From 3a6435a82727cb4e5db7be8478bc53f4fd0aaeb8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 Jan 2026 13:35:58 -0500 Subject: [PATCH 1/7] First draft --- docs/release-notes/8.18.asciidoc | 76 ++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 2e84dfbc7f..52ac0d1f87 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -286,6 +286,8 @@ This issue is fixed in {stack} version 8.18.2. ==== // end::known-issue[] +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[enhancements-8.18.1]] ==== Enhancements 
@@ -447,6 +449,80 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. ==== // end::known-issue[] +// tag::known-issue-4770 +[discrete] +.Details about gap fills aren't properly updated +[%collapsible] +==== +*Details* + + +After upgrading to 9.3 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: + +* **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. + +* **Rule deletion**: If a rule has gaps and you delete the rule, the rule is removed but the gaps are not marked as deleted. You may see incorrect numbers when viewing total rules with gaps. + +**Root cause** + +When upgrading from {stack} versions earlier than 8.9, the old event log index is reindexed with a new name: + +* Old index: `.reindexed-v8-kibana-event-log-{version}-000001` +* Aliases: `.kibana-event-log-{version}`, `.kibana-event-log-{version}-000001` + +Starting in {stack} 8.9.0, a new data stream (`.kibana-event-log-ds`) was introduced for event log storage. + +The `elastic/kibana` service account has permissions to access the new data stream but does not have permissions to access the old reindexed indices. When {kib} queries `.kibana-event-log-*`, it matches both the new data stream and the old reindexed index, causing Point-in-Time (PIT) operations to fail. + +*Workaround* + + +Migrate data from the old reindexed index to the new data stream, then delete the old index. + +1. **Identify the old index**: + + ```console + GET .kibana-event-log-* + ``` + + Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. + +2. **Reindex data to the new data stream**: + + ```console + POST _reindex + { + "source": { + "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> + }, + "dest": { + "index": ".kibana-event-log-ds", + "op_type": "create" + } + } + ``` + + 1. Replace `7.17.29` with your version number. + +3. 
**Delete the old index**: + + ```console + DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 + ``` + +4. **Verify**: + + ```console + GET .kibana-event-log-* + ``` + + Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. + +**IMPORTANT** +* **Backup**: Consider backing up your data before performing these operations in production environments. +* **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. + +==== +// end::known-issue[4770] + [discrete] [[deprecations-8.18.0]] ==== Deprecations From b270133facbec3add272dd6d822e39471fceb190 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 09:58:44 -0500 Subject: [PATCH 2/7] Adding to other 8.x releases --- docs/release-notes/8.18.asciidoc | 112 +++++++++++++++++++++++++++++-- 1 file changed, 108 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 52ac0d1f87..e6fa0602e8 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -5,6 +5,12 @@ [[release-notes-8.18.8]] === 8.18.8 +[discrete] +[[known-issue-8.18.8]] +==== Known issues + +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[features-8.18.8]] ==== New features @@ -32,6 +38,12 @@ [[release-notes-8.18.7]] === 8.18.7 +[discrete] +[[known-issue-8.18.7]] +==== Known issues + +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[bug-fixes-8.18.7]] ==== Fixes @@ -45,6 +57,12 @@ [[release-notes-8.18.6]] === 8.18.6 +[discrete] +[[known-issue-8.18.6]] +==== Known issues + +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[enhancements-8.18.6]] ==== Enhancements 
@@ -64,6 +82,12 @@ [[release-notes-8.18.5]] === 8.18.5 +[discrete] +[[known-issue-8.18.5]] +==== Known issues + +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[enhancements-8.18.5]] ==== Enhancements @@ -86,6 +110,12 @@ [[release-notes-8.18.4]] === 8.18.4 +[discrete] +[[known-issue-8.18.4]] +==== Known issues + +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[enhancements-8.18.4]] ==== Enhancements @@ -138,6 +168,8 @@ This issue is fixed in {stack} version 8.18.4. ==== // end::known-issue[] +include::8.18.asciidoc[tag=known-issue-4770] + [discrete] [[enhancements-8.18.3]] 
@@ -286,7 +318,79 @@ This issue is fixed in {stack} version 8.18.2. ==== // end::known-issue[] -include::8.18.asciidoc[tag=known-issue-4770] +// tag::known-issue-4770 +[discrete] +.Details about gap fills aren't properly updated +[%collapsible] +==== +*Details* + + +After upgrading to 8.18.0 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: + +* **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. + +* **Rule deletion**: If a rule has gaps and you delete the rule, the rule is removed but the gaps are not marked as deleted. You may see incorrect numbers when viewing total rules with gaps. + +**Root cause** + +When upgrading from {stack} versions earlier than 8.9, the old event log index is reindexed with a new name: + +* Old index: `.reindexed-v8-kibana-event-log-{version}-000001` +* Aliases: `.kibana-event-log-{version}`, `.kibana-event-log-{version}-000001` + +Starting in {stack} 8.9.0, a new data stream (`.kibana-event-log-ds`) was introduced for event log storage. + +The `elastic/kibana` service account has permissions to access the new data stream but does not have permissions to access the old reindexed indices. When {kib} queries `.kibana-event-log-*`, it matches both the new data stream and the old reindexed index, causing Point-in-Time (PIT) operations to fail. + +*Workaround* + + +Migrate data from the old reindexed index to the new data stream, then delete the old index. + +1. **Identify the old index**: + + ```console + GET .kibana-event-log-* + ``` + + Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. + +2. 
**Reindex data to the new data stream**: + + ```console + POST _reindex + { + "source": { + "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> + }, + "dest": { + "index": ".kibana-event-log-ds", + "op_type": "create" + } + } + ``` + + <1> Replace `7.17.29` with your version number. + +3. **Delete the old index**: + + ```console + DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 + ``` + +4. **Verify**: + + ```console + GET .kibana-event-log-* + ``` + + Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. + +**IMPORTANT** +* **Backup**: Consider backing up your data before performing these operations in production environments. +* **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. + +==== +// end::known-issue-4770[] [discrete] [[enhancements-8.18.1]] @@ -456,7 +560,7 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. ==== *Details* + -After upgrading to 9.3 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: +After upgrading to 8.18.0 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: * **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. @@ -500,7 +604,7 @@ Migrate data from the old reindexed index to the new data stream, then delete th } ``` - 1. Replace `7.17.29` with your version number. + <1> Replace `7.17.29` with your version number. 3. **Delete the old index**: 
@@ -521,7 +625,7 @@ Migrate data from the old reindexed index to the new data stream, then delete th * **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. ==== -// end::known-issue[4770] +// end::known-issue-4770 [discrete] [[deprecations-8.18.0]] From 0ce466f39646fab67ba78254d26c63b5afbe06b7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 12:26:17 -0500 Subject: [PATCH 3/7] fix? --- docs/release-notes/8.18.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index e6fa0602e8..fd9dba7ae0 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -318,7 +318,7 @@ This issue is fixed in {stack} version 8.18.2. ==== // end::known-issue[] -// tag::known-issue-4770 +// tag::known-issue-4770[] [discrete] .Details about gap fills aren't properly updated [%collapsible] @@ -553,7 +553,7 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. ==== // end::known-issue[] -// tag::known-issue-4770 +// tag::known-issue-4770[] [discrete] .Details about gap fills aren't properly updated [%collapsible] @@ -625,7 +625,7 @@ Migrate data from the old reindexed index to the new data stream, then delete th * **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. ==== -// end::known-issue-4770 +// end::known-issue-4770[] [discrete] [[deprecations-8.18.0]] From 52ea0f73d62cb3ee22047b6d9f0de021a40be04c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 13:26:21 -0500 Subject: [PATCH 4/7] double mention --- docs/release-notes/8.18.asciidoc | 76 +------------------------------- 1 file changed, 2 insertions(+), 74 deletions(-) 
diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc
index fd9dba7ae0..b910cddff5 100644
--- a/docs/release-notes/8.18.asciidoc
+++ b/docs/release-notes/8.18.asciidoc
@@ -318,79 +318,7 @@ This issue is fixed in {stack} version 8.18.2. ==== // end::known-issue[] -// tag::known-issue-4770[] -[discrete] -.Details about gap fills aren't properly updated -[%collapsible] -==== -*Details* + - -After upgrading to 8.18.0 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: - -* **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. - -* **Rule deletion**: If a rule has gaps and you delete the rule, the rule is removed but the gaps are not marked as deleted. You may see incorrect numbers when viewing total rules with gaps. - -**Root cause** - -When upgrading from {stack} versions earlier than 8.9, the old event log index is reindexed with a new name: - -* Old index: `.reindexed-v8-kibana-event-log-{version}-000001` -* Aliases: `.kibana-event-log-{version}`, `.kibana-event-log-{version}-000001` - -Starting in {stack} 8.9.0, a new data stream (`.kibana-event-log-ds`) was introduced for event log storage. - -The `elastic/kibana` service account has permissions to access the new data stream but does not have permissions to access the old reindexed indices. When {kib} queries `.kibana-event-log-*`, it matches both the new data stream and the old reindexed index, causing Point-in-Time (PIT) operations to fail. - -*Workaround* + - -Migrate data from the old reindexed index to the new data stream, then delete the old index. - -1. **Identify the old index**: - - ```console - GET .kibana-event-log-* - ``` - - Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. - -2. **Reindex data to the new data stream**: - - ```console - POST _reindex - { - "source": { - "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> - }, - "dest": { - "index": ".kibana-event-log-ds", - "op_type": "create" - } - } - ``` - - <1> Replace `7.17.29` with your version number. - -3. 
**Delete the old index**: - - ```console - DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 - ``` - -4. **Verify**: - - ```console - GET .kibana-event-log-* - ``` - - Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. - -**IMPORTANT** -* **Backup**: Consider backing up your data before performing these operations in production environments. -* **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. - -==== -// end::known-issue-4770[] +include::8.18.asciidoc[tag=known-issue-4770] [discrete] [[enhancements-8.18.1]] @@ -560,7 +488,7 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. ==== *Details* + -After upgrading to 8.18.0 from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: +After upgrading to 8.18 (or one of the 8.18 patch releases) from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: * **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. From 31f43541429bd6907aa5ce2f1743b58dfa9ca49c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 14:29:30 -0500 Subject: [PATCH 5/7] fix note formatting --- docs/release-notes/8.18.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index b910cddff5..309bfa3084 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -548,7 +548,8 @@ Migrate data from the old reindexed index to the new data stream, then delete th Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. -**IMPORTANT** +**IMPORTANT:** + * **Backup**: Consider backing up your data before performing these operations in production environments. * **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. From b95c58372fec58b1d891714c544d623abe2195d3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 15:35:13 -0500 Subject: [PATCH 6/7] code examples --- docs/release-notes/8.18.asciidoc | 70 +++++++++++++++++--------------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 309bfa3084..3156fd5f54 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -488,7 +488,7 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. ==== *Details* + -After upgrading to 8.18 (or one of the 8.18 patch releases) from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: +After upgrading to 8.18.x from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality: * **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete. 
@@ -509,46 +509,50 @@ The `elastic/kibana` service account has permissions to access the new data stre Migrate data from the old reindexed index to the new data stream, then delete the old index. -1. **Identify the old index**: - - ```console - GET .kibana-event-log-* - ``` - - Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. - -2. **Reindex data to the new data stream**: +. **Identify the old index**: ++ +[source,console] +---- +GET .kibana-event-log-* +---- ++ +Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. - ```console - POST _reindex - { - "source": { - "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> +. **Reindex data to the new data stream**: ++ +[source,console] +---- +POST _reindex +{ + "source": { + "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> }, - "dest": { + "dest": { "index": ".kibana-event-log-ds", "op_type": "create" } - } - ``` - - <1> Replace `7.17.29` with your version number. - -3. **Delete the old index**: - - ```console - DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 - ``` - -4. **Verify**: +} +---- ++ + <1> Replace `7.17.29` with your version number. ++ +. **Delete the old index**: ++ +[source,console] +---- +DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 +---- - ```console - GET .kibana-event-log-* - ``` +. **Verify**: ++ +[source,console] +---- +GET .kibana-event-log-* +---- - Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. +Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. -**IMPORTANT:** +IMPORTANT: * **Backup**: Consider backing up your data before performing these operations in production environments. * **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. 
From bd2f51dceb4eb7b5179016737923f29de4410c06 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Feb 2026 16:05:46 -0500 Subject: [PATCH 7/7] Formatting fixes --- docs/release-notes/8.18.asciidoc | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 3156fd5f54..ca285c4a02 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -494,7 +494,7 @@ After upgrading to 8.18.x from a {stack} version earlier than 8.9, you might enc * **Rule deletion**: If a rule has gaps and you delete the rule, the rule is removed but the gaps are not marked as deleted. You may see incorrect numbers when viewing total rules with gaps. -**Root cause** +*Root cause* + When upgrading from {stack} versions earlier than 8.9, the old event log index is reindexed with a new name: @@ -520,21 +520,21 @@ Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`. . **Reindex data to the new data stream**: + -[source,console] ----- +[source,sh] +-------------------------------------------------- POST _reindex { "source": { - "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" <1> - }, - "dest": { - "index": ".kibana-event-log-ds", - "op_type": "create" - } + "index": ".reindexed-v8-kibana-event-log-7.17.29-000001" + }, + "dest": { + "index": ".kibana-event-log-ds", + "op_type": "create" + } } ----- +-------------------------------------------------- + - <1> Replace `7.17.29` with your version number. +NOTE: Replace `7.17.29` with your version number. + . **Delete the old index**: + @@ -542,14 +542,14 @@ POST _reindex ---- DELETE .reindexed-v8-kibana-event-log-7.17.29-000001 ---- - ++ . **Verify**: + [source,console] ---- GET .kibana-event-log-* ---- - ++ Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain. IMPORTANT: 
@@ -557,6 +557,7 @@ IMPORTANT: * **Backup**: Consider backing up your data before performing these operations in production environments. * **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases. + ==== // end::known-issue-4770[]