Merged
114 changes: 114 additions & 0 deletions docs/release-notes/8.18.asciidoc
Expand Up @@ -5,6 +5,12 @@
[[release-notes-8.18.8]]
=== 8.18.8

[discrete]
[[known-issue-8.18.8]]
==== Known issues

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[features-8.18.8]]
==== New features
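Review bot: The `include::8.18.asciidoc[tag=known-issue-4770]` line under the new `==== Known issues` heading pulls a tagged region out of this same file, and nothing at the call site says where that region lives or what it covers. Since the same line is repeated in every 8.18.x section, a one-line comment above it (for example `// gap fill known issue, tagged region defined further down in this file`) would save readers a search. Separately, the anchor `[[known-issue-8.18.8]]` is singular while the heading reads "Known issues" and the neighbouring anchor `[[features-8.18.8]]` is plural; worth checking against the convention already used in this file.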
Expand Down Expand Up @@ -32,6 +38,12 @@
[[release-notes-8.18.7]]
=== 8.18.7

[discrete]
[[known-issue-8.18.7]]
==== Known issues

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[bug-fixes-8.18.7]]
==== Fixes
Expand All @@ -45,6 +57,12 @@
[[release-notes-8.18.6]]
=== 8.18.6

[discrete]
[[known-issue-8.18.6]]
==== Known issues

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[enhancements-8.18.6]]
==== Enhancements
Expand All @@ -64,6 +82,12 @@
[[release-notes-8.18.5]]
=== 8.18.5

[discrete]
[[known-issue-8.18.5]]
==== Known issues

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[enhancements-8.18.5]]
==== Enhancements
Expand All @@ -86,6 +110,12 @@
[[release-notes-8.18.4]]
=== 8.18.4

[discrete]
[[known-issue-8.18.4]]
==== Known issues

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[enhancements-8.18.4]]
==== Enhancements
Expand Down Expand Up @@ -138,6 +168,8 @@ This issue is fixed in {stack} version 8.18.4.
====
// end::known-issue[]

include::8.18.asciidoc[tag=known-issue-4770]


[discrete]
[[enhancements-8.18.3]]
Expand Down Expand Up @@ -286,6 +318,8 @@ This issue is fixed in {stack} version 8.18.2.
====
// end::known-issue[]

include::8.18.asciidoc[tag=known-issue-4770]

[discrete]
[[enhancements-8.18.1]]
==== Enhancements
Expand Down Expand Up @@ -447,6 +481,86 @@ This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1.
====
// end::known-issue[]

// tag::known-issue-4770[]
[discrete]
.Details about gap fills aren't properly updated
[%collapsible]
====
*Details* +

After upgrading to 8.18.x from a {stack} version earlier than 8.9, you might encounter the following issues with gap fill functionality:

* **Gap fills**: Manual runs are scheduled to fill gaps, but gap statuses aren't updated to `Filled` after the manual runs complete.

* **Rule deletion**: If a rule has gaps and you delete the rule, the rule is removed but the gaps are not marked as deleted. You may see incorrect numbers when viewing total rules with gaps.

*Root cause* +

When upgrading from {stack} versions earlier than 8.9, the old event log index is reindexed with a new name:

* Old index: `.reindexed-v8-kibana-event-log-{version}-000001`
* Aliases: `.kibana-event-log-{version}`, `.kibana-event-log-{version}-000001`

Starting in {stack} 8.9.0, a new data stream (`.kibana-event-log-ds`) was introduced for event log storage.

The `elastic/kibana` service account has permissions to access the new data stream but does not have permissions to access the old reindexed indices. When {kib} queries `.kibana-event-log-*`, it matches both the new data stream and the old reindexed index, causing Point-in-Time (PIT) operations to fail.

*Workaround* +

Migrate data from the old reindexed index to the new data stream, then delete the old index.

. **Identify the old index**:
+
[source,console]
----
GET .kibana-event-log-*
----
+
Look for indices with names like `.reindexed-v8-kibana-event-log-{version}-*`.

. **Reindex data to the new data stream**:
+
[source,sh]
--------------------------------------------------
POST _reindex
{
"source": {
"index": ".reindexed-v8-kibana-event-log-7.17.29-000001"
},
"dest": {
"index": ".kibana-event-log-ds",
"op_type": "create"
}
}
--------------------------------------------------
+
NOTE: Replace `7.17.29` with your version number.
+
. **Delete the old index**:
+
[source,console]
----
DELETE .reindexed-v8-kibana-event-log-7.17.29-000001
----
+
. **Verify**:
+
[source,console]
----
GET .kibana-event-log-*
----
+
Only the data stream (`.kibana-event-log-ds`) and its backing indices (`.ds-.kibana-event-log-ds-*`) should remain.

IMPORTANT:

* **Backup**: Consider backing up your data before performing these operations in production environments.
* **Event log retention**: Event log data has a default retention of 90 days. If you don't need historical data, you can skip the reindex step and simply delete the old index and its aliases.


====
// end::known-issue-4770[]

[discrete]
[[deprecations-8.18.0]]
==== Deprecations
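Review bot: The workaround goes straight from the `POST _reindex` step to `DELETE .reindexed-v8-kibana-event-log-7.17.29-000001` with no check that the reindex completed, and the delete cannot be undone. Add a step between them asking the reader to confirm that the reindex response reports no failures (or to compare document counts) before deleting the old index. Smaller points in the same block: the reindex snippet is tagged `[source,sh]` with a long dash delimiter while the other three requests use `[source,console]` and `----`; the `NOTE: Replace 7.17.29 with your version number.` appears only after the reindex step although the DELETE step hard-codes the same version; the `IMPORTANT:` line carries no text and is followed by a blank line, so the list under it will likely not render as an admonition; and unlike the neighbouring known issues, which end with "This issue is fixed in ...", this entry does not say whether or where the issue is fixed.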