Kibana 8.3.0edit

Review the following information about the Kibana 8.3.0 release.

Known issuesedit

Alerting users who are running 8.2 should not upgrade to either 8.3.0 or 8.3.1. Both 8.3.0 and 8.3.1 have a bug where alerting rules that were created or edited in 8.2 will stop running on upgrade. If you have upgraded to 8.3.0 or 8.3.1 and your alerting rules have stopped running with an error similar to the following example, you will need to go to Stack Management > Rules and Connectors, multi-select the failed rules, click on Manage rules > Disable and then click on Manage rules > Enable. Disabling and re-enabling the rule will generate a new API key using the credentials of the user performing these actions and reset the rule state. For more details about API key authorization, refer to API keys.

Example error message
<rule-type>:<UUID>: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""

Breaking changeedit

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade, review the breaking change, then mitigate the impact to your application.

Removes Quandl and Graphite integrations

The experimental .quandl and .graphite functions and advanced settings are removed from Timelion. For more information, check #129581.

When you use the vis_type_timelion.graphiteUrls kibana.yml setting, Kibana successfully starts, but logs a [WARN ][config.deprecation] You no longer need to configure "vis_type_timelion.graphiteUrls". warning.

To leave your feedback about the removal of .quandl and .graphite, go to the discuss forum.

Makes Osquery All with All base privilege

The Osquery Kibana privilege has been updated, so that when the Privileges for all features level is set to All, this now applies All to Osquery privileges as well. Previously, users had to choose the Customize option to grant any access to Osquery. For more information, refer to #130523.

This impacts user roles that have Privileges for all features set to All. After this update, users with this role will have access to the Osquery page in Kibana. However, to use the Osquery feature fully, these requirements remain the same: users also need Read access to the logs-osquery_manager.result* index and the Osquery Manager integration must be deployed to Elastic Agents.

To review the breaking changes in previous versions, refer to the following:

8.2.0 | 8.1.0 | 8.0.0 | 8.0.0-rc2 | 8.0.0-rc1 | 8.0.0-beta1 | 8.0.0-alpha2 | 8.0.0-alpha1


The following functionality is deprecated in 8.3.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.3.0.

Removes apm_user

Removes the apm_user role. For more information, check #132790.

In the APM documentation, the apm_user`role is replaced with the `viewer and editor built-in roles.

Deprecates input controls

The input control panels, which allow you to add interactive filters to dashboards, are deprecated. For more information, check #132562.

To add interactive filters to your dashboards, use the new controls.

Deprecates anonymous authentication credentials

The apiKey, including key and ID/key pair, and elasticsearch_anonymous_user credential types for anonymous authentication providers are deprecated. For more information, check #131636.

If you have anonymous authentication provider configured with apiKey or elasticsearch_anonymous_user credential types, a deprecation warning appears, even when the provider is not enabled.

Deprecates v1 and v2 security_linux and security_windows jobs

The v1 and v2 job configurations for security_linux and security_windows are deprecated. For more information, check #131166.

The following security_linux and security_windows job configurations are updated to v3:

  • security_linux:

    • v3_linux_anomalous_network_activity
    • v3_linux_anomalous_network_port_activity_ecs
    • v3_linux_anomalous_process_all_hosts_ecs
    • v3_linux_anomalous_user_name_ecs
    • v3_linux_network_configuration_discovery
    • v3_linux_network_connection_discovery
    • v3_linux_rare_metadata_process
    • v3_linux_rare_metadata_user
    • v3_linux_rare_sudo_user
    • v3_linux_rare_user_compiler
    • v3_linux_system_information_discovery
    • v3_linux_system_process_discovery
    • v3_linux_system_user_discovery
    • v3_rare_process_by_host_linux_ecs
  • security_windows:

    • v3_rare_process_by_host_windows_ecs
    • v3_windows_anomalous_network_activity_ecs
    • v3_windows_anomalous_path_activity_ecs
    • v3_windows_anomalous_process_all_hosts_ecs
    • v3_windows_anomalous_process_creation
    • v3_windows_anomalous_script
    • v3_windows_anomalous_service
    • v3_windows_anomalous_user_name_ecs
    • v3_windows_rare_metadata_process
    • v3_windows_rare_metadata_user
    • v3_windows_rare_user_runas_event
    • v3_windows_rare_user_type10_remote_login
Updates the default legend size

In the Lens visualization editor, the Auto default for Legend width has been deprecated. For more information, check #130336.

When you create Lens visualization, the default for the Legend width is now Medium.

Deprecates xpack.data_enhanced.*

In kibana.yml, the xpack.data_enhanced.* setting is deprecated. For more information, check #122075.

Use the data.* configuration parameters instead.


Kibana 8.3.0 adds the following new and notable features.

  • Adds circuit breaker for max number of actions by connector type #128319
  • Adds bulkEdit method to alerting rulesClient and internal _bulk_edit API, that allow bulk editing of rules #126904
  • Adds average time to close metric in Cases #131909
  • View all alerts attached to a case in the alerts table. The feature is experimental #131883
  • Adds severity field to Cases #131626
  • Adds the ability to delete comments in Cases #130254
Enables the new controls by default #131341
  • To enable Threshold Alerts, adds the ability to edit dataView, query, & filters #131688
  • To enable Threshold Alerts, extended the Elasticsearch query rule with search source-based data fetching #124534
Elastic Security
For the Elastic Security 8.3.0 release information, refer to Elastic Security Solution Release Notes.
Changes to agent upgrade modal to allow for rolling upgrades #132421
Lens & Visualizations
  • Adds method to re-link visualizations with missing SavedSearch #132729
  • Adds support of Data View switching for Agg-Based visualizations #132184
Machine Learning
  • Adds the ability to create anomaly detection jobs from Lens visualizations #129762
  • Adds trained model testing for additional pytorch models #129209
  • Adds saved object relationships to data view management #132385
  • Adds support for feature_states #131310
Adds the Stack monitoring health API #132705
  • Adds the ability to bulk attach multiple alerts to a Case #130958
  • Adds rule details page #130330
  • Adds span link #126630
  • Adds ML expected model bounds as an option to Comparison controls #132456
Adds xyVis and layeredXyVis #128255
Querying & Filtering
Improves the current filter/search experience #128401
Adds method to re-link visualizations with missing index-pattern #132336

For more information about the features introduced in 8.3.0, refer to What’s new in 8.3.