What’s new in Elastic 9.4
Elastic 9.4 continues to reinforce the Elasticsearch Platform's role as the context and retrieval layer for AI workloads, while dramatically expanding its capabilities in metrics and time-series analysis.
The Elastic Platform
ES|QL continues to advance, notably adding:
- Subqueries: Combine independent pipelines in a single statement.
- Logical Views: Define complex query logic once for reuse across dashboards and alerts.
- JSON Function Extraction: Pull specific elements from any JSON-mapped field without reindexing.
- Access to All Ingested Fields: Query fields missed at mapping time, eliminating the "ignorance cliff".
Here is an example of subqueries:
FROM
  (
    FROM kibana_sample_data_ecommerce
    | WHERE taxful_total_price >= 1000
    | EVAL ts = order_date
    | EVAL domain = "business"
    | EVAL summary = CONCAT("Large order from ", customer_full_name)
    | KEEP ts, domain, summary
  ),
  (
    FROM kibana_sample_data_logs
    | WHERE response >= "500"
    | EVAL ts = @timestamp
    | EVAL domain = "operations"
    | EVAL summary = CONCAT("Server error on ", host, " - ", request)
    | KEEP ts, domain, summary
  )
| SORT ts
| LIMIT 100
The result combines business data and operational data in a single timeline:
ts                      |domain         |summary
------------------------+---------------+-----------------------------------------------------------------------------------
2026-04-27T06:16:12.000Z|business       |Large order from Wagdi Shaw
2026-04-27T07:21:43.501Z|operations     |Server error on www.elastic.co - /beats
2026-04-27T07:55:24.154Z|operations     |Server error on www.elastic.co - /app-search
2026-04-27T10:01:54.933Z|operations     |Server error on artifacts.elastic.co - /apm-server/apm-server-6.3.2-windows-x86.zip
2026-04-27T11:31:39.847Z|operations     |Server error on artifacts.elastic.co - /beats/metricbeat/metricbeat-6.3.2-amd64.deb
2026-04-27T13:11:54.457Z|operations     |Server error on artifacts.elastic.co - /beats/metricbeat/metricbeat-6.3.2-i686.rpm
2026-04-27T13:21:36.244Z|operations     |Server error on www.elastic.co - /
2026-04-27T14:02:56.566Z|operations     |Server error on artifacts.elastic.co - /apm-server/apm-server-6.3.2-amd64.deb
2026-04-27T16:05:56.195Z|operations     |Server error on cdn.elastic-elastic-elastic.org - /styles/ad-blocker.css
2026-04-27T16:18:02.028Z|operations     |Server error on cdn.elastic-elastic-elastic.org - /styles/ad-blocker.css
2026-04-27T19:36:37.755Z|operations     |Server error on www.elastic.co - /enterprise
VectorDB Enhancements: Speed and Efficiency
- DiskBBQ updates have improved Elasticsearch's vector indexing and search algorithm. Query latency is now improved by at least 3x for queries with restrictive filters. Performance of vector comparisons is enhanced via extensive use of native code.
- GPU-accelerated vector indexing graduates to General Availability. By integrating NVIDIA cuVS, self-managed customers can expect up to a 12x improvement in indexing throughput and 7x faster force merging.
- Quantization: It is now possible to use DiskBBQ to quantize vectors to elements of 2, 4, and 7 bits, enabling better recall when single-bit quantization is insufficient.
PUT bbq_disk-index
{
  "mappings": {
    "properties": {
      "my_vector": {
        "type": "dense_vector",
        "dims": 64,
        "index": true,
        "index_options": {
          "type": "bbq_disk",
          "bits": 2 // Just change the value here to be 2, 4 or 7
        }
      }
    }
  }
}
On the Kibana side:
- AI-Powered Dashboard Creation: Analysts can describe desired dashboards in natural language for iterative, conversational building.
- Agent Builder has been extended with new primitives to optimize context management, ensuring agents acquire context, use it efficiently, and act effectively. New capabilities include native support for Skills, Attachments, Connectors, and Plugins. Context management is improved through query result offloading, compaction, and summarization, delivering better performance and cost-efficiency for long, multi-turn interactions.
- Dashboards as Code: Platform teams can manage dashboards as version-controlled, code-reviewable assets deployed through CI/CD pipelines:
POST kbn:/api/dashboards
{
  "title": "My first API dashboard",
  "panels": [
    {
      "grid": {
        "x": 0,
        "y": 0,
        "w": 24,
        "h": 10
      },
      "type": "vis",
      "config": {
        "type": "xy",
        "title": "Total log entries over time",
        "layers": [
          {
            "type": "line",
            "data_source": {
              "type": "esql",
              "query": "FROM kibana_sample_data_logs | STATS count = COUNT() BY BUCKET(@timestamp, 75, ?_tstart, ?_tend)"
            },
            "x": {
              "column": "BUCKET(@timestamp, 75, ?_tstart, ?_tend)"
            },
            "y": [
              {
                "column": "count"
              }
            ]
          }
        ],
        "axis": {
          "x": {
            "title": {
              "visible": false
            }
          }
        }
      }
    }
  ]
}
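Dashboards deployed through a pipeline carry their own ES|QL, so the pipeline is a natural place to check which indices they read. The following is an added example, not code from Elastic: a pre-deployment check that walks a dashboard payload shaped like the request above, extracts every ES|QL query (including FROM clauses inside subqueries) and reports any source outside an allow-list. The allow-list, the `hr_payroll` index and the trimmed payloads are made up for the example, and only FROM sources are inspected.

```python
import re

# Assumed policy for this example: the only indices dashboards may read.
ALLOWED_SOURCES = {"kibana_sample_data_logs"}

_STRINGS = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"')
_FROM = re.compile(r'(?:^|\()\s*FROM\s+([^|()]+)', re.IGNORECASE)
_METADATA = re.compile(r'\bMETADATA\b', re.IGNORECASE)

def esql_sources(query):
    """Index names given to FROM, including FROM inside subqueries."""
    bare = _STRINGS.sub('""', query)  # keep "... from ..." literals out of the parse
    sources = set()
    for clause in _FROM.findall(bare):
        names = _METADATA.split(clause)[0]
        sources.update(n.strip() for n in names.split(",") if n.strip())
    return sources

def esql_queries(node):
    """Yield every ES|QL query string in a dashboard payload, at any depth."""
    if isinstance(node, dict):
        if node.get("type") == "esql" and isinstance(node.get("query"), str):
            yield node["query"]
        for value in node.values():
            yield from esql_queries(value)
    elif isinstance(node, list):
        for item in node:
            yield from esql_queries(item)

def lint_dashboard(payload):
    """Return violations; an empty list means the dashboard may be deployed."""
    problems = []
    for query in esql_queries(payload):
        sources = esql_sources(query)
        if not sources:  # fail closed on anything this check cannot parse
            problems.append(f"no FROM source recognised: {query[:40]!r}")
        problems += [f"source not on allow-list: {s}" for s in sorted(sources - ALLOWED_SOURCES)]
    return problems

def panel(query):
    """Constructed payload, trimmed to the fields this check reads."""
    return {"title": "t", "panels": [{"type": "vis", "config": {"layers": [
        {"type": "line", "data_source": {"type": "esql", "query": query}}]}}]}

GOOD = panel("FROM kibana_sample_data_logs | STATS count = COUNT()")
BAD = panel('FROM (FROM kibana_sample_data_logs | EVAL s = CONCAT("error from ", host) | KEEP s),'
            ' (FROM hr_payroll | EVAL s = name | KEEP s) | LIMIT 10')  # hr_payroll is made up

print(lint_dashboard(GOOD), lint_dashboard(BAD))
```

In a pipeline the payload would come from `json.load` on the version-controlled dashboard file, and a non-empty result would fail the build before the `POST kbn:/api/dashboards` step runs.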
Elastic Observability: Consolidate Logs and Metrics
- Elasticsearch TSDB Performance Improvements deliver a significant storage reduction, making it 2.6x more efficient than Prometheus. Query performance is also improved, up to 25x faster than Prometheus and Mimir.
- ES|QL time-series support enables large-scale time-series analysis with expanded aggregation functions: rate, changes, cumulative, trange, and clamp.
- Native Prometheus and PromQL support allows shipping Prometheus metrics directly to Elasticsearch and executing PromQL queries in Kibana.
// Pipe PromQL results into ES|QL commands for further aggregation
PROMQL index=k8s step=1h bytes=(max by (cluster) (network.bytes_in))
| STATS max_bytes=MAX(bytes) BY cluster
| SORT cluster
Elastic Security: Native Automation and Identity Resolution
This release solves identity noise at the data model level by providing one authoritative record per person:
- Precision Entity Identification: Unifies disparate logs into high-confidence, verified identity profiles.
- Entity Resolution: Consolidates fragmented digital accounts (e.g., Okta, Entra) into a single unified employee record.
- Dynamic Watchlists: Injects risk-score multipliers for high-value entities, making organizational context a first-class input to risk scoring.
- Entity-Driven Hunting Leads: Shifts hunting from reactive to proactive by surfacing risk-based leads tailored to behavioral patterns.
Endpoint investigation depth is extended through the Runscript Response Action and Script Library, the Memory Dump Response Action for Linux, Osquery Enhancements, the Jumplists Osquery Table Extension, and Forensic Query Packs.
Elastic 9.4 is available now on Elastic Cloud and for self-managed deployments.

