Merge remote-tracking branch 'origin/main' into esql_date_range_data_type

Author: craigtaverner

docs/changelog/136610.yaml

@@ -0,0 +1,6 @@
+pr: 136610
+summary: Pushing down eval expression when it requires data access
+area: ES|QL
+type: bug
+issues:
+ - 133462

docs/changelog/136720.yaml

@@ -0,0 +1,6 @@
+pr: 136720
+summary: Use Suppliers To Get Inference Results In Semantic Queries
+area: Vector Search
+type: bug
+issues:
+ - 136621

docs/changelog/136759.yaml

@@ -0,0 +1,5 @@
+pr: 136759
+summary: Avoid counting snapshot failures twice in SLM
+area: ILM+SLM
+type: bug
+issues: []

docs/changelog/136805.yaml

@@ -0,0 +1,6 @@
+pr: 136805
+summary: Allow single fork branch
+area: ES|QL
+type: enhancement
+issues:
+ - 135825

docs/reference/enrich-processor/normalize-for-stream.md

@@ -44,12 +44,12 @@ If the document is not OpenTelemetry-compliant, the processor normalizes it as f
   | `log.level` | `severity_text`                |
 
   The processor first looks for the nested form of the ECS field and if such does not exist, it looks for a top-level field with the dotted field name.
-* Other specific ECS fields that describe resources and have corresponding counterparts in the OpenTelemetry Semantic Conventions are moved to the `resource.attribtues` map. Fields that are considered resource attributes are such that conform to the following conditions:
+* Other specific ECS fields that describe resources and have corresponding counterparts in the OpenTelemetry Semantic Conventions are moved to the `resource.attributes` map. Fields that are considered resource attributes are such that conform to the following conditions:
     * They are ECS fields that have corresponding counterparts (either with
       the same name or with a different name) in OpenTelemetry Semantic Conventions.
     * The corresponding OpenTelemetry attribute is defined in
       [Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/tree/main/model)
-      within a group that is defined as `type: enitity`.
+      within a group that is defined as `type: entity`.
 * All other fields, except for `@timestamp`, are moved to the `attributes` map.
 * All non-array entries of the `attributes` and `resource.attributes` maps are flattened. Flattening means that nested objects are merged into their parent object, and the keys are concatenated with a dot. See examples below.
 
@@ -149,6 +149,7 @@ will be normalized into the following form:
       }
     ]
   },
+  "severity_text": "INFO",
   "body": {
     "text": "Hello, world!"
   },

docs/reference/query-languages/esql/esql-use-cases.md

@@ -0,0 +1,13 @@
+---
+applies_to:
+  stack:
+  serverless:
+navigation_title: "Use cases"
+---
+
+# Use cases for {{esql}}
+
+These pages detail how to use {{esql}} for search and cybersecurity use cases:
+
+- [ES|QL for search](docs-content://solutions/search/esql-for-search.md): Learn how to use {{esql}} for lexical (keyword) search, relevance scoring, semantic and hybrid search, semantic reranking, and more.
+- [ES|QL for security](docs-content://solutions/security/esql-for-security.md): Learn how to use {{esql}} for threat hunting, timeline investigation, detection rules, and migrating Splunk queries.

docs/reference/query-languages/toc.yml

@@ -87,6 +87,12 @@ toc:
   - file: esql.md
     children:
       - file: esql/esql-getting-started.md
+      - file: esql/esql-use-cases.md
+        children:
+          - title: "ES|QL for search"
+            crosslink: docs-content://solutions/search/esql-for-search.md
+          - title: "ES|QL for cybersecurity"
+            crosslink: docs-content://solutions/security/esql-for-security.md
       - file: esql/esql-rest.md
       - file: esql/esql-syntax-reference.md
         children:
@@ -155,6 +161,8 @@ toc:
       - file: esql/esql-examples.md
         children:
           - file: esql/esql-search-tutorial.md
+          - title: "ES|QL for threat hunting"
+            crosslink: docs-content://solutions/security/esql-for-security/esql-threat-hunting-tutorial.md
       - file: esql/esql-troubleshooting.md
         children:
           - file: esql/esql-query-log.md

server/src/main/java/org/elasticsearch/index/IndexSettings.java

@@ -671,7 +671,7 @@ public boolean isES87TSDBCodecEnabled() {
     public static final boolean DOC_VALUES_SKIPPER = new FeatureFlag("doc_values_skipper").isEnabled();
     public static final Setting<Boolean> USE_DOC_VALUES_SKIPPER = Setting.boolSetting(
         "index.mapping.use_doc_values_skipper",
-        false,
+        true,
         Property.IndexScope,
         Property.Final
     );

server/src/main/java/org/elasticsearch/index/IndexVersions.java

@@ -191,6 +191,7 @@ private static Version parseUnchecked(String version) {
     public static final IndexVersion UPGRADE_TO_LUCENE_10_3_1 = def(9_041_0_00, Version.LUCENE_10_3_1);
 
     public static final IndexVersion REENABLED_TIMESTAMP_DOC_VALUES_SPARSE_INDEX = def(9_042_0_00, Version.LUCENE_10_3_1);
+    public static final IndexVersion SKIPPERS_ENABLED_BY_DEFAULT = def(9_043_0_00, Version.LUCENE_10_3_1);
 
     /*
      * STOP! READ THIS FIRST! No, really,

server/src/main/java/org/elasticsearch/index/mapper/DateFieldMapper.java

@@ -1100,7 +1100,7 @@ private DateFieldMapper(
      * Determines whether the doc values skipper (sparse index) should be used for the {@code @timestamp} field.
      * <p>
      * The doc values skipper is enabled only if {@code index.mapping.use_doc_values_skipper} is set to {@code true},
-     * the index was created on or after {@link IndexVersions#REENABLED_TIMESTAMP_DOC_VALUES_SPARSE_INDEX}, and the
+     * the index was created on or after {@link IndexVersions#SKIPPERS_ENABLED_BY_DEFAULT}, and the
      * field has doc values enabled. Additionally, the index mode must be {@link IndexMode#LOGSDB} or {@link IndexMode#TIME_SERIES}, and
      * the index sorting configuration must include the {@code @timestamp} field.
      *
@@ -1109,9 +1109,8 @@ private DateFieldMapper(
      * @param fullFieldName  The full name of the field being checked, expected to be {@code @timestamp}.
      * @return {@code true} if the doc values skipper should be used, {@code false} otherwise.
      */
-
     private static boolean shouldUseDocValuesSkipper(IndexSettings indexSettings, boolean hasDocValues, final String fullFieldName) {
-        return indexSettings.getIndexVersionCreated().onOrAfter(IndexVersions.REENABLED_TIMESTAMP_DOC_VALUES_SPARSE_INDEX)
+        return indexSettings.getIndexVersionCreated().onOrAfter(IndexVersions.SKIPPERS_ENABLED_BY_DEFAULT)
             && indexSettings.useDocValuesSkipper()
             && hasDocValues
             && (IndexMode.LOGSDB.equals(indexSettings.getMode()) || IndexMode.TIME_SERIES.equals(indexSettings.getMode()))