Merge branch 'main' into 2036-CSPM-kibana-space-update

Author: benironside

deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md

@@ -72,7 +72,7 @@ $$$ec-restrictions-apis-kibana$$$
 * {{es}} plugins, are not enabled by default for security purposes. Reach out to support if you would like to enable {{es}} plugins support on your account.
 * Some {{es}} plugins do not apply to {{ecloud}}. For example, you won’t ever need to change discovery, as {{ecloud}} handles how nodes discover one another.
 % * In {{es}} 5.0 and later, site plugins are no longer supported. This change does not affect the site plugins {{ecloud}} might provide out of the box, such as Kopf or Head, since these site plugins are serviced by our proxies and not {{es}} itself.
-% * In {{es}} 5.0 and later, site plugins such as Kopf and Paramedic are no longer provided. We recommend that you use our [cluster performance metrics](../../monitor/stack-monitoring.md), [X-Pack monitoring features](../../monitor/stack-monitoring.md) and Kibana’s (6.3+) [Index Management UI](/manage-data/lifecycle/index-lifecycle-management/index-management-in-kibana.md) if you want more detailed information or perform index management actions.
+% * In {{es}} 5.0 and later, site plugins such as Kopf and Paramedic are no longer provided. We recommend that you use our [cluster performance metrics](../../monitor/stack-monitoring.md), [X-Pack monitoring features](../../monitor/stack-monitoring.md) and Kibana’s (6.3+) [Index Management UI](/manage-data/data-store/index-basics.md#manage-indices) if you want more detailed information or perform index management actions.
 
 
 ## Watcher [ec-restrictions-watcher]

deploy-manage/deploy/self-managed/installing-elasticsearch.md

@@ -108,7 +108,7 @@ If you decide to run {{es}} using a version of Java that is different from the b
 To use your own version of Java, set the `ES_JAVA_HOME` environment variable to the path to your own JVM installation. The bundled JVM is located within the `jdk` subdirectory of the {{es}} home directory. You may remove this directory if using your own JVM.
 
 :::{warning}
-Don’t use third-party Java agents that attach to the JVM. These agents can reduce {{es}} performance, including freezing or crashing nodes.
+Don’t use third-party Java agents that attach to the JVM. Such agents can be harmful to {{es}} stability and performance. In some cases they may cause nodes to freeze, crash, or fail to start up, or to lose or corrupt your data.
 :::
 
 ## Third-party dependencies [dependencies-versions]

docset.yml

@@ -278,7 +278,7 @@ subs:
   fleet-server-issue:   "https://github.com/elastic/fleet-server/issues/"
   fleet-server-pull:   "https://github.com/elastic/fleet-server/pull/"
   kib-pull:   "https://github.com/elastic/kibana/pull/"
-  stack-version: "9.0.0"
+  stack-version: "9.0.3"
   ece_version: "4.0.1"
   eck_version: "3.0.0"
   eck_release_branch: "3.0"

explore-analyze/alerts-cases/alerts/rule-type-es-query.md

@@ -26,7 +26,7 @@ When you create an {{es}} query rule, your choice of query type affects the info
 
 1. Define your query
 
-    If you use [query DSL](../../query-filter/languages/querydsl.md), you must select an index and time field then provide your query. Only the `query`, `fields`, `_source` and `runtime_mappings` fields are used, other DSL fields are not considered. For example:
+    * If you use [query DSL](../../query-filter/languages/querydsl.md), you must select an index and time field then provide your query. Only the `query`, `fields`, `_source` and `runtime_mappings` fields are used, other DSL fields are not considered. For example:
 
     ```sh
     {
@@ -36,34 +36,45 @@ When you create an {{es}} query rule, your choice of query type affects the info
      }
     ```
 
-    If you use [KQL](../../query-filter/languages/kql.md) or [Lucene](../../query-filter/languages/lucene-query-syntax.md), you must specify a data view then define a text-based query. For example, `http.request.referrer: "https://example.com"`.
+    * If you use [KQL](../../query-filter/languages/kql.md) or [Lucene](../../query-filter/languages/lucene-query-syntax.md), you must specify a data view then define a text-based query. For example, `http.request.referrer: "https://example.com"`.
 
-    If you use [ES|QL](../../query-filter/languages/esql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|).
+   * If you use [ES|QL](../../query-filter/languages/esql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|).
 
-    :::{admonition} Added in 8.16.0
-    This functionality was added in 8.16.0.
-    :::
+        :::{admonition} Added in 8.16.0
+        This functionality was added in 8.16.0.
+        :::
 
-    For example:
+        For example:
 
-    ```sh
-    FROM kibana_sample_data_logs
-    | STATS total_bytes = SUM(bytes) BY host
-    | WHERE total_bytes > 200000
-    | SORT total_bytes DESC
-    | LIMIT 10
-    ```
+        ```sh
+        FROM kibana_sample_data_logs
+        | STATS total_bytes = SUM(bytes) BY host
+        | WHERE total_bytes > 200000
+        | SORT total_bytes DESC
+        | LIMIT 10
+        ```
+
+2. Specify details for grouping alerts based on your query language.
+
+    * If you use query DSL, KQL, or Lucene, set the group and theshold.
+
+        When
+        :   Specify how to calculate the value that is compared to the threshold. The value is calculated by aggregating a numeric field within the time window. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used and an aggregation field is not necessary.
+
+        Over or Grouped Over
+        :   Specify whether the aggregation is applied over all documents or split into groups using up to four grouping fields. If you choose to use grouping, it’s a [terms](elasticsearch://reference/aggregations/search-aggregations-bucket-terms-aggregation.md) or [multi terms aggregation](elasticsearch://reference/aggregations/search-aggregations-bucket-multi-terms-aggregation.md); an alert will be created for each unique set of values when it meets the condition. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the top groups are checked.
 
-2. If you use query DSL, KQL, or Lucene, set the group and theshold.
+        Threshold
+        :   Defines a threshold value and a comparison operator  (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The value calculated by the aggregation is compared to this threshold.
 
-    When
-    :   Specify how to calculate the value that is compared to the threshold. The value is calculated by aggregating a numeric field within the time window. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used and an aggregation field is not necessary.
+    * {applies_to}`stack: ga 9.2` If you use {{esql}}, specify a time field and how to group alerts. 
 
-    Over or Grouped Over
-    :   Specify whether the aggregation is applied over all documents or split into groups using up to four grouping fields. If you choose to use grouping, it’s a [terms](elasticsearch://reference/aggregations/search-aggregations-bucket-terms-aggregation.md) or [multi terms aggregation](elasticsearch://reference/aggregations/search-aggregations-bucket-multi-terms-aggregation.md); an alert will be created for each unique set of values when it meets the condition. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the top groups are checked.
+        Time field
+        :   Choose the time field to use when filtering query results by the time window that you later specify for the rule. You can choose any time field that's availble on the index you're querying, for example, the `@timestamp` field.
 
-    Threshold
-    :   Defines a threshold value and a comparison operator  (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The value calculated by the aggregation is compared to this threshold.
+        Alert group
+        :   Select **Create an alert if matches are found** to create a single alert for multiple events matching the {{esql}} query. Select **Create an alert for each row** to create a separate alert for each event that matches the {{esql}} query. Whenever possible, each alert is given a unique ID. 
+ 
 
 3. Set the time window, which defines how far back to search for documents.
 4. If you use query DSL, KQL, or Lucene, set the number of documents to send to the configured actions when the threshold condition is met.

explore-analyze/alerts-cases/watcher/watcher-ui.md

@@ -30,7 +30,7 @@ To use Watcher in {{kib}}, you must have the built-in `kibana_admin` role and ei
 To manage roles, go to the **Roles** management page, or use the [role APIs](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-roles). Watches are shared between all users with the same role.
 
 ::::{note}
-If you are creating a threshold watch, you must also have the `view_index_metadata` index privilege. See [Index management](../../../manage-data/lifecycle/index-lifecycle-management/index-management-in-kibana.md) for detailed information.
+If you are creating a threshold watch, you must also have the `view_index_metadata` index privilege. See [Index management](/manage-data/data-store/index-basics.md#index-management) for detailed information.
 ::::
 
 ## Create a threshold alert [watcher-create-threshold-alert]

explore-analyze/images/kibana-rule-types-esql-query-valid.png

@@ -48,7 +48,7 @@ PUT _index_template/my-index-template
 
 After the index template is created, new indices that use the template will be configured as a logs data stream. You can start indexing data and [using the data stream](use-data-stream.md).
 
-You can also set the index mode and adjust other template settings in [the Elastic UI](../../lifecycle/index-lifecycle-management/index-management-in-kibana.md).
+You can also set the index mode and adjust other template settings in [the Elastic UI](/manage-data/data-store/index-basics.md#index-management-manage-index-templates).
 
 
 ## Synthetic source [logsdb-synthetic-source]