Kibana advanced settings

Serverless Stack

Advanced Settings control the behavior of Kibana. You can change the settings that apply to a specific space only, or to all of Kibana. For example, you can change the format used to display dates, specify the default data view, and apply your own branding.

Warning

Changing a setting can affect Kibana performance and cause problems that are difficult to diagnose. Setting a property value to a blank field reverts to the default behavior, which might not be compatible with other configuration settings. Deleting a custom setting permanently removes it from Kibana.

Settings on this page are ordered as they appear in Kibana.

Required permissions

You must have the Advanced Settings Kibana privilege to access the Advanced Settings page.

When you have insufficient privileges to edit advanced settings, the edit options are not visible, and the following indicator shows:

To add the privilege, go to the Roles management page using the navigation menu or the global search field.

For more information on granting access to Kibana, refer to Granting access to Kibana.

Change the space-specific setting

Change the settings that apply only to a specific Kibana space.

Go to the Advanced settings page using the navigation menu or the global search field.
Click Space Settings.
Scroll or search for the setting.
Make your change, then click Save changes.

General

hideAnnouncements Stack Serverless Unavailable

Stops showing messages and tours that highlight new features. false by default.

dateFormat Stack Serverless Unavailable

The format to use for displaying pretty formatted dates.

dateFormat:tz Stack Serverless

The timezone that Kibana uses. Browser by default, which uses the timezone detected by the browser.

dateFormat:scaled Stack Serverless

The values that define the format to use to render ordered time-based data. Formatted timestamps must adapt to the interval between measurements. Keys are ISO8601 intervals.

dateFormat:dow Stack Serverless

The day that a week should start on.

dateNanosFormat Stack Serverless

The format to use for displaying pretty formatted dates of Elasticsearch date_nanos type.

theme:darkMode Stack Deprecated 9.0.0 Serverless Unavailable

The UI theme that the Kibana UI should use. Set to enabled or disabled to enable or disable the dark theme. Set to system to have the Kibana UI theme follow the system theme. You must refresh the page to apply the setting.

state:storeInSessionStorage Stack Preview Serverless Unavailable

Kibana tracks UI state in the URL, which can lead to problems when there is a lot of state information, and the URL gets long. Enabling this setting stores part of the URL in your browser session to keep the URL short.

savedObjects:perPage Stack Serverless Unavailable

The number of objects to show on each page of the list of saved objects. 20 by default.

savedObjects:listingLimit Stack Serverless Unavailable

The number of objects to fetch for lists of saved objects. 1000 by default. Do not set above 10000.

csv:separator Stack Serverless Unavailable

The separator for exported values. , by default.

csv:quoteValues Stack Serverless

Quotes exported values in CSV exports when activated. true by default.

shortDots:enable Stack Serverless Unavailable

Shortens long field names in visualizations. For example, shows f.b.baz instead of foo.bar.baz. false by default.

format:defaultTypeMap Stack Serverless Unavailable

A map of the default format name for each field type. Field types that are not explicitly mentioned use "default".

format:number:defaultPattern Stack Serverless

The numeral pattern for the "number" format. 0,0.[000] by default.

format:percent:defaultPattern Stack Serverless

The numeral pattern for the "percent" format. 0,0.[000]% by default.

format:bytes:defaultPattern Stack Serverless

The default numeral pattern format for the "bytes" format. 0,0.[0]b by default.

format:currency:defaultPattern Stack Serverless

The default numeral pattern format for the "currency" format. ($0,0.[00]) by default.

format:number:defaultLocale Stack Serverless

The numeral pattern locale. en by default.

data_views:fields_excluded_data_tiers Stack Serverless Unavailable

Allows the exclusion of listed data tiers when getting a field list for faster performance.

data_views:cache_max_age Stack Serverless Unavailable

Sets how long data view fields API requests are cached in seconds. A value of 0 turns off caching. Modifying this value might not take immediate effect, users need to clear browser cache or wait until the current cache expires. To get immediate changes, try a hard reload of Kibana. 5 by default.

metaFields Stack Serverless

Fields that exist outside of _source. Kibana merges these fields into the document when displaying it. _source, _id, _index, _score, _ignored by default.

query:queryString:options Stack Serverless Unavailable

Options for the Lucene query string parser. Only used when search:queryLanguage is set to Lucene.

query:allowLeadingWildcards Stack Serverless Unavailable

Allows a wildcard (*) as the first character in a query clause. To disallow leading wildcards in Lucene queries, use query:queryString:options. True by default.

search:queryLanguage Stack Serverless Unavailable

The query language to use in the query bar. Choices are KQL(default), a language built specifically for Kibana, and the Lucene query syntax.

sort:options Stack Serverless Unavailable

Options for the Elasticsearch sort parameter.

defaultIndex Stack Serverless

The default data view to access if none is set in Discover and Dashboards. null by default.

histogram:barTarget Stack Serverless Unavailable

When date histograms use the auto interval, Kibana attempts to generate this number of bars. 50 by default.

histogram:maxBars Stack Serverless Unavailable

Limits the density of date and number histograms across Kibana using a test query to improve performance. When the test query contains too many buckets, the interval between buckets increases. Applies separately to each histogram aggregation, and does not apply to other types of aggregations. To find the maximum value, divide the Elasticsearch search.max_buckets value by the maximum number of aggregations in each visualization. 1000 by default.

history:limit Stack Serverless Unavailable

In fields that have history, such as query inputs, shows this many recent values. 10 by default.

timepicker:refreshIntervalDefaults Stack Serverless Unavailable

The default refresh interval for the time filter. Specify the value parameter in milliseconds. {"pause": true, "value": 60000} by default.

timepicker:timeDefaults Stack Serverless

The default selection in the time filter. Must be an object containing "from" and "to" (refer to accepted formats). {"from": "now-15m", "to": "now"} by default.

timepicker:quickRanges Stack Serverless

The list of ranges to show in the Quick section of the time filter. This must be an array of objects, with each object containing from, to (refer to accepted formats), and display (the title to be displayed).

filters:pinnedByDefault Stack Serverless

Makes filters have a global state and be pinned by default when activated. false by default.

filterEditor:suggestValues Stack Serverless Unavailable

Enables the filter editor and KQL autocomplete to suggest values for fields. true by default.

defaultRoute Stack Serverless Observability

The default route when opening Kibana. Use this setting to route users to a specific dashboard, application, or saved object as they enter each space.

fileUpload:maxFileSize Stack Serverless Unavailable

Sets the file size limit when importing files. 100MB by default. The highest supported value for this setting is 1GB.

enableESQL Stack Serverless Unavailable

Enables ES|QL in Kibana. true by default.

When deactivated, hides the ES|QL user interface from various applications. However, users can still access existing ES|QL-based Discover sessions, visualizations, and other objects.

metrics:max_buckets Stack Serverless Unavailable

Affects the TSVB histogram density. Must be set higher than histogram:maxBars. 2000 by default.

metrics:allowStringIndices Stack Serverless Unavailable

Enables you to use Elasticsearch indices in TSVB visualizations. false by default.

agentBuilder:enabled Stack Preview 9.2.0 Serverless Elasticsearch Preview

Enables Elastic Agent Builder.

Stack false by default.
Serverless Elasticsearch true by default.

fields:popularLimit Stack Serverless Unavailable

The top N most popular fields to show. 10 by default.

aiAssistant:preferredAIAssistantType Stack 9.1.0 Serverless Unavailable

This setting allows you to choose which AI Assistants are available to use and where. You can choose to only show the AI Assistants in their solutions, in other Kibana applications (for example, Discover, Dashboards, and Stack Management pages), or nowhere.

Note Stack 9.2.0

Configure the aiAssistant:preferredAIAssistantType setting from the GenAI Settings page, which you can find using the Classic navigation menu or the global search field. Note that this setting is unavailable from the GenAI Settings page when using a solution view.

Presentation Labs

labs:dashboard:deferBelowFold Stack Serverless Unavailable: Enables deferred loading of dashboard panels below the fold. Below the fold refers to panels that are not immediately visible when you open a dashboard, but become visible as you scroll. false by default.
labs:canvas:byValueEmbeddable Stack Serverless Unavailable: Enables support for by-value embeddables in Canvas. true by default.
labs:dashboard:enable_ui Stack Serverless Unavailable: Provides access to the experimental Labs features for Dashboard when activated. false by default.
labs:canvas:enable_ui Stack Serverless Unavailable: Provides access to the experimental Labs features for Canvas when activated. false by default.

Accessibility

accessibility:disableAnimations Stack Serverless: Turns off all optional animations in the Kibana UI. Refresh the page to apply the changes. false by default.

Autocomplete

autocomplete:valueSuggestionMethod Stack Serverless Unavailable

The method to retrieve values for KQL autocomplete suggestions. terms_enum by default.

When set to terms_enum, autocomplete uses the terms enum API for value suggestions. Kibana returns results faster, but suggestions are approximate, sorted alphabetically, and can be outside the selected time range. (Note that this API is incompatible with Document-Level-Security.)
When set to terms_agg, Kibana uses a terms aggregation for value suggestions, which is slower, but suggestions include all values that optionally match your time range and are sorted by popularity.

autocomplete:useTimeRange Stack Serverless Unavailable

When off, autocomplete suggestions come from your data set instead of the time range. true by default.

Banners

Note

Banners are a subscription feature.

banners:placement Stack Serverless: The placement of the banner for this space. Set to Top to display a banner above the Elastic header. Uses the value of the xpack.banners.placement configuration property by default.
banners:textContent Stack Serverless: The text to display inside the banner for this space, either plain text or Markdown. Uses the value of the xpack.banners.textContent configuration property by default.
banners:textColor Stack Serverless: The color for the banner text for this space. Uses the value of the xpack.banners.textColor configuration property by default.
banners:linkColor Stack 9.1.0 Serverless Unavailable: The color for the banner link text for this space. Uses the value of the xpack.banners.linkColor configuration property by default.
banners:backgroundColor Stack Serverless: The color of the banner background for this space. Uses the value of the xpack.banners.backgroundColor configuration property by default.

Discover

doc_table:highlight Stack Serverless Unavailable: Highlights search results in Discover and Discover session panels on dashboards. Highlighting slows requests when working on large documents. true by default.
defaultColumns Stack Serverless: The columns that appear by default on the Discover page. When empty, displays a summary of the document. Empty by default.
discover:maxDocFieldsDisplayed Stack Serverless Unavailable: Specifies the maximum number of fields to show in the document column of the Discover table. 200 by default.
discover:sampleSize Stack Serverless Unavailable: Sets the maximum number of rows for the entire document table. This is the maximum number of documents fetched from Elasticsearch. 500 by default.
discover:sampleRowsPerPage Stack Serverless Unavailable: Limits the number of rows per page in the document table. 100 by default.
discover:sort:defaultOrder Stack Serverless Unavailable: The default sort direction for time-based data views. Descending by default.
discover:searchOnPageLoad Stack Serverless Unavailable: Controls whether a search runs when Discover first loads. This setting does not have an effect when loading a saved Discover session. true by default.
doc_table:hideTimeColumn Stack Serverless Unavailable: Hides the "Time" column in Discover and in all Discover session panels on dashboards. false by default.
context:defaultSize Stack Serverless Unavailable: The number of surrounding entries to display in the context view. 5 by default.
context:step Stack Serverless Unavailable: The number by which to increment or decrement the context size. 5 by default.
context:tieBreakerFields Stack Serverless Unavailable: A comma-separated list of fields to use for breaking a tie between documents that have the same timestamp value. The first field that is present and sortable in the current data view is used. _doc by default.
discover:modifyColumnsOnSwitch Stack Serverless Unavailable: Removes columns that are not in the newly selected data view when changing data views. true by default.
discover:showFieldStatistics Stack Beta: Enables the Field statistics view. Examine details such as the minimum and maximum values of a numeric field or a map of a geo field. true by default.
discover:showMultiFields Stack Serverless Unavailable: Controls the display of multi-fields in the expanded document view. This option is only available when searchFieldsFromSource is off. false by default.
discover:rowHeightOption Stack Serverless Unavailable: The number of lines to allow in a row. A value of -1 automatically adjusts the row height to fit the contents. A value of 0 displays the content in a single line. 3 by default.

Machine Learning

ml:anomalyDetection:results:enableTimeDefaults Stack Serverless Observability Serverless Security: Uses the default time filter in the Single Metric Viewer and Anomaly Explorer when activated. When deactivated, shows results for the full time range. false by default.
ml:anomalyDetection:results:timeDefaults Stack Serverless Observability Serverless Security: The default time filter for viewing anomaly detection job results. Must contain from and to values (refer to accepted formats). Ignored unless the ml:anomalyDetection:results:enableTimeDefaults setting is activated. {"from": "now-15m", "to": "now"} by default.

Notifications

notifications:banner Stack Serverless: A custom banner intended for temporary notices to all users. Supports Markdown syntax.
notifications:lifetime:banner Stack Serverless: The duration, in milliseconds, for banner notification displays. 3000000 by default.
notifications:lifetime:error Stack Serverless: The duration, in milliseconds, for error notification displays. 300000 by default.
notifications:lifetime:warning Stack Serverless: The duration, in milliseconds, for warning notification displays. 10000 by default.
notifications:lifetime:info Stack Serverless: The duration, in milliseconds, for information notification displays. 5000 by default.

Observability

ai:anonymizationSettings Stack Preview Serverless Observability Preview Serverless Elasticsearch Preview

List of anonymization rules for AI Assistant. Includes rules for Named Entity Recognition (NER) models and regular expression patterns to identify and anonymize sensitive data.

		{
  "rules": [
    {
      "entityClass": "EMAIL",
      "type": "RegExp",
      "pattern": "([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})",
      "enabled": false
    },
    {
      "type": "NER",
      "modelId": "elastic__distilbert-base-uncased-finetuned-conll03-english",
      "enabled": false,
      "allowedEntityClasses": [
        "PER",
        "ORG",
        "LOC"
      ],
      "timeoutSeconds": 30
    }
  ]
}
		
	

observability:logSources Stack Serverless Observability

Sources to use for logs data. If the data of these indices is not logs data, you can experience degraded functionality. Changes to this setting can potentially impact the sources queried in Log Threshold rules. logs-*-*, logs-*, filebeat-* by default.

observability:streamsEnableContentPacks Stack Preview Serverless Observability Preview

Enable Streams content packs. false by default.

observability:aiAssistantSimulatedFunctionCalling Stack Preview Serverless Observability Preview Serverless Elasticsearch Preview

Simulated function calling does not need API support for functions or tools, but it can decrease performance. Currently always activated for connectors that do not have API support for Native function calling. false by default.

observability:aiAssistantSearchConnectorIndexPattern Stack Preview Serverless Observability Serverless Elasticsearch

Index pattern used by the AI Assistant when querying search connectors indices (part of the knowledge base). Empty by default: the index for every search connector is queried.

observability:newLogsOverview Stack Preview Serverless Observability Preview

Enable the new logs overview experience. true by default.

observability:enableInspectEsQueries Stack Serverless Observability

When activated, allows you to inspect Elasticsearch queries in API responses. false by default.

observability:maxSuggestions Stack Serverless Unavailable

Maximum number of suggestions fetched in autocomplete selection boxes. 100 by default.

observability:enableComparisonByDefault Stack Serverless Observability

Enables the comparison feature by default in the APM app. true by default.

observability:apmDefaultServiceEnvironment Stack Serverless Observability

The default environment for the APM app. When left empty, displays data from all environments by default. Empty by default.

observability:apmProgressiveLoading Stack GA 9.1.0 Serverless Observability

Enables progressive loading of some APM views. Data can be requested with a lower sampling rate first, with lower accuracy but faster response times, while the unsampled data loads in the background. Off by default.

observability:apmServiceInventoryOptimizedSorting Stack Removed 9.1.0

Sort services without anomaly detection rules on the APM Service inventory page by service name. false by default.

observability:apmServiceGroupMaxNumberOfServices Stack Serverless Observability

Limit the number of services in a given service group. 500 by default.

observability:apmTraceExplorerTab Stack Removed 9.1.0

Enable the APM Trace Explorer feature, that allows you to search and inspect traces with KQL or EQL. true by default.

observability:apmLabsButton Stack Removed 9.1.0 Serverless Unavailable

Activates the APM Labs button, a quick way to enable and disable technical preview features in APM. false by default.

observability:enableInfrastructureProfilingIntegration Stack Removed 9.1.0

Enables the Profiling view in Host details within Infrastructure. true by default.

observability:enableInfrastructureAssetCustomDashboards Stack Removed 9.1.0

Enables the option to link custom dashboards in the Asset Details view. false by default.

observability:enableAwsLambdaMetrics Stack Removed 9.1.0

Display Amazon Lambda metrics in the service metrics tab. true by default.

observability:apmAgentExplorerView Stack Removed 9.1.0 Serverless Unavailable

Enable the Agent explorer view. true by default.

observability:apmEnableTableSearchBar Stack Preview Serverless Observability Preview

Enables faster searching in APM tables by adding a handy search bar with live filtering. Available for the following tables: Services, Transactions, and Errors. true by default.

observability:apmEnableServiceInventoryTableSearchBar Stack Preview Serverless Observability Preview

Enables faster searching in the APM Service inventory table by adding a handy search bar with live filtering. true by default.

observability:apmAWSLambdaPriceFactor Stack Serverless Observability

Set the price per Gb-second for your AWS Lambda functions. {"x86_64": 0.0000166667,"arm": 0.0000133334} by default.

observability:apmAWSLambdaRequestCostPerMillion Stack Serverless Observability

Set the AWS Lambda cost per million requests. 0.2 by default.

observability:apmEnableServiceMetrics Stack Removed 9.1.0 Serverless Unavailable

Enable the usage of service transaction metrics, which are low cardinality metrics that can be used by certain views like the service inventory for faster loading times. true by default.

observability:apmEnableContinuousRollups Stack Removed 9.1.0 Serverless Unavailable

When continuous rollups is activated, the UI selects metrics with the appropriate resolution. On larger time ranges, lower resolution metrics are used, which improves loading times. true by default.

observability:apmEnableCriticalPath Stack Removed 9.1.0 Serverless Unavailable

When activated, displays the critical path of a trace. false by default.

observability:syntheticsThrottlingEnabled Stack Preview Serverless Unavailable

Enable the throttling setting in Synthetics monitor configurations. Throttling might still not be available for your monitors even if the setting is active. false by default.

Warning

This setting is intended for Elastic-internal use only. Learn more

observability:enableLegacyUptimeApp Stack Serverless Unavailable

By default, the legacy Uptime app is hidden from the interface when it doesn't have any data for more than a week. Enabling this option always shows it. false by default.

observability:apmEnableProfilingIntegration Stack Removed 9.1.0 Serverless Unavailable

Enable the Universal Profiling integration in APM. true by default.

observability:profilingShowErrorFrames Stack Serverless Unavailable

Show error frames in the Universal Profiling views to indicate stack unwinding failures. false by default.

observability:profilingPervCPUWattX86 Stack Serverless Unavailable

The average amortized per-core power consumption (based on 100% CPU utilization) for x86 architecture. 7 by default.

observability:profilingPervCPUWattArm64 Stack Serverless Unavailable

The average amortized per-core power consumption (based on 100% CPU utilization) for arm64 architecture. 2,8 by default.

observability:profilingDatacenterPUE Stack Serverless Unavailable

Data center power usage effectiveness (PUE) measures how efficiently a data center uses energy. 1.7 by default, the average on-premise data center PUE according to the Uptime Institute survey.

observability:profilingCo2PerKWH Stack Serverless Unavailable

Carbon intensity measures how clean your data center electricity is. Specifically, it measures the average amount of CO2 emitted per kilowatt-hour (kWh) of electricity consumed in a particular region. Use the cloud carbon footprint data sheet to update this value according to your region. Defaults to US East (N. Virginia).

observability:profilingAWSCostDiscountRate Stack Serverless Unavailable

If you're enrolled in the AWS Enterprise Discount Program (EDP), enter your discount rate to update the profiling cost calculation. Empty by default.

observability:profilingAzureCostDiscountRate Stack Serverless Unavailable

If you have an Azure Enterprise Agreement with Microsoft, enter your discount rate to update the profiling cost calculation. Empty by default.

observability:profilingCostPervCPUPerHour Stack Serverless Unavailable

Default Hourly Cost per CPU Core for machines not on AWS or Azure. 0,0425 by default.

observability:apmEnableTransactionProfiling Stack Serverless Unavailable

Enables Universal Profiling on Transaction view. true by default.

observability:profilingFetchTopNFunctionsFromStacktraces Stack Removed 9.1.0 Serverless Unavailable

Switch to fetch the TopN Functions from the Stacktraces API. false by default.

observability:searchExcludedDataTiers Stack Preview Serverless Unavailable

Specify the data tiers to exclude from search, such as data_cold or data_frozen. When configured, indices allocated in the selected tiers are ignored from search requests. Affected apps: APM, Infrastructure. Empty by default.

observability:enableDiagnosticMode Stack Preview Serverless Observability Preview

Enable diagnostic mode for debugging and troubleshooting capabilities. Currently available only in the Service map view. false by default.

observability:streamsEnableSignificantEvents Stack Preview Serverless Observability Preview

Enable streams significant events. false by default.

Reporting

xpackReporting:customPdfLogo Stack Serverless Unavailable: A custom image to use in the footer of the PDF. None by default.

Rollup

Warning - Rollups were deprecated in 8.11.0.

Rollups are deprecated and will be removed in a future version. Use downsampling instead.

rollups:enableIndexPatterns Stack Deprecated 8.15.0 Serverless Unavailable: Enables the creation of data views that capture rollup indices, which in turn enables visualizations based on rollup data. Refresh the page to apply the changes.

Elasticsearch

courier:ignoreFilterIfFieldNotInIndex Stack Serverless Elasticsearch

Enhances support for dashboards containing visualizations accessing several dissimilar data views. When activated, filters are ignored for a visualization when the visualization's data view does not contain the filtering field. When deactivated, all filters are applied to all visualizations. false by default.

courier:setRequestPreference Stack Serverless Unavailable

Sets which shards handle your search requests.

Session ID (default): Restricts operations to execute all search requests on the same shards. This has the benefit of reusing shard caches across requests.
Custom: Allows you to define your own preference. Use courier:customRequestPreference to customize your preference value.
None: Do not set a preference. This might provide better performance because requests can be spread across all shard copies. However, results might be inconsistent because different shards might be in different refresh states.

courier:customRequestPreference Stack Serverless Unavailable

Request preference to use when courier:setRequestPreference uses custom. _local by default.

courier:maxConcurrentShardRequests Stack Serverless Unavailable

Controls the max_concurrent_shard_requests setting used for _msearch requests sent by Kibana. Set to 0 to disable this config and use the Elasticsearch default. 0 by default.

search:includeFrozen Stack Deprecated 7.16.0 Serverless Unavailable

Includes frozen indices in results. Searching through frozen indices might increase the search time. false by default.

search:timeout Stack Serverless Unavailable

The maximum timeout, in milliseconds, for search requests. To deactivate the timeout and allow queries to run to completion, set to 0. 600000 (10 minutes) by default.

Security solution

securitySolution:refreshIntervalDefaults Stack Serverless Security

The default refresh interval for the Security time filter, in milliseconds. 300000 by default.

securitySolution:timeDefaults Stack Serverless Security

The default period of time of the Security solution time filter. {"from": "now/d","to": "now/d"} by default.

securitySolution:defaultIndex Stack Serverless Security

A comma-delimited list of Elasticsearch indices from which the Elastic Security app collects events.

apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, logs-*, packetbeat-*, traces-apm*, winlogbeat-*, -*elastic-cloud-logs-*

by default.

securitySolution:defaultThreatIndex Stack Serverless Security

A comma-delimited list of Threat Intelligence indices from which the Elastic Security app collects indicators. logs-ti_* by default.

securitySolution:defaultAnomalyScore Stack Serverless Security

The threshold above which machine learning job anomalies are displayed in the Elastic Security app. The value must be between 0 and 100. 50 by default.

securitySolution:enableNewsFeed Stack Serverless Security

Enables the security news feed on the Security Overview page. true by default.

securitySolution:excludeColdAndFrozenTiersInAnalyzer Stack Serverless Unavailable

Skips cold and frozen tiers in Analyzer's queries when activated. false by default.

securitySolution:enableGraphVisualization Stack Preview Serverless Security Preview

Enables the Graph Visualization feature within the Security solution. false by default.

securitySolution:enableAssetInventory Stack Preview Serverless Security Preview

Enables the Asset Inventory experience within the Security solution. When activated, you can access the Inventory feature through the Security solution navigation. false by default.

Note

Disabling this setting will not disable the Entity Store or clear persistent Entity metadata. To manage or disable the Entity Store, visit the Entity Store Management page.

securitySolution:enableCloudConnector Stack Preview Serverless Security Preview

Enables the Cloud Connector experience within the Security solution. true by default.

securitySolution:rulesTableRefresh Stack Serverless Security

Enables auto refresh on the rules and monitoring tables, in milliseconds. {"on": true,"value": 60000} by default.

securitySolution:newsFeedUrl Stack Serverless Security

The URL to retrieve the security news feed content from. https://feeds.elastic.co/security-solution by default.

securitySolution:ipReputationLinks Stack Serverless Security

A JSON array containing links for verifying the reputation of an IP address. The links are displayed on IP detail pages.

		[
  { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" },
  { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" }
]
		
	

securitySolution:enableCcsWarning Stack Serverless Unavailable

Enables privilege check warnings in rules for CCS indices. true by default.

securitySolution:suppressionBehaviorOnAlertClosure Stack Serverless Security

If an alert is closed while suppression is active, you can choose whether suppression continues or resets. Restart suppression by default.

securitySolution:showRelatedIntegrations Stack Serverless Security

Shows related integrations on the rules and monitoring tables. true by default.

securitySolution:alertTags Stack Serverless Security

List of tag options for use with alerts generated by Security Solution rules. Duplicate, False Positive, Further investigation required by default.

securitySolution:excludedDataTiersForRuleExecution Stack Serverless Security

Specifies data tiers to exclude from searching during rule execution. Excludes events from the specified data tiers, which might help improve rule performance or reduce execution time. For example: data_frozen,data_cold. Empty by default.

securitySolution:enablePrivilegedUserMonitoring Stack Preview Serverless Unavailable

Enables the privileged user monitoring dashboard and onboarding experience, which are in technical preview. true by default.

securitySolution:enableEsqlRiskScoring Stack Preview Serverless Unavailable

Enables risk scoring based on ES|QL queries. Disabling this reverts to using scripted metrics. true by default.

securitySolution:defaultAIConnector Stack Unavailable Serverless Security

Default AI connector for serverless AI features (Elastic AI SOC Engine). Elastic Managed LLM by default.

securitySolution:defaultValueReportMinutes Stack Unavailable Serverless Security

The average review time in minutes for an analyst to review an alert. Used for calculations in the Value report. 8 by default.

securitySolution:defaultValueReportRate Stack Unavailable Serverless Security

The average hourly rate for a security analyst. Used for calculations in the Value report. 75 by default.

securitySolution:defaultValueReportTitle Stack Unavailable Serverless Security

The title of the Value report. Elastic AI value report by default.

Timelion

timelion:es.timefield Stack Serverless Unavailable: The default field containing a timestamp when using the .es() query. @timestamp by default.
timelion:es.default_index Stack Serverless Unavailable: The default index when using the .es() query. _all by default.
timelion:target_buckets Stack Serverless Unavailable: Used for calculating automatic intervals in visualizations, this is the number of buckets to try to represent. 200 by default.
timelion:max_buckets Stack Serverless Unavailable: The maximum number of buckets a single data source can return. This value is used for calculating automatic intervals in visualizations. 2000 by default.
timelion:min_interval Stack Serverless Unavailable: The smallest interval to calculate when using "auto". 1ms by default.

Visualization

visualization:heatmap:maxBuckets Stack Serverless Unavailable: The maximum number of buckets a datasource can return. High numbers can have a negative impact on your browser rendering performance. 50 by default.
visualization:visualize:legacyHeatmapChartsLibrary Stack Deprecated Serverless Unavailable: Enables legacy charts library for heatmap charts in visualize. false by default.
visualization:useLegacyTimeAxis Stack Removed 9.1.0 Serverless Unavailable: Enables the legacy time axis for charts in Lens, Discover, Visualize, and TSVB. true by default.

Developer tools

devTools:enablePersistentConsole Stack Serverless Elasticsearch: Enables a persistent console in the Kibana UI. This setting does not affect the standard Console in Dev Tools. true by default.

Change the global settings

Serverless Unavailable Stack

Change the settings that apply to all of Kibana.

Go to the Advanced settings page using the navigation menu or the global search field.
Click Global Settings.
Scroll or search for the setting.
Make your change, then click Save changes.

Custom branding

Note

Custom branding is a subscription feature.

xpackCustomBranding:logo Stack Serverless Unavailable: A custom image that appears in the header of all Kibana pages. Images must have a transparent background, and 128x128 pixels or smaller.
xpackCustomBranding:customizedLogo Stack Serverless Unavailable: The custom text that appears in the header of all Kibana pages. Images must have a transparent background, and 200x84 pixels or smaller.
xpackCustomBranding:pageTitle Stack Serverless Unavailable: The custom text that appears on Kibana browser tabs.
xpackCustomBranding:faviconSVG Stack Serverless Unavailable: The URL of a custom SVG image that appears on Kibana browser tabs. Images must be 16x16 pixels.
xpackCustomBranding:faviconPNG Stack Serverless Unavailable: The URL of a custom PNG image that appears on Kibana browser tabs.