Kibana 8.3.0edit

Review the following information about the Kibana 8.3.0 release.

Known issuesedit

Alerting rules stop running on upgradeedit

Alerting users who are running 8.2 should not upgrade to either 8.3.0 or 8.3.1. Both 8.3.0 and 8.3.1 have a bug where alerting rules that were created or edited in 8.2 will stop running on upgrade. If you have upgraded to 8.3.0 or 8.3.1 and your alerting rules have stopped running with an error similar to the following example, you will need to go to Stack Management > Rules and Connectors, multi-select the failed rules, click on Manage rules > Disable and then click on Manage rules > Enable. Disabling and re-enabling the rule will generate a new API key using the credentials of the user performing these actions and reset the rule state. For more details about API key authorization, refer to Authorization.

Example error message
<rule-type>:<UUID>: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""

Snoozed alerting rules need to be cancelled before upgradeedit

If you have alerting rules that have been snoozed, do not upgrade Kibana from 8.3.3 to 8.4.0. Upgrade to 8.4.1 instead.

To determine if you have snoozed alerting rules, open the main menu, then click Stack ManagementRules and Connectors. Filter the rule list by selecting ViewSnoozed. If you must upgrade to 8.4.0, for each space, cancel the snooze for all affected rules before you upgrade.

To identify snoozed rules in all Spaces using Dev Tools, run the following query:

GET /.kibana/_search
{
  "query": {
    "exists": {
      "field": "alert.isSnoozedUntil"
    }
  }
}

If you upgraded Kibana from 8.3.3 to 8.4.0 and you had alerting rules configured to snooze notifications, you will receive the following error message:

FATAL  Error: Unable to complete saved object migrations for the [.kibana] index.

To fix than problem, restore your previous version, then upgrade to 8.4.1 instead.

Breaking changeedit

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade, review the breaking change, then mitigate the impact to your application.

Removes Quandl and Graphite integrations

Details
The experimental .quandl and .graphite functions and advanced settings are removed from Timelion. For more information, check #129581.

Impact
When you use the vis_type_timelion.graphiteUrls kibana.yml setting, Kibana successfully starts, but logs a [WARN ][config.deprecation] You no longer need to configure "vis_type_timelion.graphiteUrls". warning.

To leave your feedback about the removal of .quandl and .graphite, go to the discuss forum.

Makes Osquery All with All base privilege

Details
The Osquery Kibana privilege has been updated, so that when the Privileges for all features level is set to All, this now applies All to Osquery privileges as well. Previously, users had to choose the Customize option to grant any access to Osquery. For more information, refer to #130523.

Impact
This impacts user roles that have Privileges for all features set to All. After this update, users with this role will have access to the Osquery page in Kibana. However, to use the Osquery feature fully, these requirements remain the same: users also need Read access to the logs-osquery_manager.result* index and the Osquery Manager integration must be deployed to Elastic Agents.

To review the breaking changes in previous versions, refer to the following:

8.2.0 | 8.1.0 | 8.0.0 | 8.0.0-rc2 | 8.0.0-rc1 | 8.0.0-beta1 | 8.0.0-alpha2 | 8.0.0-alpha1

Deprecationsedit

The following functionality is deprecated in 8.3.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.3.0.

Removes apm_user

Details
Removes the apm_user role. For more information, check #132790.

Impact
In the APM documentation, the apm_user`role is replaced with the `viewer and editor built-in roles.

Deprecates input controls

Details
The input control panels, which allow you to add interactive filters to dashboards, are deprecated. For more information, check #132562.

Impact
To add interactive filters to your dashboards, use the new controls.

Deprecates anonymous authentication credentials

Details
The apiKey, including key and ID/key pair, and elasticsearch_anonymous_user credential types for anonymous authentication providers are deprecated. For more information, check #131636.

Impact
If you have anonymous authentication provider configured with apiKey or elasticsearch_anonymous_user credential types, a deprecation warning appears, even when the provider is not enabled.

Deprecates v1 and v2 security_linux and security_windows jobs

Details
The v1 and v2 job configurations for security_linux and security_windows are deprecated. For more information, check #131166.

Impact
The following security_linux and security_windows job configurations are updated to v3:

  • security_linux:

    • v3_linux_anomalous_network_activity
    • v3_linux_anomalous_network_port_activity_ecs
    • v3_linux_anomalous_process_all_hosts_ecs
    • v3_linux_anomalous_user_name_ecs
    • v3_linux_network_configuration_discovery
    • v3_linux_network_connection_discovery
    • v3_linux_rare_metadata_process
    • v3_linux_rare_metadata_user
    • v3_linux_rare_sudo_user
    • v3_linux_rare_user_compiler
    • v3_linux_system_information_discovery
    • v3_linux_system_process_discovery
    • v3_linux_system_user_discovery
    • v3_rare_process_by_host_linux_ecs
  • security_windows:

    • v3_rare_process_by_host_windows_ecs
    • v3_windows_anomalous_network_activity_ecs
    • v3_windows_anomalous_path_activity_ecs
    • v3_windows_anomalous_process_all_hosts_ecs
    • v3_windows_anomalous_process_creation
    • v3_windows_anomalous_script
    • v3_windows_anomalous_service
    • v3_windows_anomalous_user_name_ecs
    • v3_windows_rare_metadata_process
    • v3_windows_rare_metadata_user
    • v3_windows_rare_user_runas_event
    • v3_windows_rare_user_type10_remote_login
Updates the default legend size

Details
In the Lens visualization editor, the Auto default for Legend width has been deprecated. For more information, check #130336.

Impact
When you create Lens visualization, the default for the Legend width is now Medium.

Deprecates xpack.data_enhanced.*

Details
In kibana.yml, the xpack.data_enhanced.* setting is deprecated. For more information, check #122075.

Impact
Use the data.* configuration parameters instead.

Featuresedit

Kibana 8.3.0 adds the following new and notable features.

Alerting
  • Adds circuit breaker for max number of actions by connector type #128319
  • Adds bulkEdit method to alerting rulesClient and internal _bulk_edit API, that allow bulk editing of rules #126904
Cases
  • Adds average time to close metric in Cases #131909
  • View all alerts attached to a case in the alerts table. The feature is experimental #131883
  • Adds severity field to Cases #131626
  • Adds the ability to delete comments in Cases #130254
Dashboard
Enables the new controls by default #131341
Discover
  • To enable Threshold Alerts, adds the ability to edit dataView, query, & filters #131688
  • To enable Threshold Alerts, extended the Elasticsearch query rule with search source-based data fetching #124534
Elastic Security
For the Elastic Security 8.3.0 release information, refer to Elastic Security Solution Release Notes.
Fleet
Changes to agent upgrade modal to allow for rolling upgrades #132421
Lens & Visualizations
  • Adds method to re-link visualizations with missing SavedSearch #132729
  • Adds support of Data View switching for Agg-Based visualizations #132184
Machine Learning
  • Adds the ability to create anomaly detection jobs from Lens visualizations #129762
  • Adds trained model testing for additional pytorch models #129209
Management
  • Adds saved object relationships to data view management #132385
  • Adds support for feature_states #131310
Monitoring
Adds the Stack monitoring health API #132705
Observability
  • Adds the ability to bulk attach multiple alerts to a Case #130958
  • Adds rule details page #130330
  • Adds span link #126630
  • Adds ML expected model bounds as an option to Comparison controls #132456
Platform
Adds xyVis and layeredXyVis #128255
Querying & Filtering
Improves the current filter/search experience #128401
Sharing
Adds method to re-link visualizations with missing index-pattern #132336

For more information about the features introduced in 8.3.0, refer to What’s new in 8.3.