners.placement value of header has been renamed to top
Support for the following configuration settings has been removed:
- newsfeed.defaultLanguage
- cpu.cgroup.path.override
- cpuacct.cgroup.path.override
- server.xsrf.whitelist
- xpack.xpack_main.xpack_api_polling_frequency_millis
- KIBANA_PATH_CONF
For more information, refer to #113653.
Impact
- The header value provided to the xpack.banners.placement configuration has been renamed to top
- The newsfeed.defaultLanguage newsfeed items are retrieved based on the browser locale and default to English
- Replace cpu.cgroup.path.override with ops.cGroupOverrides.cpuPath
- Replace cpuacct.cgroup.path.override with ops.cGroupOverrides.cpuAcctPath
- Replace server.xsrf.whitelist with server.xsrf.allowlist
- Replace xpack.xpack_main.xpack_api_polling_frequency_millis with xpack.licensing.api_polling_frequency
- Replace KIBANA_PATH_CONF path to the Kibana configuration file using the KBN_PATH_CONF environment variable
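A pre-upgrade check of kibana.yml for the core settings listed above can be scripted. The following is an added example, not Elastic tooling; it uses a deliberately small YAML reader (dotted keys and nested mappings only, an assumption that fits typical kibana.yml files) and a constructed sample configuration. KIBANA_PATH_CONF is an environment variable and is not covered.

```python
# Renames and removals copied from the list above.
RENAMED = {
    "cpu.cgroup.path.override": "ops.cGroupOverrides.cpuPath",
    "cpuacct.cgroup.path.override": "ops.cGroupOverrides.cpuAcctPath",
    "server.xsrf.whitelist": "server.xsrf.allowlist",
    "xpack.xpack_main.xpack_api_polling_frequency_millis":
        "xpack.licensing.api_polling_frequency",
}
REMOVED = {"newsfeed.defaultLanguage"}


def flatten_settings(text):
    """Flatten kibana.yml text into {dotted.key: (line_no, value)}.

    Handles 'a.b.c: value' and nested mappings (by indentation), including
    a mix of both. Keys whose value is a list or mapping are recorded with
    an empty value. List items and comments are skipped. This is a
    simplification, not a full YAML parser.
    """
    stack = []      # (indent, key) for each open parent mapping
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        if ":" not in stripped:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = stripped.partition(":")
        key = key.strip()
        # Close parent mappings that are not parents of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([parent for _, parent in stack] + [key])
        value = value.strip().strip("'\"")
        settings[dotted] = (line_no, value)
        if value == "":
            stack.append((indent, key))   # may hold nested keys
    return settings


def audit(text):
    """Return sorted (line_no, setting, advice) tuples for kibana.yml text."""
    findings = []
    for key, (line_no, value) in flatten_settings(text).items():
        if key in RENAMED:
            findings.append((line_no, key, "replace with " + RENAMED[key]))
        elif key in REMOVED:
            findings.append((line_no, key, "remove; setting no longer supported"))
        elif key == "xpack.banners.placement" and value == "header":
            findings.append((line_no, key, "change value header to top"))
    return sorted(findings)


# Constructed sample configuration mixing dotted and nested keys.
SAMPLE_KIBANA_YML = """\
server.host: "0.0.0.0"
server.xsrf.whitelist:
  - /api/custom/webhook
xpack:
  banners:
    placement: header   # old value
    textContent: "Maintenance"
  xpack_main.xpack_api_polling_frequency_millis: 30000
cpu.cgroup.path.override: /
newsfeed.defaultLanguage: fr
"""

if __name__ == "__main__":
    for line_no, key, advice in audit(SAMPLE_KIBANA_YML):
        print(f"kibana.yml:{line_no}: {key}: {advice}")
```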
[General settings] Removed enabled settings from plugins. (8.0)
Details
Using {plugin_name}.enabled to disable plugins has been removed. Some plugins, such as telemetry, newsfeed, reporting, and the various vis_type plugins will continue to support this setting. All other Kibana plugins will not support this setting. Any new plugin will support this setting only when specified in the configSchema. For more information, refer to #113495.
The xpack.security.enabled setting has been removed. For more information, refer to #111681.
Impact
Before you upgrade to 8.0.0:
- Remove {plugin_name}.enabled from kibana.yml. If you use the setting to control user access to Kibana applications, use Features controls instead.
- Replace xpack.security.enabled with xpack.security.enabled in elasticsearch.yml.
[General settings] Removed --plugin-dir cli option. (8.0)
Details
The plugins.scanDirs setting and --plugin-dir cli option have been removed. For more information, refer to #113367.
Impact
Before you upgrade to 8.0.0, remove plugins.scanDirs from kibana.yml.
[General settings] Removed support for optimize.* settings. (8.0)
Details
The legacy optimize.* settings have been removed. If your configuration uses the following legacy optimize.* settings, Kibana fails to start:
- optimize.lazy
- optimize.lazyPort
- optimize.lazyHost
- optimize.lazyPrebuild
- optimize.lazyProxyTimeout
- optimize.enabled
- optimize.bundleFilter
- optimize.bundleDir
- optimize.viewCaching
- optimize.watch
- optimize.watchPort
- optimize.watchHost
- optimize.watchPrebuild
- optimize.watchProxyTimeout
- optimize.useBundleCache
- optimize.sourceMaps
- optimize.workers
- optimize.profile
- optimize.validateSyntaxOfNodeModules
For more information, refer to #113296.
Impact
To run the @kbn/optimizer separately in development, pass --no-optimizer to yarn start. For more details, refer to #73154.
[General settings] Removed so/server/es settings. (8.0)
Details
Some of the savedObjects, server, and elasticsearch settings have been removed. If your configuration uses the following settings, Kibana fails to start:
- savedObjects.indexCheckTimeout
- server.xsrf.token
- elasticsearch.preserveHost
- elasticsearch.startupTimeout
For more information, refer to #113173.
Impact
Before you upgrade to 8.0.0, remove these settings from kibana.yml.
[General settings] Added requirement for inline scripting. (8.0)
Details
To start Kibana, you must enable inline scripting in Elasticsearch. For more information, refer to #113068.
Impact
Enable inline scripting.
[General settings] Removed kibana.index settings. (8.0)
Details
The kibana.index, xpack.reporting.index, and xpack.task_manager.index settings have been removed. For more information, refer to #112773.
Impact
Use spaces, cross-cluster replication, or cross-cluster search. To migrate to spaces, export your saved objects from a tenant into the default space. For more details, refer to #82020.
[General settings] Removed legacy logging. (8.0)
Details
The logging configuration and log output format has changed. For more information, refer to #112305.
Impact
Use the new logging system configuration.
[General settings] Removed kibana.defaultAppId setting. (8.0)
Details
The deprecated kibana.defaultAppId setting in kibana.yml, which is also available as kibana_legacy.defaultAppId, has been removed. For more information, refer to #109798.
Impact
When you upgrade, remove kibana.defaultAppId from your kibana.yml file. To configure the default route for users when they enter a space, use the defaultRoute in Advanced Settings.
[General settings] Removed courier:batchSearches setting. (8.0)
Details
The deprecated courier:batchSearches setting in Advanced Settings has been removed. For more information, refer to #109350.
Impact
When you upgrade, the courier:batchSearches setting will no longer be available.
[General settings] New session timeout defaults. (8.0)
Details
The default values for the session timeout xpack.security.session.{lifespan|idleTimeout} settings have changed. For more information, refer to #106061.
Impact
The new default values are as follows:
- xpack.security.session.idleTimeout: 3d
- xpack.security.session.lifespan: 30d
[General settings] Removed support for setting server.host to 0. (8.0)
Details
Support for configuring Kibana with 0 as the server.host has been removed. Please use 0.0.0.0 instead. For more information, refer to #87114.
Impact
You are now unable to use 0 as the server.host.
[General settings] Removed xpack.security.public and xpack.security.authProviders settings. (8.0)
Details
The xpack.security.public and xpack.security.authProviders settings have been removed. For more information, refer to #38657.
Impact
Use the xpack.security.authc.saml.realm and xpack.security.authc.providers settings.
[General settings] Removed logging.useUTC setting. (8.0)
Details
The logging.useUTC setting has been removed. For more information, refer to #22696.
Impact
The default timezone is UTC. To change the timezone, set logging.timezone: false in kibana.yml. Change the timezone when the system, such as a docker container, is configured for a nonlocal timezone.
[Index management] Removed support for time-based interval index patterns. (8.0)
Details
Time-based interval index patterns were deprecated in 5.x. In 6.x, you could no longer create time-based interval index patterns, but they continued to function as expected. Support for these index patterns has been removed in 8.0. For more information, refer to #35173
Impact
You must migrate your time_based index patterns to a wildcard pattern. For example, logstash-*.
[Logs] Removed deprecated alias config entries. (8.0)
[Logs] Removed configurable fields in settings. (8.0)
[Machine learning] Removed APM jobs from Machine Learning. (8.0)
Details
APM Node.js and RUM JavaScript anomaly detection job modules have been removed. For more information, refer to #119945.
Impact
When you upgrade to 8.0.0, you are unable to create and view the APM Node.js and RUM JavaScript jobs in Machine Learning.
[Machine learning] Granted access to machine learning features when base privileges are used. (8.0)
Details
Machine learning features are included as base privileges. For more information, refer to #115444.
Impact
If you do not want to grant users privileges to machine learning features, update Users and Roles.
[Osquery] "All" base privilege option now also applies to Osquery. (8.3)
Details
The Osquery Kibana privilege has been updated, so that when the Privileges for all features level is set to All, this now applies All to Osquery privileges as well. Previously, users had to choose the Customize option to grant any access to Osquery. For more information, refer to #130523.
Impact
This impacts user roles that have Privileges for all features set to All. After this update, users with this role will have access to the Osquery page in Kibana. However, to use the Osquery feature fully, these requirements remain the same: users also need Read access to the logs-osquery_manager.result* index and the Osquery Manager integration must be deployed to Elastic Agents.
[Saved objects] Fail migrations for saved objects with unknown types. (8.0)
Details
Unknown saved object types now cause Kibana migrations to fail. For more information, refer to #107678.
Impact
To complete the migration, re-enable plugins or delete documents from the index in the previous version.
[Saved objects] Removed support for legacy exports. (8.0)
Details
In Kibana 8.0.0 and later, the legacy format from Kibana 6.x is unsupported. For more information, refer to #110738
Impact
Using the user interface to import saved objects is restricted to .ndjson format imports.
[Security] Removed legacy audit logger. (8.0)
Details
The legacy audit logger has been removed. For more information, refer to #116191.
Impact
Audit logs will be written to the default location in the new ECS format. To change the output file, filter events, and more, use the audit logging settings.
[Security] Legacy browsers rejected by default. (8.0)
Details
To provide the maximum level of protection for most installations, the csp.strict config is now enabled by default. Legacy browsers not supported by Kibana, such as Internet Explorer 11, are unable to access Kibana unless explicitly enabled. All browsers officially supported by Kibana do not have this issue. For more information, refer to #41700
Impact
To enable support for legacy browsers, set csp.strict: false in kibana.yml. To effectively enforce the security protocol, we strongly discourage disabling csp.strict unless it is critical that you support Internet Explorer 11.
[Setup] Removed platform from archive root directory. (8.0)
Details
After you extract an archive, the output directory no longer includes the target platform. For example, kibana-8.0.0-linux-aarch64.tar.gz produces a kibana-8.0.0 folder. For more information, refer to #93835.
Impact
To use the new folder, update the configuration management tools and automation.
[Setup] Removed default support for TLS v1.0 and v1.1. (8.0)
Details
The default support for TLS v1.0 and v1.1 has been removed. For more information, refer to #90511.
Impact
To enable support, set --tls-min-1.0 in the node.options configuration file. To locate the configuration file, go to the kibana/config folder or any other configuration with the KBN_PATH_CONF environment variable. For example, if you are using a Debian-based system, the configuration file is located in /etc/kibana.
[Setup] Removed support for sysv init. (8.0)
Details
All supported operating systems use systemd service files. Any system that doesn’t have service aliased to use kibana.service should use systemctl start kibana.service instead of service start kibana. For more information, refer to #74424.
Impact
If your installation uses .deb or .rpm packages with SysV, migrate to systemd.
[Setup] Disabled response logging as a default. (8.0)
Details
In previous versions, all events are logged in json when logging.json:true. With the new logging configuration, you can choose the json and pattern output formats with layouts. For more information, refer to #42353.
Impact
To restore the previous behavior, configure the logging format for each custom appender with the appender.layout property in kibana.yml. There is no default for custom appenders, and each appender must be configured explicitly.
[Sharing & Reporting] The Download CSV endpoint has changed. (8.10)
Details
The API endpoint for downloading a CSV file from a saved search in the Dashboard application has changed to reflect the fact that this is an internal API. The previous API path of /api/reporting/v1/generate/immediate/csv_searchsource has been changed to /internal/reporting/generate/immediate/csv_searchsource. For more information, refer to #162288.
[Sharing & Reporting] CSV reports now use PIT instead of Scroll. (8.6)
Details
CSV reports now use PIT instead of Scroll. Previously generated CSV reports that used an index alias with alias-only privileges, but without privileges on the alias referenced-indices will no longer generate. For more information, refer to #158338.
Impact
To generate CSV reports, grant read privileges to the underlying indices.
[Sharing & Reporting] Removed legacy CSV export type. (8.1)
Details
The /api/reporting/generate/csv endpoint has been removed. For more information, refer to #121435.
Impact
If you are using 7.13.0 and earlier, regenerate the POST URLs that you use to automatically generate CSV reports.
[Sharing & Reporting] Removed legacy PDF shim. (8.1)
Details
The POST URLs that you generated in Kibana 6.2.0 no longer work. For more information, refer to #121369.
Impact
Regenerate the POST URLs that you use to automatically generate PDF reports.
[Sharing & Reporting] Removed reporting settings. (8.0)
Details
The following settings have been removed:
- xpack.reporting.capture.concurrency
- xpack.reporting.capture.settleTime
- xpack.reporting.capture.timeout
- xpack.reporting.kibanaApp
For more information, refer to #114216.
Impact
Before you upgrade to 8.0.0, remove the settings from kibana.yml.
[Sharing & Reporting] Legacy job parameters are no longer supported. (8.0)
Details
Reporting is no longer compatible with POST URL snippets generated with Kibana 6.2.0 and earlier. For more information, refer to #52539
Impact
If you use POST URL snippets to automatically generate PDF reports, regenerate the POST URL strings.
[User management] Removed the ability to use elasticsearch.username: elastic in production. (8.0)
Details
In production, you are no longer able to use the elastic superuser to authenticate to Elasticsearch. For more information, refer to #122722.
Impact
When you configure elasticsearch.username: elastic, Kibana fails.
[Visualizations] Removed the fields list sampling setting from Lens. (8.7)
Details
lens:useFieldExistenceSampling has been removed from Advanced Settings. The setting allowed you to enable document sampling to determine the fields that are displayed in Lens. For more information, refer to #149482.
Impact
In 8.1.0 and later, Kibana uses the field caps API, by default, to determine the fields that are displayed in Lens.
[Visualizations] Removed legacy pie chart visualization setting. (8.7)
Details
visualization:visualize:legacyPieChartsLibrary has been removed from Advanced Settings. The setting allowed you to create aggregation-based pie chart visualizations using the legacy charts library. For more information, refer to #146990.
Impact
In 7.14.0 and later, the new aggregation-based pie chart visualization is available by default. For more information, check Aggregation-based.
[Visualizations] Changed the histogram:maxBars default setting. (8.6)
Details
To configure higher resolution data histogram aggregations without changing the Advanced Settings, the default histogram:maxBars setting is now 1000 instead of 100. For more information, refer to #143081.
Impact
For each space, complete the following to change histogram:maxBars to the previous default setting:
- Open the main menu, then click Stack Management > Advanced Settings.
- Scroll or search for histogram:maxBars.
- Enter 100, then click Save changes.
[Visualizations] Removed the legacy Timelion charts library. (8.4)
Details
The legacy implementation of the Timelion visualization charts library has been removed. All Timelion visualizations now use the elastic-charts library, which was introduced in 7.15.0.
For more information, refer to #134336.
Impact
In 8.4.0 and later, you are unable to configure the Timelion legacy charts library advanced setting. For information about visualization Advanced Settings, check Visualization.
[Visualizations] Removed Quandl and Graphite integrations. (8.3)
Details
The experimental .quandl and .graphite functions and advanced settings are removed from Timelion. For more information, check #129581.
Impact
When you use the vis_type_timelion.graphiteUrls kibana.yml setting, Kibana successfully starts, but logs a [WARN ][config.deprecation] You no longer need to configure "vis_type_timelion.graphiteUrls". warning.
To leave your feedback about the removal of .quandl and .graphite, go to the discuss forum.
[Visualizations] Removed display options from legacy gauge visualizations. (8.0)
Details
The Display warnings option has been removed from the aggregation-based gauge visualization. For more information, refer to #113516.
Impact
When you create aggregation-based gauge visualizations, the Display warnings option is no longer available in Options > Labels.
[Visualizations] Removed settings from visEditors plugins. (8.0)
Details
The following deprecated visEditors plugin settings have been removed:
- metric_vis.enabled
- table_vis.enabled
- tagcloud.enabled
- metrics.enabled
- metrics.chartResolution
- chartResolution
- metrics.minimumBucketSize
- minimumBucketSize
- vega.enabled
- vega.enableExternalUrls
- vis_type_table.legacyVisEnabled
- timelion_vis.enabled
- timelion.enabled
- timelion.graphiteUrls
- timelion.ui.enabled
For more information, refer to #112643.
Impact
Before you upgrade, make the following changes in kibana.yml:
- Replace metric_vis.enabled with vis_type_metric.enabled
- Replace table_vis.enabled with vis_type_table.enabled
- Replace tagcloud.enabled with vis_type_tagcloud.enabled
- Replace metrics.enabled with vis_type_timeseries.enabled
- Replace metrics.chartResolution and chartResolution with vis_type_timeseries.chartResolution
- Replace metrics.minimumBucketSize and minimumBucketSize with vis_type_timeseries.minimumBucketSize
- Replace vega.enabled with vis_type_vega.enabled
- Replace vega.enableExternalUrls with vis_type_vega.enableExternalUrls
- Remove vis_type_table.legacyVisEnabled
- Replace timelion_vis.enabled with vis_type_timelion.enabled
- Replace timelion.enabled with vis_type_timelion.enabled
- Replace timelion.graphiteUrls with vis_type_timelion.graphiteUrls
- Remove timelion.ui.enabled
[Visualizations] Removed dimming opacity setting. (8.0)
Details
The Dimming opacity setting in Advanced Settings has been removed. For more information, refer to #111704.
Impact
When you upgrade to 8.0.0, you are no longer able to configure the dimming opacity for visualizations.
[Visualizations] Removes Less stylesheet support in TSVB. (8.0)
Details
In TSVB, custom Less stylesheets have been removed. For more information, refer to #110985.
Impact
Existing less stylesheets are automatically converted to CSS stylesheets.
[Visualizations] Disabled the input string mode in TSVB. (8.0)
Details
In TSVB, the Index pattern selection mode option has been removed. For more information, refer to #110571.
Impact
To use index patterns and Elasticsearch indices in TSVB visualizations:
- Open the main menu, then click Stack Management > Advanced Settings.
- Select Allow string indices in TSVB.
- Click Save changes.
[Visualizations] Removed proxyElasticMapsServiceInMaps Maps setting. (8.0)
Details
The map.proxyElasticMapsServiceInMaps setting has been removed. For more information, refer to #116184.
Impact
Install the on-prem version of the Elastic Maps Service, which is a Docker service that resides in the Elastic Docker registry, in an accessible location on your internal network. When you complete the installation, update kibana.yml to point to the service.
[Visualizations] Removed map.regionmap.*. (8.0)
Details
The deprecated map.regionmap.* setting in kibana.yml has been removed. For more information, refer to #109896.
Impact
If you have maps that use map.regionmap layers:
- Remove the map.regionmap layer.
- To recreate the choropleth layer, use GeoJSON upload to index your static vector data into Elasticsearch.
- Create a choropleth layer from the indexed vector data.
[Visualizations] Removed dashboard-only mode. (8.0)
Details
The legacy dashboard-only mode has been removed. For more information, refer to #108103.
Impact
To grant users access to only dashboards, create a new role, then assign only the Dashboard feature privilege. For more information, refer to Kibana privileges.
[Visualizations] Removed xpack.maps.showMapVisualizationTypes setting. (8.0)
Details
The deprecated xpack.maps.showMapVisualizationTypes setting in kibana.yml has been removed. For more information, refer to #105979.
Impact
When you upgrade, remove xpack.maps.showMapVisualizationTypes from your kibana.yml file.
Elastic Observability solution
[APM] Removed apm_user. (8.3)
Details
Removes the apm_user role. For more information, check #132790.
Impact
The apm_user role is replaced with the viewer and editor built-in roles.
[SLOs] New SLO architecture. (8.12)
Details
We introduced a breaking change in the SLO features that will break any SLOs created before 8.12. These SLOs have to be manually reset through an API until we provide a UI for it. The data aggregated over time (rollup) is still available in the SLI v2 index, but won’t be used for summary calculation when reset.
The previous summary transforms, which summarized every SLO, won’t be used anymore and can be stopped and deleted:
- slo-summary-occurrences-7d-rolling
- slo-summary-occurrences-30d-rolling
- slo-summary-occurrences-90d-rolling
- slo-summary-occurrences-monthly-aligned
- slo-summary-occurrences-weekly-aligned
- slo-summary-timeslices-7d-rolling
- slo-summary-timeslices-30d-rolling
- slo-summary-timeslices-90d-rolling
- slo-summary-timeslices-monthly-aligned
- slo-summary-timeslices-weekly-aligned
Be aware that when installing a new SLO (or after resetting an SLO), we install two transforms (one for the rollup data and one that summarizes the rollup data). Do not delete the new slo-summary-{slo_id}-{slo_revision} transforms. For more information, refer to (#172224).
[SLO] Introduced new summary search capabilities that will cause SLOs created before 8.10 to stop working. (8.10)
Details
- SLO find API body parameters have changed.
- The index mapping used by the rollup data has changed, and we have added a summary index that becomes the new source of truth for search.
- The rollup transforms have been updated, but existing SLOs and their transforms won’t be updated.
If some SLOs were installed in a version prior to 8.10, they won’t work after migrating to 8.10. There are two approaches to handle this breaking change. The recommended route is to delete all SLOs before migrating to 8.10. The alternative is to migrate to 8.10 and manually remove the SLOs.
Removing SLOs before migrating to 8.10
Use the SLO UI or the SLO delete API to delete all existing SLOs. This takes care of the saved object, transform and rollup data. When all SLOs have been deleted, then delete the residual rollup indices: .slo-observability.sli-v1*. Note that this is v1.
Removing SLOs after migrating to 8.10
After migrating to 8.10, the previously created SLOs won’t appear in the UI because the API is using a new index. The previously created SLOs still exist, and associated transforms are still rolling up data into the previous index .slo-observability.sli-v1*. The SLO delete API can’t be used now, so remove the resources manually:
- Find all existing transforms
  All SLO-related transforms start with the slo- prefix. This request returns them all:
  GET _transform/slo-*
  Make a note of all the transform IDs for later.
- Stop all transforms
  POST _transform/slo-*/_stop?force=true
- Remove all transforms
  From the list of transforms returned during the first step, now delete them one by one:
  DELETE _transform/{transform_id}?force=true
- Find the SLO saved objects
  This request lists all the SLO saved objects. The SLO IDs and the saved object IDs are not the same.
  GET kbn:/api/saved_objects/_find?type=slo
  Make a note of all the saved object IDs from the response.
- Remove the SLO saved objects
  For each saved object ID, run the following:
  DELETE kbn:/api/saved_objects/slo/{Saved_Object_Id}
- Delete the rollup indices v1
  Note that this is v1.
  DELETE .slo-observability.sli-v1*
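The manual cleanup steps above, scripted as an added example (not part of the Kibana documentation): from the saved responses of the two listing requests, it builds the ordered stop and delete requests in Console syntax, and it refuses to build anything if either listing is only a partial page. The sample responses and every ID in them are constructed.

```python
from urllib.parse import quote

# Constructed sample responses; every ID below is made up for illustration.
# Shape of the `GET _transform/slo-*` response:
TRANSFORMS = {"count": 3, "transforms": [
    {"id": "slo-3f1c2a-1"},
    {"id": "slo-9b7e44-2"},
    {"id": "slo-summary-occurrences-7d-rolling"},
]}
# Shape of the `GET kbn:/api/saved_objects/_find?type=slo` response:
SAVED_OBJECTS = {"page": 1, "per_page": 20, "total": 2, "saved_objects": [
    {"type": "slo", "id": "5d1e7c10-aaaa-4bbb-8ccc-000000000001",
     "attributes": {"id": "3f1c2a"}},
    {"type": "slo", "id": "5d1e7c10-aaaa-4bbb-8ccc-000000000002",
     "attributes": {"id": "9b7e44"}},
]}


class IncompleteListing(Exception):
    """The response is one page of a longer result; a plan would miss items."""


def transform_ids(resp):
    """Return the transform IDs, refusing truncated or unexpected listings."""
    ids = [t["id"] for t in resp["transforms"]]
    if resp["count"] > len(ids):
        raise IncompleteListing(
            f"{resp['count']} transforms match, only {len(ids)} returned")
    stray = [i for i in ids if not i.startswith("slo-")]
    if stray:
        raise ValueError(f"not SLO transforms: {stray}")
    return ids


def saved_object_ids(resp):
    """Return the saved object IDs (not the SLO IDs) from a _find response."""
    objs = resp["saved_objects"]
    if resp["total"] > len(objs):
        raise IncompleteListing(
            f"{resp['total']} saved objects match, only {len(objs)} returned")
    return [o["id"] for o in objs if o["type"] == "slo"]


def cleanup_plan(transforms_resp, saved_objects_resp):
    """Ordered Console requests for the stop, delete and index-removal steps."""
    # Validate both listings first so the plan is all-or-nothing.
    t_ids = transform_ids(transforms_resp)
    so_ids = saved_object_ids(saved_objects_resp)
    plan = ["POST _transform/slo-*/_stop?force=true"]
    plan += [f"DELETE _transform/{quote(i, safe='')}?force=true" for i in t_ids]
    plan += [f"DELETE kbn:/api/saved_objects/slo/{quote(i, safe='')}"
             for i in so_ids]
    plan.append("DELETE .slo-observability.sli-v1*")  # v1 rollup indices only
    return plan


if __name__ == "__main__":
    print("\n".join(cleanup_plan(TRANSFORMS, SAVED_OBJECTS)))
```

Keep the generated plan with the change record for the upgrade, so the deletions can be reviewed before they are run.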
[Uptime] Uptime app now hidden when no data is available. (8.9)
Details
The Uptime app now gets hidden from the interface when it doesn’t have any data for more than a week. If you have a standalone Heartbeat pushing data to Elasticsearch, the Uptime app is considered active. You can disable this automatic behavior from the advanced settings in Kibana using the Always show legacy Uptime app option.
For synthetic monitoring, we now recommend using the new Synthetics app. For more information, refer to #159118.
[Uptime] Removed synthetics pattern from Uptime settings. (8.9)
Details
Data from browser monitors and monitors of all types created within the Synthetics App or via the Elastic Synthetics Fleet Integration will no longer appear in Uptime. For more information, refer to #159012
Elastic Search solution
Required security plugin. (8.0)
Details
Enterprise Search now requires that you enable X-Pack Security. For more information, refer to #106307
Impact
Enable X-Pack Security.
Elastic Security solution
For the complete Elastic Security solution release information, refer to Elastic Security Solution Release Notes.
Remove original user and host risk scoring and all associated UIs (9.0.0)
Details
The original host and risk score modules have been superseded since v8.10.0 by the Risk Engine.
In 9.0.0, these modules will no longer be supported, the scores will no longer display in the UI, and all UI controls associated with managing or upgrading the legacy modules will be removed.
Impact
As well as the legacy risk scores not being shown in the UI, alerts will no longer have the legacy risk score added to them in the <host|user>.risk.calculated_level and <host|user>.risk.calculated_score_norm fields.
The legacy risk scores are stored in the ml_host_risk_score_<space_id> and ml_user_risk_score_<space_id> indices. These indices will not be deleted if the user chooses not to upgrade.
Legacy risk scores are generated by the following transforms:
- ml_hostriskscore_pivot_transform_<space_id>
- ml_hostriskscore_latest_transform_<space_id>
- ml_userriskscore_pivot_transform_<space_id>
- ml_userriskscore_latest_transform_<space_id>
If a user does not upgrade to use the Risk Engine, these transforms will continue to run in 9.0.0, but it will be up to the user to manage them.
Action
Upgrade to use the Risk Engine in all spaces which use the legacy risk scoring modules:
- In the main menu, go to Security > Manage > Entity Risk Score.
- If the original user and host risk score modules are enabled, you’ll see a button to "Start update". Click the button, and follow the instructions.
[Elastic Defend] Converted filterQuery to KQL. (8.11)
Details
Converts filterQuery to a KQL query string. For more information, refer to (#161806).
Deprecation notices
The following functionality is deprecated and will be removed at a future date. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates to avoid use of deprecated features.
Use the Kibana Upgrade Assistant to prepare for your upgrade to the next version of the Elastic Stack. The assistant identifies deprecated settings in your configuration and guides you through the process of resolving issues if any deprecated features are enabled. To access the assistant, go to Stack Management > Upgrade Assistant.
Kibana APIs
Deprecated Agent reassign API PUT endpoint. (8.8)
Details
The PUT endpoint for the agent reassign API is deprecated. For more information, refer to #152236.
Impact
Use the POST endpoint for the agent reassign API.
Deprecated total in /agent_status Fleet API. (8.8)
Details
The total field in /agent_status Fleet API responses is deprecated. For more information, refer to #151564.
Impact
The /agent_status Fleet API now returns the following statuses:
- all — All active and inactive
- active — All active
Deprecated Saved objects APIs. (8.7)
Details
The following saved objects APIs have been deprecated.
- /api/saved_objects/{type}/{id}
- /api/saved_objects/resolve/{type}/{id}
- /api/saved_objects/{type}/{id?}
- /api/saved_objects/{type}/{id}
- /api/saved_objects/_find
- /api/saved_objects/{type}/{id}
- /api/saved_objects/_bulk_get
- /api/saved_objects/_bulk_create
- /api/saved_objects/_bulk_resolve
- /api/saved_objects/_bulk_update
- /api/saved_objects/_bulk_delete
For more information, refer to (#150267).
Impact
Use dedicated public APIs instead. For example, use the Data views API to manage data views.
Updates Fleet API to improve consistency. (8.0)
Details
The Fleet API has been updated to improve consistency:
- Hyphens are changed to underscores in some names.
- The pkgkey path parameter in the packages endpoint is split.
- The response and list properties are renamed to items or item in some responses.
For more information, refer to #119494.
Impact
When you upgrade to 8.0.0, use the following API changes:
- Use enrollment_api_keys instead of enrollment-api-keys.
- Use agent_status instead of agent-status.
- Use service_tokens instead of service-tokens.
- Use /epm/packages/{packageName}/{version} instead of /epm/packages/{pkgkey}.
- Use items[] instead of response[] in:
For more information, refer to Fleet APIs.
Kibana platform
[Alerting] Action variables in the UI and in tests that were no longer used have been replaced. (8.10)
Details
The following rule action variables have been deprecated. Use the recommended variables (in parentheses) instead:
- alertActionGroup (alert.actionGroup)
- alertActionGroupName (alert.actionGroupName)
- alertActionSubgroup (alert.actionSubgroup)
- alertId (rule.id)
- alertInstanceId (alert.id)
- alertName (rule.name)
- params (rule.params)
- spaceId (rule.spaceId)
- tags (rule.tags)
For more information, refer to (#161136).
[Discover] Search sessions are deprecated in 8.15.0 and will be removed in a future version. (8.15)
Details
Search sessions are now deprecated and will be removed in a future version. By default, queries that take longer than 10 minutes (the default for the advanced setting search:timeout) will be canceled. To allow queries to run longer, consider increasing search:timeout or setting it to 0, which will allow queries to continue running as long as a user is waiting on-screen for results.
[General settings] Deprecated ephemeral Task Manager settings (8.8)
Details
The following Task Manager settings are deprecated:
- xpack.task_manager.ephemeral_tasks.enabled
- xpack.task_manager.ephemeral_tasks.request_capacity
- xpack.alerting.maxEphemeralActionsPerAlert
For more information, refer to #154275.
Impact
To improve task execution resiliency, remove the deprecated settings from the kibana.yml file. For detailed information, check Task Manager settings in Kibana.
[General settings] Deprecated xpack.data_enhanced.* setting. (8.3)
Details
In kibana.yml, the xpack.data_enhanced.* setting is deprecated. For more information, check #122075.
Impact
Use the data.* configuration parameters instead.
[General settings] Removed xpack:defaultAdminEmail setting. (8.0)
Details
The xpack:default_admin_email setting for monitoring use has been removed. For more information, refer to #33603.
Impact
Use the xpack.monitoring.clusterAlertsEmail setting in kibana.yml.
[Security] Deprecated ApiKey authentication for interactive users. (8.4)
Details
The ability to authenticate interactive users with ApiKey via a web browser has been deprecated, and will be removed in a future version.
For more information, refer to #136422.
Impact
To authenticate interactive users via a web browser, use another authentication method. Use API keys only for programmatic access to Kibana and Elasticsearch.
[Security] Deprecated anonymous authentication credentials. (8.3)
Details
The apiKey, including key and ID/key pair, and elasticsearch_anonymous_user credential types for anonymous authentication providers are deprecated. For more information, check #131636.
Impact
If you have anonymous authentication provider configured with apiKey or elasticsearch_anonymous_user credential types, a deprecation warning appears, even when the provider is not enabled.
[Security] Deprecated v1 and v2 security_linux and security_windows jobs. (8.3)
Details
The v1 and v2 job configurations for security_linux and security_windows are deprecated. For more information, check #131166.
Impact
The following security_linux and security_windows job configurations are updated to v3:
- security_linux:
  - v3_linux_anomalous_network_activity
  - v3_linux_anomalous_network_port_activity_ecs
  - v3_linux_anomalous_process_all_hosts_ecs
  - v3_linux_anomalous_user_name_ecs
  - v3_linux_network_configuration_discovery
  - v3_linux_network_connection_discovery
  - v3_linux_rare_metadata_process
  - v3_linux_rare_metadata_user
  - v3_linux_rare_sudo_user
  - v3_linux_rare_user_compiler
  - v3_linux_system_information_discovery
  - v3_linux_system_process_discovery
  - v3_linux_system_user_discovery
  - v3_rare_process_by_host_linux_ecs
- security_windows:
  - v3_rare_process_by_host_windows_ecs
  - v3_windows_anomalous_network_activity_ecs
  - v3_windows_anomalous_path_activity_ecs
  - v3_windows_anomalous_process_all_hosts_ecs
  - v3_windows_anomalous_process_creation
  - v3_windows_anomalous_script
  - v3_windows_anomalous_service
  - v3_windows_anomalous_user_name_ecs
  - v3_windows_rare_metadata_process
  - v3_windows_rare_metadata_user
  - v3_windows_rare_user_runas_event
  - v3_windows_rare_user_type10_remote_login
[Setup] New versions of Kibana for macOS x86_64 will end after 8.17.
Details
New versions of Kibana builds for macOS x86_64 are deprecated and will no longer be released after 8.17. Kibana for macOS AArch64 is unaffected.
Use Docker to run new versions of Kibana on macOS x86_64.
[Sharing & Reporting] Downloading a CSV file from a saved search panel in a dashboard has become deprecated in favor of generating a CSV report. (8.14)
Details
The mechanism of exporting CSV data from a saved search panel in a dashboard has been changed to generate a CSV report, rather than allowing the CSV data to be downloaded without creating a report. To preserve the original behavior, set xpack.reporting.csv.enablePanelActionDownload: true in kibana.yml. The scope of this breaking change is limited to downloading CSV files from saved search panels only; downloading CSV files from other types of dashboard panels is unchanged. For more information, refer to #178159.
[Visualizations] Removed metrics:allowCheckingForFailedShards advanced setting. (8.17)
Details
The metrics:allowCheckingForFailedShards advanced setting has been removed. With this change, it is no longer possible to suppress warnings about failed shards in TSVB. For more information, refer to (#197227).
[Visualizations] The ability to create legacy input controls was hidden. (8.9)
Details
The option to create legacy input controls when creating a new visualization is hidden. For more information, refer to #156455
[Visualizations] Removed legacy field stats. (8.9)
Details
Legacy field stats that were previously shown within a popover have been removed. For more information, refer to #155503.
[Visualizations] Deprecated input control panels in dashboards. (8.3)
Details
The input control panels, which allow you to add interactive filters to dashboards, are deprecated. For more information, check #132562.
Impact
To add interactive filters to your dashboards, use the new controls.
[Visualizations] Deprecated the Auto default legend size in Lens. (8.3)
Details
In the Lens visualization editor, the Auto default for Legend width has been deprecated. For more information, check #130336.
Impact
When you create Lens visualizations, the default for the Legend width is now Medium.
Elastic Observability solution
The Observability > Logs > Explorer app is now deprecated in favor of Discover. (8.17)
Details
Both the Logs Explorer and Logs Stream applications are now deprecated and will be removed in 9.0. We continue to make enhancements to Discover to offer similar functionality in 9.x.
Deprecated the Observability AI Assistant specific advanced setting observability:aiAssistantLogsIndexPattern. (8.16)
Details
The Observability AI Assistant specific advanced setting for Logs index patterns observability:aiAssistantLogsIndexPattern is deprecated and no longer used. The AI Assistant will now use the existing Log sources setting observability:logSources instead. For more information, refer to (#192003).
The Logs Stream was hidden by default in favor of the Logs Explorer app. (8.16)
Details
You can find the Logs Explorer app in the navigation menu under Logs > Explorer, or as a separate tab in Discover. For more information, refer to (#194519).
Impact
You can still show the Logs Stream app again by navigating to Stack Management > Advanced Settings and by enabling the observability:enableLogsStream setting.
[APM] Renamed the autocreate data view APM setting. (8.0)
Details
The xpack.apm.autocreateApmIndexPattern APM setting has been removed. For more information, refer to #120689.
Impact
To automatically create data views in APM, use xpack.apm.autoCreateApmDataView.
[Uptime] Uptime is deprecated in 8.15.0. (8.15)
Details
The Uptime app is already hidden from Kibana when there is no recent Heartbeat data. Migrate to Synthetics as an alternative. For more details, refer to the Uptime documentation.
[Uptime] Deprecated Synthetics and Uptime monitor schedules (8.8)
Details
Synthetics and Uptime monitor schedules and zip URL fields are deprecated. For more information, refer to #154010 and #154952.
Impact
When you create monitors in Uptime Monitor Management and the Synthetics app, unsupported schedules are automatically transferred to the nearest supported schedule. To use zip URLs, use project monitors.
[Uptime] Deprecated Elastic Synthetics integration. (8.8)
Details
The Elastic Synthetics integration is deprecated. For more information, refer to #149506.
Impact
To monitor endpoints, pages, and user journeys, go to Observability → Synthetics (beta).
Elastic Security solution
For the complete Elastic Security solution release information, refer to Elastic Security Solution Release Notes.