Merge branch 'master' into cypress-pipe

.ci/es-snapshots/Jenkinsfile_verify_es

@@ -19,7 +19,7 @@ currentBuild.description = "ES: ${SNAPSHOT_VERSION}<br />Kibana: ${params.branch
 
 def SNAPSHOT_MANIFEST = "https://storage.googleapis.com/kibana-ci-es-snapshots-daily/${SNAPSHOT_VERSION}/archives/${SNAPSHOT_ID}/manifest.json"
 
-kibanaPipeline(timeoutMinutes: 150) {
+kibanaPipeline(timeoutMinutes: 210) {
   catchErrors {
     slackNotifications.onFailure(
       title: "*<${env.BUILD_URL}|[${SNAPSHOT_VERSION}] ES Snapshot Verification Failure>*",

.github/CODEOWNERS

@@ -74,7 +74,13 @@
 #CC# /src/plugins/apm_oss/ @elastic/apm-ui
 #CC# /x-pack/plugins/observability/ @elastic/apm-ui
 
-# Client Side Monitoring (lives in APM directories but owned by Uptime)
+# Uptime
+/x-pack/plugins/uptime @elastic/uptime
+/x-pack/test/functional_with_es_ssl/apps/uptime  @elastic/uptime
+/x-pack/test/functional/apps/uptime @elastic/uptime
+/x-pack/test/api_integration/apis/uptime @elastic/uptime
+
+# Client Side Monitoring / Uptime (lives in APM directories but owned by Uptime)
 /x-pack/plugins/apm/e2e/cypress/support/step_definitions/csm @elastic/uptime
 /x-pack/plugins/apm/e2e/cypress/integration/csm_dashboard.feature @elastic/uptime
 /x-pack/plugins/apm/public/application/csmApp.tsx @elastic/uptime
@@ -106,7 +112,6 @@
 /x-pack/plugins/fleet/ @elastic/fleet
 /x-pack/plugins/observability/ @elastic/observability-ui
 /x-pack/plugins/monitoring/ @elastic/stack-monitoring-ui
-/x-pack/plugins/uptime @elastic/uptime
 
 # Machine Learning
 /x-pack/plugins/ml/  @elastic/ml-ui

.github/workflows/backport.yml

@@ -18,34 +18,20 @@ jobs:
       )
     runs-on: ubuntu-latest
     steps:
-      - name: 'Get backport config'
-        run: |
-          curl 'https://raw.githubusercontent.com/elastic/kibana/master/.backportrc.json' > .backportrc.json
-
-      - name: Use Node.js 14.x
-        uses: actions/setup-node@v1
+      - name: Checkout Actions
+        uses: actions/checkout@v2
         with:
-          node-version: 14.x
-
-      - name: Install backport CLI
-        run: npm install -g [email protected]
+          repository: 'elastic/kibana-github-actions'
+          ref: main
+          path: ./actions
 
-      - name: Backport PR
-        run: |
-          git config --global user.name "kibanamachine"
-          git config --global user.email "[email protected]"
-          backport --fork true --username kibanamachine --accessToken "${{ secrets.KIBANAMACHINE_TOKEN }}" --ci --pr "$PR_NUMBER" --labels backport --assignee "$PR_OWNER" | tee 'output.log'
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          PR_OWNER: ${{ github.event.pull_request.user.login }}
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
 
-      - name: Report backport status
-        run: |
-          COMMENT="Backport result
-          \`\`\`
-          $(cat output.log)
-          \`\`\`"
-
-          GITHUB_TOKEN="${{ secrets.KIBANAMACHINE_TOKEN }}" gh api -X POST repos/elastic/kibana/issues/$PR_NUMBER/comments -F body="$COMMENT"
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+      - name: Run Backport
+        uses: ./actions/backport
+        with:
+          branch: master
+          github_token: ${{secrets.KIBANAMACHINE_TOKEN}}
+          commit_user: kibanamachine
+          commit_email: [email protected]

.gitignore

@@ -61,9 +61,6 @@ npm-debug.log*
 .ci/bash_standard_lib.sh
 .gradle
 
-# apm plugin
-/x-pack/plugins/apm/tsconfig.json
-apm.tsconfig.json
 ## @cypress/snapshot from apm plugin
 snapshots.js
 

Jenkinsfile

@@ -3,7 +3,7 @@
 library 'kibana-pipeline-library'
 kibanaLibrary.load()
 
-kibanaPipeline(timeoutMinutes: 155, checkPrChanges: true, setCommitStatus: true) {
+kibanaPipeline(timeoutMinutes: 210, checkPrChanges: true, setCommitStatus: true) {
   slackNotifications.onFailure(disabled: !params.NOTIFY_ON_FAILURE) {
     githubPr.withDefaultPrComments {
       ciStats.trackBuild {

docs/development/core/server/kibana-plugin-core-server.loggingservicesetup.configure.md

@@ -34,7 +34,7 @@ Customize the configuration for the plugins.data.search context.
 core.logging.configure(
   of({
     appenders: new Map(),
-    loggers: [{ context: 'search', appenders: ['default'] }]
+    loggers: [{ name: 'search', appenders: ['default'] }]
   })
 )
 

docs/discover/kuery.asciidoc

@@ -1,55 +1,63 @@
 [[kuery-query]]
 === Kibana Query Language
 
-The Kibana Query Language (KQL) makes it easy to find
-the fields and syntax for your {es} query. If you have the
-https://www.elastic.co/subscriptions[Basic tier] or above,
-simply place your cursor in the *Search* field. As you type, you’ll get suggestions for fields,
-values, and operators.
+The Kibana Query Language (KQL) is a simple syntax for filtering {es} data using
+free text search or field-based search. KQL is only used for filtering data, and has
+no role in sorting or aggregating the data.
+
+KQL is able to suggest field names, values, and operators as you type.
+The performance of the suggestions is controlled by <<settings, {kib} settings>>:
 
 [role="screenshot"]
 image::images/kql-autocomplete.png[Autocomplete in Search bar]
 
-If you prefer to use Kibana’s legacy query language, based on the
-<<lucene-query, Lucene query syntax>>, click *KQL* next to the *Search* field, and then turn off KQL.
+KQL has a different set of features than the <<lucene-query>>. KQL is able to query
+nested fields and <<scripted-fields, scripted fields>>. KQL does not support regular expressions
+or searching with fuzzy terms. To use the legacy Lucene syntax, click *KQL* next to the *Search* field,
+and then turn off KQL.
 
 [discrete]
 === Terms query
 
-A terms query matches documents that contain one or more *exact* terms in a field.
+A terms query uses *exact search terms*. Spaces separate each search term, and only one term
+is required to match the document. Use quotation marks to indicate a *phrase match*.
 
-To match documents where the response field is `200`:
+To query using *exact search terms*, enter the field name followed by `:` and
+then the values separated by spaces:
 
 [source,yaml]
 -------------------
-response:200
+http.response.status_code:400 401 404
 -------------------
 
-To match documents with the phrase "quick brown fox" in the `message` field.
+For text fields, this will match any value regardless of order:
 
 [source,yaml]
 -------------------
-message:"quick brown fox"
+http.response.body.content.text:quick brown fox
 -------------------
 
-Without the quotes,
-the query matches documents regardless of the order in which
-they appear. Documents with "quick brown fox" match,
-and so does "quick fox brown".
+To query for an *exact phrase*, use quotation marks around the values:
+
+[source,yaml]
+-------------------
+http.response.body.content.text:"quick brown fox"
+-------------------
 
-NOTE: Terms without fields are matched against the default field in your index settings.
-If a default field is not
-set, terms are matched against all fields. For example, a query
-for `response:200` searches for the value 200
-in the response field, but a query for just `200` searches for 200
-across all fields in your index.
+Field names are not required by KQL. When a field name is not provided, terms
+will be matched by the default fields in your index settings. To search across fields:
 
+[source,yaml]
+-------------------
+"quick brown fox"
+-------------------
 
 [discrete]
 === Boolean queries
 
 KQL supports `or`, `and`, and `not`. By default, `and` has a higher precedence than `or`.
-To override the default precedence, group operators in parentheses.
+To override the default precedence, group operators in parentheses. These operators can
+be upper or lower case.
 
 To match documents where response is `200`, extension is `php`, or both:
 
@@ -143,18 +151,24 @@ but in some cases you might need to search on dates. Include the date range in q
 [discrete]
 === Exist queries
 
-An exist query matches documents that contain a value for a field, in this case,
+An exist query matches documents that contain any value for a field, in this case,
 response:
 
 [source,yaml]
 -------------------
 response:*
 -------------------
 
+Existence is defined by {es} and includes all values, including empty text.
+
 [discrete]
 === Wildcard queries
 
-To match documents where machine.os starts with `win`, such
+Wildcards queries can be used to *search by a term prefix* or to *search multiple fields*.
+The default settings of {kib} *prevent leading wildcards* for performance reasons,
+but this can be allowed with an <<query-allowleadingwildcards, advanced setting>>.
+
+To match documents where `machine.os` starts with `win`, such
 as "windows 7" and "windows 10":
 
 [source,yaml]

docs/discover/search.asciidoc

@@ -53,36 +53,55 @@ include::kuery.asciidoc[]
 
 [[lucene-query]]
 === Lucene query syntax
-Kibana's legacy query language was based on the Lucene query syntax. For the time being this syntax
-is still available under the options menu in the Query Bar and in Advanced Settings. The following
-are some tips that can help get you started.
+Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
+Full documentation for this syntax is available as part of {es}
+{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].
 
-* To perform a free text search, simply enter a text string. For example, if
+The main reason to use the Lucene query syntax in {kib} is for advanced
+Lucene features, such as regular expressions or fuzzy term matching. However,
+Lucene syntax is not able to search nested objects or scripted fields.
+
+To perform a free text search, simply enter a text string. For example, if
 you're searching web server logs, you could enter `safari` to search all
-fields for the term `safari`.
+fields:
+
+[source,yaml]
+-------------------
+safari
+-------------------
+
+To search for a value in a specific field, prefix the value with the name
+of the field:
 
-* To search for a value in a specific field, prefix the value with the name
-of the field. For example, you could enter `status:200` to find all of
-the entries that contain the value `200` in the `status` field.
+[source,yaml]
+-------------------
+status:200
+-------------------
 
-* To search for a range of values, you can use the bracketed range syntax,
+To search for a range of values, use the bracketed range syntax,
 `[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
 status codes, you could enter `status:[400 TO 499]`.
 
-* To specify more complex search criteria, you can use the Boolean operators
-`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
-codes and have an extension of `php` or `html`, you could enter `status:[400 TO
-499] AND (extension:php OR extension:html)`.
+[source,yaml]
+-------------------
+status:[400 TO 499]
+-------------------
+
+For an open range, use a wildcard:
 
-IMPORTANT: When you use the Lucene Query Syntax in the *KQL* search bar, {kib} is unable to search on nested objects and perform aggregations across fields that contain nested objects.
-Using `include_in_parent` or `copy_to` as a workaround can cause {kib} to fail.
+[source,yaml]
+-------------------
+status:[400 TO *]
+-------------------
 
-For more detailed information about the Lucene query syntax, see the
-{ref}/query-dsl-query-string-query.html#query-string-syntax[Query String Query]
-docs.
+To specify more complex search criteria, use the boolean operators
+`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
+codes and have an extension of `php` or `html`:
 
-NOTE: These examples use the Lucene query syntax. When lucene is selected as your
-query language you can also submit queries using the {ref}/query-dsl.html[Elasticsearch Query DSL].
+[source,yaml]
+-------------------
+status:[400 TO 499] AND (extension:php OR extension:html)
+-------------------
 
 
 [[save-open-search]]

docs/management/advanced-options.asciidoc

@@ -258,8 +258,12 @@ Highlights results in *Discover* and saved searches on dashboards. Highlighting
 slows requests when working on big documents.
 
 [[doctable-legacy]]`doc_table:legacy`:: 
-Control the way the Discover's table looks and works. Set this property to `true` to revert to the legacy implementation.
+Controls the way the document table looks and works. Set this property to `true` to revert to the legacy implementation.
 
+[[discover-searchFieldsFromSource]]`discover:searchFieldsFromSource`::
+Load fields from the original JSON {ref}/mapping-source-field.html[`_source`].
+When disabled, *Discover* loads fields using the {es} search API's
+{ref}/search-fields.html#search-fields-param[`fields`] parameter.
 
 [float]
 [[kibana-ml-settings]]

docs/settings/security-settings.asciidoc

@@ -356,26 +356,26 @@ To enable the <<xpack-security-ecs-audit-logging, ECS audit logger>>, specify wh
 [source,yaml]
 ----------------------------------------
 xpack.security.audit.appender:
-  kind: rolling-file
-  path: ./audit.log
+  type: rolling-file
+  fileName: ./audit.log
   policy:
-    kind: time-interval
+    type: time-interval
     interval: 24h <1>
   strategy:
-    kind: numeric
+    type: numeric
     max: 10 <2>
   layout:
-    kind: json
+    type: json
 ----------------------------------------
 <1> Rotates log files every 24 hours.
 <2> Keeps maximum of 10 log files before deleting older ones.
 
-| `xpack.security.audit.appender.kind`
+| `xpack.security.audit.appender.type`
 | Required. Specifies where audit logs should be written to. Allowed values are `console`, `file`, or `rolling-file`. 
 
 Refer to <<audit-logging-file-appender>> and <<audit-logging-rolling-file-appender>> for appender specific settings.
 
-| `xpack.security.audit.appender.layout.kind`
+| `xpack.security.audit.appender.layout.type`
 | Required. Specifies how audit logs should be formatted. Allowed values are `json` or `pattern`.
 
 Refer to <<audit-logging-pattern-layout>> for layout specific settings.
@@ -396,7 +396,7 @@ The `file` appender writes to a file and can be configured using the following s
 
 [cols="2*<"]
 |======
-| `xpack.security.audit.appender.path`
+| `xpack.security.audit.appender.fileName`
 | Required. Full file path the log file should be written to.
 |======
 
@@ -408,14 +408,14 @@ The `rolling-file` appender writes to a file and rotates it using a rolling stra
 
 [cols="2*<"]
 |======
-| `xpack.security.audit.appender.path`
+| `xpack.security.audit.appender.fileName`
 | Required. Full file path the log file should be written to.
 
-| `xpack.security.audit.appender.policy.kind`
+| `xpack.security.audit.appender.policy.type`
 | Specifies when a rollover should occur. Allowed values are `size-limit` and `time-interval`. *Default:* `time-interval`.
 
 Refer to <<audit-logging-size-limit-policy>> and <<audit-logging-time-interval-policy>> for policy specific settings.
-| `xpack.security.audit.appender.strategy.kind`
+| `xpack.security.audit.appender.strategy.type`
 | Specifies how the rollover should occur. Only allowed value is currently `numeric`. *Default:* `numeric`
 
 Refer to <<audit-logging-numeric-strategy>> for strategy specific settings.

docs/user/dashboard/url-drilldown.asciidoc

@@ -256,7 +256,7 @@ Note:
 | *Range selection*
 | event.from +
 event.to
-| `from` and `to` values of selected range. Depending on your data, could be either a date or number. +
+| `from` and `to` values of the selected range as numbers. +
 Tip: Consider using <<helpers, date>> helper for date formatting.
 
 |

package.json

@@ -98,7 +98,7 @@
     "@elastic/datemath": "link:packages/elastic-datemath",
     "@elastic/elasticsearch": "npm:@elastic/elasticsearch-canary@^8.0.0-canary",
     "@elastic/ems-client": "7.12.0",
-    "@elastic/eui": "31.4.0",
+    "@elastic/eui": "31.7.0",
     "@elastic/filesaver": "1.1.2",
     "@elastic/good": "^9.0.1-kibana3",
     "@elastic/node-crypto": "1.2.1",