Merge branch 'main' into 3183-ms-defender-for-endpoint

Author: benironside

deploy-manage/deploy/elastic-cloud/regions.md

@@ -26,9 +26,11 @@ The following AWS regions are currently available:
 
 | Region | Name |
 | :--- | :--- |
+| ap-northeast-1 | Asia Pacific (Tokyo) |
 | ap-southeast-1 | Asia Pacific (Singapore) |
 | eu-central-1 | Europe (Frankfurt) |
 | eu-west-1 | Europe (Ireland) |
+| eu-west-2 | Europe (London) |
 | us-east-1 | US East (N. Virginia) |
 | us-east-2 | US East (Ohio) |
 | us-west-2 | US West (Oregon) |

deploy-manage/security/private-connectivity-aws.md

@@ -301,7 +301,7 @@ If the policy doesn't contain a VPC filter, then the association can serve as a
 
 ## Access the deployment over a PrivateLink [ec-access-the-deployment-over-private-link]
 
-For traffic to connect with the deployment over Azure PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions.
+For traffic to connect with the deployment over AWS PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions.
 
 ::::{important}
 Use the alias you’ve set up as CNAME DNS record to access your deployment.
@@ -408,4 +408,4 @@ To delete a policy:
 
 :::{include} _snippets/network-security-page.md
 :::
-4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy.
+4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy.

explore-analyze/_snippets/import-discover-query-controls-into-dashboard.md

@@ -0,0 +1,17 @@
+To add a Discover query to a dashboard in a way that preserves the [controls created from Discover](/explore-analyze/discover/try-esql.md#add-variable-control-discover) and also adds them to the dashboard, do as follows:
+
+1. Save the {{esql}} query containing the variable control into a Discover session. If your Discover session contains several tabs, only the first tab will be imported to the dashboard.
+
+1. Go to **Dashboards** and open or create one.
+
+1. Select **Add**, then **From library**.
+
+1. Find and select the Discover session you saved earlier.
+
+A new panel appears on the dashboard with the results of the query along with any attached controls.
+
+![Importing Discover controls into a dashboard](/explore-analyze/images/import-discover-control-dashboard.png " =40%")
+
+:::{note}
+When you add a visualization to a dashboard using the {icon}`save` **Save visualization** option, controls are not added to the dashboard.
+:::

explore-analyze/_snippets/variable-control-examples.md

@@ -0,0 +1,25 @@
+**Examples**
+
+* Integrate filtering into your {{esql}} experience
+
+  ```esql
+  | WHERE field == ?value
+  ```
+
+* Fields in controls for dynamic group by
+
+  ```esql
+  | STATS count=COUNT(*) BY ??field
+  ```
+
+* Variable time ranges? Bind function configuration settings to a control
+
+  ```esql
+  | BUCKET(@timestamp, ?interval),
+  ```
+
+* Make the function itself dynamic
+
+  ```esql
+  | STATS metric = ??function
+  ```

explore-analyze/_snippets/variable-control-form.md

@@ -0,0 +1,11 @@
+* The type of the control. 
+  * For controls with **Static values**, enter available controls manually or select them from the dropdown list. 
+  * For controls with **Values from a query**, write an {{esql}} query to populate the list of options.
+* The name of the control. This name is used to reference the control in {{esql}} queries. 
+  * Start the name with `?` if you want the options to be simple static values.
+  * {applies_to}`stack: ga 9.1` Start the name with `??` if you want the options to be fields or functions.
+* The values users can select for this control. You can add multiple values from suggested fields, or type in custom values. If you selected **Values from a query**, you must instead write an {{esql}} query at this step.
+* The label of the control. This is the label displayed in **Discover** or in the dashboard.
+* The width of the control.
+
+  ![ESQL control settings](/explore-analyze/images/esql-visualization-control-settings.png "title =50%")

explore-analyze/dashboards/add-controls.md

@@ -90,6 +90,10 @@ You can add one interactive time slider control to a dashboard.
 
 
 ## Add variable controls [add-variable-control]
+```{applies_to}
+stack: preview 9.0
+serverless: preview
+```
 
 :::{note}
 In versions `9.0` and `9.1`, variable controls are called {{esql}} controls.
@@ -113,17 +117,8 @@ Only **Options lists** are supported for {{esql}}-based controls. Options can be
 
 2. A menu opens to let you configure the control. This is where you can specify:
 
-    * The type of the control. 
-      * For controls with **Static values**, select the options available in the controls by entering them manually or by using a dropdown listing available values. 
-      * For controls with **Values from a query**, write an {{esql}} query to populate the list of options.
-    * The name of the control. This name is used to reference the control in {{esql}} queries. 
-      * Start the name with `?` if you want the options to be simple static values.
-      * Start the name with `??` if you want the options of the control to be fields or functions. {applies_to}`stack: ga 9.1`
-    * The values users can select for this control. You can add multiple values from suggested fields, or type in custom values. If you selected **Values from a query**, you must instead write an {{esql}} query at this step.
-    * The label of the control. This is the label displayed for users viewing the dashboard for that control.
-    * The width of the control.
-
-    ![ESQL control settings](/explore-analyze/images/esql-visualization-control-settings.png "title =50%")
+   :::{include} ../_snippets/variable-control-form.md
+   :::
 
 3. Save the control. 
 
@@ -132,34 +127,19 @@ If you added it by starting from a query, the control is directly inserted in th
 
 You can then insert it in any other {{esql}} visualization queries by typing the control's name.
 
+:::{include} ../_snippets/variable-control-examples.md
+:::
 
-**Examples**
-
-* Integrate filtering into your {{esql}} experience
-
-  ```esql
-  | WHERE field == ?value
-  ```
-
-* Fields in controls for dynamic group by
-
-  ```esql
-  | STATS count=COUNT(*) BY ?field
-  ```
-
-* Variable time ranges? Bind function configuration settings to a control
-
-  ```esql
-  | BUCKET(@timestamp, ?interval),
-  ```
-
-* Make the function itself dynamic
+![Editing {{esql}} controls from a dashboard](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blte42dfaa404bfc2d6/67d2e31e2e4dc59da190d78f/dashboard-esql-controls.gif)
 
-  ```esql
-  | STATS metric = ?function
-  ```
+### Import a Discover query along with its controls into a dashboard
+```{applies_to}
+stack: preview 9.2
+serverless: preview
+```
 
-![Editing {{esql}} controls from a dashboard](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blte42dfaa404bfc2d6/67d2e31e2e4dc59da190d78f/dashboard-esql-controls.gif)
+:::{include} ../_snippets/import-discover-query-controls-into-dashboard.md
+:::
 
 ## Configure the controls settings [configure-controls-settings]
 

explore-analyze/dashboards/using.md

@@ -1,6 +1,7 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/kibana/current/_use_and_filter_dashboards.html
+description: Learn how to explore and interact with Kibana dashboards using filters, time ranges, and controls to uncover insights in your data.
 applies_to:
   stack: ga
   serverless: ga
@@ -10,6 +11,11 @@ products:
 
 # Exploring dashboards [_use_and_filter_dashboards]
 
+Kibana dashboards support filtering, time range adjustments, and interactive controls that let you focus on specific data segments or time periods.
+
+This page covers the main ways to explore dashboard data: using KQL queries, filter pills, time ranges, and dashboard controls. You'll also learn how to view underlying data and switch between different display modes.
+
+
 
 ## Search and filter your dashboard data [search-or-filter-your-data]
 
@@ -23,6 +29,20 @@ products:
 
 This section shows the most common ways for you to filter dashboard data. For more information about {{kib}} and {{es}} filtering capabilities, refer to [](/explore-analyze/query-filter.md).
 
+### Filter dashboards using the KQL query bar [_filter_dashboards_using_the_kql_query_bar]
+
+The query bar lets you build filters using [{{kib}} Query Language (KQL)](../query-filter/languages/kql.md). When typing, it dynamically suggests matching fields, operators, and values to help you get the exact results that you want.
+
+You can use KQL to create complex queries that filter your dashboard data. For example:
+- `status:error` to show only error records
+- `response_time > 1000` to display requests slower than 1 second
+- `user.name:"john doe" AND status:active` to combine multiple conditions
+
+:::{tip}
+:applies_to: {"stack": "preview 9.2", "serverless": "unavailable"}
+When working with large datasets, complex KQL queries might cause dashboards to load slowly. In versions 9.2 and later, you can [send long-running searches to the background](../discover/background-search.md) and continue working on other tasks while the data loads.
+:::
+
 
 ### Use filter pills [_use_filter_pills]
 

explore-analyze/discover/background-search.md

@@ -0,0 +1,111 @@
+---
+navigation_title: "Run queries in the background"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/search-sessions.html
+applies_to:
+  stack: preview 9.2
+  serverless: unavailable
+products:
+  - id: kibana
+description: Send your long-running queries to run in the background with background searches and search sessions, and focus on your other tasks while they complete.
+---
+
+# Run Discover and Dashboards queries in the background
+
+::::{important} - Background search replaces Search sessions
+
+Background search is a feature introduced in version 9.2. It replaces the deprecated **Search sessions** feature.
+If you have been using search sessions and upgrade to 9.2, your search sessions aren't lost and become background searches.
+::::
+
+Sometimes you might need to search through large amounts of data, no matter how long the search takes. Consider a threat hunting scenario, where you need to search through years of data. 
+
+You can send your long-running searches to the background from **Discover** or **Dashboards** and let them run while you continue your work. 
+
+You can access your list of background searches at any time to check their status and manage them from the {icon}`background_task` **Background searches** button in the toolbar.
+
+![Send search to background](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltee31dcf0d3917c75/68ecf412e5bae49d65a286ff/background-search.gif " =75%")
+
+
+## Enable background searches
+
+This feature is disabled by default. You can enable background searches in versions 9.2 and later, or search sessions in versions 9.1 and earlier, by setting [`data.search.sessions.enabled`](kibana://reference/configuration-reference/search-sessions-settings.md) to `true` in the [`kibana.yml`](/deploy-manage/stack-settings.md) configuration file.
+
+:::{note} - Exception for search sessions users
+If you upgrade to version 9.2 or later with search sessions enabled in the version you upgrade from, background searches are automatically enabled.
+:::
+
+## Usage requirements [_requirements]
+
+The background searches that you run are personal and only visible by you. To use this feature, you must have the following minimum permissions:
+
+:::::{tab-set}
+:group: background search
+
+::::{tab-item} 9.2 and later
+:sync: 92
+To send searches to the background, and to view and interact with the list of background searches from **Discover** and **Dashboards** apps, you must have permissions for **Discover** and **Dashboard**, and for the [Background search subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges).
+::::
+
+::::{tab-item} 9.1 and earlier
+:sync: 91
+In versions 9.1 and earlier, this feature is named **Search sessions**.
+* To save a session, you must have permissions for **Discover** and **Dashboard**, and the [Search sessions subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges).
+* To view and restore a saved session, you must have access to **Stack Management**.
+::::
+
+:::::
+
+## Send a search to the background
+
+You can send a search to the background only after it starts running. Until then, the **Send to background** button is disabled.
+
+1. Write or edit the query.
+
+1. Select {icon}`play` **Run** (or {icon}`refresh` **Refresh** if you already ran the query at least once) to start executing the query. At this point, the {icon}`background_task` **Send to background** button becomes available.
+
+1. Select {icon}`background_task` **Send to background**. The search is sent to the background and added to the queue of background searches.
+
+You can resume your other tasks, for example start a new search, navigate to a different application, or close the browser. Once the search has completed, a notification informs you and lets you access the search to view its results.
+
+Background searches expire after 7 days. Beyond that period, you must run the search again. You can change this default value by editing the [`data.search.sessions.defaultExpiration`](kibana://reference/configuration-reference/search-sessions-settings.md) setting.
+
+## Reopen or manage background searches
+
+From the list of background searches, you can reopen and edit any searches, but also extend their validity period or delete them to keep only searches that you care about.
+
+1. Open your list of background searches using one of the following methods:
+   - Once a background search is sent to the background, a notification appears to inform you, with a link to open the list of background searches.
+   - If you miss the notification or need to access this list at any time, go to **Discover** or **Dashboards** and select the {icon}`background_task` **Background searches** button in the toolbar. This option is only available from version 9.2.
+
+     :::{tip}
+     From **Discover**, you can only view Discover background searches. And from **Dashboards**, you can only see Dashboards background searches.
+     :::
+   - Open the **Background Search** management page in {{kib}}.
+
+1. Find the background search that you want to interact with using the search or status filter options.
+   - To open it to view its results and continue your explorations, select its name. Relative dates are converted to absolute dates.
+   - To rename it, select the {icon}`boxes_horizontal` **More actions** button, then select {icon}`pencil` **Edit name**. By default, background searches get default names that indicate their execution date and time.
+   - To extend its current expiration date by another 7 days, select the {icon}`boxes_horizontal` More actions button, then select **Extend**.
+   - To delete it, select the {icon}`boxes_horizontal` More actions button, then select {icon}`trash` **Delete**.
+
+
+## Background search limitations in dashboards [_limitations]
+
+Some visualization features do not fully support background searches. When you restore a dashboard, panels with unsupported features won’t load immediately, but instead send out additional data requests, which can take a while to complete. The **Your background search is still running** warning appears. You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have finished.
+
+A panel on a dashboard can behave like this if one of the following features is used:
+
+**Lens**
+
+* A **top values** dimension with an enabled **Group other values as "Other"** setting. This is configurable in the **Advanced** section of the dimension.
+* An **intervals** dimension.
+
+**Aggregation-based** visualizations
+
+* A **terms** aggregation with an enabled **Group other values in separate bucket** setting.
+* A **histogram** aggregation.
+
+**Maps**
+
+* Layers using joins, blended layers, or tracks layers.

explore-analyze/discover/discover-get-started.md

@@ -308,6 +308,14 @@ Learn more about how to use ES|QL queries in [Using ES|QL](try-esql.md).
 :::{include} ../_snippets/inspect-request.md
 :::
 
+### Run long-running queries in the background
+```{applies_to}
+stack: ga 9.2
+serverless: unavailable
+```
+
+You can send your long-running KQL or {{esql}} queries to the background from **Discover** and let them run while you continue exploring your data. Refer to [Run queries in the background](/explore-analyze/discover/background-search.md).
+
 
 ### Save your Discover session for later use [save-discover-search]