diff --git a/deploy-manage/_snippets/cps-billing.md b/deploy-manage/_snippets/cps-billing.md new file mode 100644 index 0000000000..e3ac512bfa --- /dev/null +++ b/deploy-manage/_snippets/cps-billing.md @@ -0,0 +1,9 @@ +{{cps-cap}} billing varies by project type: + +| Project type | Billing | +|--------------|---------| +| {{es-serverless}} | {{cps-cap}} federated queries are handled by search VCUs, which scale the origin project to accommodate cross-project workloads. Refer to [](/deploy-manage/cloud-organization/billing/elasticsearch-billing-dimensions.md) for information about search VCUs. | +| {{obs-serverless}}

{{sec-serverless}} | During technical preview, there are no separate {{cps}} charges.

When {{cps-init}} becomes generally available, origin projects will incur an additional monthly charge for each GB of data retained in each project linked from the origin. Each retained GB in a linked project will be billed to the origin project on a monthly basis. | + + +When {{cps-init}} becomes generally available, all project types will also incur a charge for data moved between projects. Exact rates and billing mechanics will be provided closer to GA. \ No newline at end of file diff --git a/deploy-manage/_snippets/cps-definition.md b/deploy-manage/_snippets/cps-definition.md new file mode 100644 index 0000000000..bbad86f791 --- /dev/null +++ b/deploy-manage/_snippets/cps-definition.md @@ -0,0 +1 @@ +With {{cps}} ({{cps-init}}), users in your organization can search across multiple {{serverless-full}} projects at once, instead of searching each project individually. When your data is split across projects to organize ownership, use cases, or environments, {{cps}} lets you query all the data from a single place. \ No newline at end of file diff --git a/deploy-manage/_snippets/cps-limitations-core.md b/deploy-manage/_snippets/cps-limitations-core.md new file mode 100644 index 0000000000..ed65997939 --- /dev/null +++ b/deploy-manage/_snippets/cps-limitations-core.md @@ -0,0 +1,6 @@ +- **Maximum of 20 linked projects:** Each origin project can have up to 20 linked projects. A linked project can be associated with any number of origin projects. +- **System indices:** Indices such as `.security` and `.fleet-*` are excluded from {{cps}} results by design. +- **New projects only:** During technical preview, only newly created projects can function as origin projects. +- **{{anomaly-detect-cap}} and transforms:** During technical preview, ML {{anomaly-jobs}} and transforms are not supported with {{cps-init}}. They continue to run on origin project data only. +- **{{dfanalytics-jobs-cap}}:** {{dfanalytics-jobs}} are not supported with {{cps-init}}. They continue to run on origin project data only. +- For {{esql}} limitations specific to {{cps-init}}, refer to [ES|QL with {{cps}}](elasticsearch://reference/query-languages/esql/esql-cross-serverless-projects.md#limitations). \ No newline at end of file diff --git a/deploy-manage/_snippets/cps-origin-linked-definitions.md b/deploy-manage/_snippets/cps-origin-linked-definitions.md new file mode 100644 index 0000000000..e0269a5d7a --- /dev/null +++ b/deploy-manage/_snippets/cps-origin-linked-definitions.md @@ -0,0 +1,4 @@ +{{cps-cap}} runs across _origin_ and _linked_ projects within your {{ecloud}} organization: + +- **Origin project:** The base project where you link projects and run cross-project searches. +- **Linked projects:** The projects you connect to the origin project. Data in the linked projects becomes searchable from the origin project. diff --git a/deploy-manage/api-keys/elastic-cloud-api-keys.md b/deploy-manage/api-keys/elastic-cloud-api-keys.md index 18051c836a..c484a39779 100644 --- a/deploy-manage/api-keys/elastic-cloud-api-keys.md +++ b/deploy-manage/api-keys/elastic-cloud-api-keys.md @@ -126,6 +126,11 @@ When you grant **Organization owner** access, or **Cloud resource** access for o Using {{ecloud}} keys for project-level API access, rather than [granting keys from within each {{serverless-short}} project](serverless-project-api-keys.md), allows you to create keys that can interact with multiple projects, and manage API access centrally from the {{ecloud}} console. +:::{important} +:applies_to: serverless: preview +The [cross-project search feature](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access) requires {{ecloud}} API keys for programmatic access. +::: + When granting Cloud resource access, you can apply a [predefined role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) or [custom role](/deploy-manage/users-roles/serverless-custom-roles.md) to granularly control access to the specified resources. The selected role controls access to resources in all relevant APIs. #### Considerations diff --git a/deploy-manage/api-keys/serverless-project-api-keys.md b/deploy-manage/api-keys/serverless-project-api-keys.md index f0ddb6fade..7282d4bdd4 100644 --- a/deploy-manage/api-keys/serverless-project-api-keys.md +++ b/deploy-manage/api-keys/serverless-project-api-keys.md @@ -15,7 +15,9 @@ In {{serverless-short}} projects, the following types of API keys exist: - **Managed** API keys, created and managed by {{kib}} to correctly run background tasks. :::{admonition} Manage {{serverless-short}} project API access using {{ecloud}} API keys -As an alternative to using {{serverless-short}} project API keys, which are tied to a single project, you can create [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) that include access to projects' {{es}} and {{kib}} APIs. This allows you to create keys that can interact with multiple projects, and manage API access centrally from the {{ecloud}} console. +As an alternative to using {{serverless-short}} project API keys, which are tied to a single project, you can create [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) that include access to projects' {{es}} and {{kib}} APIs. This allows you to create keys that can interact with multiple projects, and manage API access centrally from the {{ecloud}} console. + +The [cross-project search feature](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access) requires {{ecloud}} API keys for programmatic access. ::: To manage API keys in {{kib}}, go to the **API keys** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). diff --git a/deploy-manage/cloud-organization/billing/_snippets/cps-billing-obs-sec.md b/deploy-manage/cloud-organization/billing/_snippets/cps-billing-obs-sec.md new file mode 100644 index 0000000000..26f72f768a --- /dev/null +++ b/deploy-manage/cloud-organization/billing/_snippets/cps-billing-obs-sec.md @@ -0,0 +1,3 @@ +[{{cps-cap}}](/deploy-manage/cross-project-search-config.md) is available on the {{offering}} Complete tier. During the technical preview for this feature, there are no separate {{cps}} charges. + +When {{cps-init}} becomes generally available, it will be priced on usage. In addition to a [charge for data moved between projects](/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md#general-serverless-billing-cps) that applies to all project types, origin projects will incur an additional monthly charge for each GB of data retained in each project linked from the origin. Each retained GB in a linked project will be billed to the origin project on a monthly basis. Exact rates and billing mechanics will be provided closer to GA. \ No newline at end of file diff --git a/deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md b/deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md index 8211003488..a18527ae11 100644 --- a/deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md +++ b/deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md @@ -3,9 +3,12 @@ navigation_title: Observability projects mapped_pages: - https://www.elastic.co/guide/en/serverless/current/observability-billing.html applies_to: - serverless: all + serverless: + observability: ga products: - id: cloud-serverless +sub: + offering: Observability --- # {{obs-serverless}} billing dimensions [observability-billing] @@ -32,3 +35,11 @@ Refer to [Serverless billing dimensions](serverless-project-billing-dimensions.m ## Elastic Managed LLMs [Elastic Managed LLMs](kibana://reference/connectors-kibana/elastic-managed-llm.md) enable you to leverage AI-powered search as a service without deploying a model in your serverless project. The models are configured by default to use with the Security AI Assistant, Attack Discovery, and other applicable AI features as a part of the "Observability Complete" feature tier. Using Elastic Managed LLMs will use tokens and incur related token-based add-on billing for your serverless project. + +## {{cps-cap}} [observability-billing-cps] +```{applies_to} +serverless: preview +``` + +:::{include} _snippets/cps-billing-obs-sec.md +::: diff --git a/deploy-manage/cloud-organization/billing/security-billing-dimensions.md b/deploy-manage/cloud-organization/billing/security-billing-dimensions.md index 4ec661a989..d4c0887762 100644 --- a/deploy-manage/cloud-organization/billing/security-billing-dimensions.md +++ b/deploy-manage/cloud-organization/billing/security-billing-dimensions.md @@ -3,12 +3,15 @@ navigation_title: Security projects mapped_pages: - https://www.elastic.co/guide/en/serverless/current/security-billing.html applies_to: - serverless: all + serverless: + security: ga products: - id: cloud-serverless +sub: + offering: Security Analytics --- -# {{elastic-sec}} billing dimensions [security-billing] +# {{elastic-sec}} Serverless billing dimensions [security-billing] {{elastic-sec}} serverless projects provide you with all the capabilities of {{elastic-sec}} to perform SIEM, security analytics, endpoint security, and cloud security workflows. Projects are provided using a Software as a Service (SaaS) model, and pricing is entirely consumption based. Security Analytics/SIEM is available in two tiers of carefully selected features to enable common security operations: @@ -75,3 +78,10 @@ For more details about {{elastic-sec}} serverless project rates and billable ass ## Elastic Managed LLMs [Elastic Managed LLMs](kibana://reference/connectors-kibana/elastic-managed-llm.md) enable you to leverage AI-powered search as a service without deploying a model in your serverless project. The models are configured by default to use with the Security AI Assistant, Attack Discovery, and other applicable AI features as a part of the "Security Analytics Complete" feature tier. Using Elastic Managed LLMs will use tokens and incur related token-based add-on billing for your serverless project. + +## {{cps-cap}} [security-billing-cps] +```{applies_to} +serverless: preview +``` +:::{include} _snippets/cps-billing-obs-sec.md +::: diff --git a/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md b/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md index 501493b9b8..5b987ff4de 100644 --- a/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md +++ b/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md @@ -38,3 +38,14 @@ To learn about billing dimensions for specific offerings, refer to: If your subscription level is Standard, there is no separate charge for Support reflected on your bill. If your subscription level is Gold, Platinum, or Enterprise, a charge is made for Support as a percentage (%) of the ECUs. To find out more about our support levels, go to [https://www.elastic.co/support](https://www.elastic.co/support). + +### {{cps-cap}} [general-serverless-billing-cps] +```{applies_to} +serverless: preview +``` + +[{{cps-cap}}](/deploy-manage/cross-project-search-config.md) enables you to search across multiple {{serverless-short}} projects from a single origin project. + +::::{include} /deploy-manage/_snippets/cps-billing.md +:::: + diff --git a/deploy-manage/cross-project-search-config.md b/deploy-manage/cross-project-search-config.md new file mode 100644 index 0000000000..fcb527bc2d --- /dev/null +++ b/deploy-manage/cross-project-search-config.md @@ -0,0 +1,150 @@ +--- +applies_to: + stack: unavailable + serverless: preview +products: + - id: cloud-serverless +navigation_title: "Cross-project search" +--- + +# Configure {{cps}} [configure-cross-project-search] + +::::{include} /deploy-manage/_snippets/cps-definition.md +:::: + +{{cps-cap}} is the {{serverless-short}} equivalent of [{{ccs}}](/explore-analyze/cross-cluster-search.md), with a few differences and enhancements: + +* Setting up {{cps}} doesn't require an understanding of your deployment architecture or complex security configurations. +* Permissions stay consistent across projects, and you can always adjust scope and access as needed. +* Searches are performed across projects by default, reducing the need to refactor your queries as you link additional projects. + +This section explains how to set up and manage {{cps}} for your organization, including linking projects, managing user access, and refining scope. For information on using {{cps}}, including syntax and examples, refer to [](/explore-analyze/cross-project-search.md). + +:::{note} +{{cps-cap}} is available for {{serverless-full}} projects only. For other deployment types, refer to [{{ccs}}](/explore-analyze/cross-cluster-search.md). +::: + +## Key concepts + +::::{include} /deploy-manage/_snippets/cps-origin-linked-definitions.md +:::: + +### Projects and search scope + +::::{include} /explore-analyze/cross-project-search/_snippets/cps-default-search-behavior.md +:::: + +Administrators can also adjust the search scope by [configuring the {{cps-init}} scope for each space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope). For best results, set this space-level default before you link projects. + +For details about project IDs and aliases used in search expressions, refer to [Project IDs and aliases](/explore-analyze/cross-project-search.md#project-ids-and-aliases). + +## Before you begin [cps-prerequisites] + +Before you configure {{cps}}, review these prerequisites and best practices: + +- You must be an organization owner or project administrator: + - **Organization owners** can link any projects within the organization. + - **Project administrators** must have admin access on both the origin project and each linked project. +- Your origin and linked projects must meet certain [requirements](#cps-compatibility). +- Consider the [architecture patterns](#cps-arch) and choose the right linking topology for your organization. + +### Projects available for linking [cps-compatibility] + +::::{important} - Origin project limitations + +* During technical preview, only newly created projects can be origin projects for {{cps}}. Existing projects can be linked from an origin project, but they can't serve as origin projects themselves. To get started, create a new {{serverless-short}} project and link it to your existing projects. +* At this time, you should not use an {{elastic-sec}} project as an origin project for {{cps}} in production. Some {{elastic-sec}} features are not fully functional when {{cps-init}} is enabled on an {{elastic-sec}} origin project. You can still link {{elastic-sec}} projects _to_ an origin project of another type. +:::: + +To be available for linking, projects must meet the following requirements: + +- The origin project and all linked projects must be in the same {{ecloud}} organization. +- You can link any combination of {{product.elasticsearch}}, {{product.observability}}, and {{product.security}} projects in the same organization. +- {{sec-serverless}} and {{obs-serverless}} projects require the **Complete** feature tier. Projects on the **Essentials** tier are not compatible with {{cps}}. + +Only compatible projects appear in the [{{cps}} linking wizard](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md#cps-link-projects). If a project you expected to link to is missing from the list, it might not meet the requirements, or you might not have the necessary [permissions](#cps-compatibility) on the project. + + +## Plan your {{cps-init}} architecture [cps-arch] + +When configuring {{cps}}, consider how the {{cps-init}} architecture (or linking pattern) will affect searches, dashboards, and alerting across your organization. {{cps-cap}} supports three patterns, each with a different level of operational risk. + +### Recommended: Overview project [cps-arch-overview] + +For most deployments, we recommend creating a dedicated **overview project** that can act as an origin project. You can also think of this as a hub-and-spoke model. + +In this architecture, you create a new, empty project and link existing projects to it. You run all cross-project searches from the new overview project, while your actual active projects continue to operate independently. The linked ("spoke") projects are not linked to each other. + +![Overview project architecture for cross-project search](images/serverless-cross-project-search-arch.svg) + +The overview project becomes a central point for broad searches, dashboards, and investigations, without affecting your existing setup. + +### Other supported patterns + +The overview project model is strongly recommended and appropriate for most {{cps-init}} configurations. These additional patterns are valid, but they involve additional risk and require careful configuration: + +- **Shared data project (N-to-1):** A single project stores data from a shared service (for example, logs). Multiple origin projects link to this central data project. + + The N-to-1 pattern is often used when several teams need to query shared data independently. The main risk is that linking to a shared data project affects searches, dashboards, and alerts in each origin project. If the shared project is a large, active project, the expanded dataset might cause unexpected behavior. If you're using this pattern, make sure to [manage user access](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access) and consider [CPS scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-search-scope). + +- **Data mesh (N-to-N):** Multiple active projects link directly to each other. + + The N-to-N pattern is the most complex and involves the highest risk. After you link projects, all searches, dashboards, and alerting rules in each origin project will query data from every linked project by default, which might make workflows unpredictable. Make sure you check alerting rules, which might be applied to data that the rule was never intended to evaluate. + +## Configure {{cps-init}} + +After reviewing the architecture patterns, you can configure {{cps-init}} scope and manage linked projects. For best results, complete these tasks in order: + +1. [Set space scope defaults](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#about-cps-init-scope): Configure the default {{cps}} scope for each space that will be used with {{cps}}. +1. [Manage user access and programmatic access](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md): Confirm user roles in both the origin and linked projects, as well as roles granted to [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md#roles) that will be used with {{cps}}. +1. [Link and manage projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md): Link projects in the {{ecloud}} UI, manage linked projects, and unlink projects. + +Make sure to also review the [feature impacts](#cps-feature-impacts) and [limitations](#cps-limitations) of {{cps-init}}. + +## Billing [cps-billing] + +::::{include} /deploy-manage/_snippets/cps-billing.md +:::: + +## Feature impacts [cps-feature-impacts] + +When you link projects for {{cps}}, the expanded dataset can affect existing features in the origin project. + +- **Alerts:** By default, rules in the origin project run against the **combined dataset** of the origin and all linked projects. Rules tuned for a single project's data might produce false positives when they evaluate a larger dataset. This is one reason we recommend using a dedicated [overview project](/deploy-manage/cross-project-search-config.md#cps-arch-overview), so that existing rules on data projects are not affected. Make sure to also consider the [default {{cps}} scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope) for each space, or save explicit project routing on individual rules. + +- **Dashboards and visualizations:** Existing dashboards and visualizations in the origin project will query all linked projects by default. To control this, set the [default {{cps}} scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope) for each space, or save explicit project routing on individual dashboard panels. + +- **User permissions:** {{cps-cap}} results are filtered by each user's role assignments across projects. Users with different roles will see different results from the same query. Refer to [Manage user access](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access). + +- **{{product.painless}} scripting:** The [{{product.painless}} execute API](/explore-analyze/cross-project-search.md#cps-painless-scripting) does not search across linked projects. It resolves index names against the origin project only. You can target a linked project by prefixing the index with the project alias (for example, `projectAlias:myindex`). + +## Limitations [cps-limitations] + +{{cps-cap}} has the following limitations: + +::::{include} /deploy-manage/_snippets/cps-limitations-core.md +:::: +* Additional limitations apply to Elastic {{observability}} and {{elastic-sec}} projects. + +### {{elastic-sec}} apps + +::::{warning} +:::{include} /explore-analyze/cross-project-search/_snippets/cps-security-recommendation.md +::: +:::: + +:::{include} /explore-analyze/cross-project-search/_snippets/cps-availability-security-apps.md +::: + +### Elastic {{observability}} apps + +{{observability}} apps have limited {{cps-init}} support. The scope selector is not available in {{observability}} apps, and most apps remain scoped to the origin project. + +For specific app details, refer to [{{cps-cap}} in {{observability}}](/solutions/observability/cross-project-search.md). + +## Using {{cps-init}} + +After you configure {{cps}} and link projects, users can start searching across linked projects from the origin project. For search syntax, scope controls, and examples, refer to the following pages: + +- [{{cps-cap}} overview](/explore-analyze/cross-project-search.md): Learn how to build queries in a {{cps-init}} context, including how to restrict search scope. +- [](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md): Learn how {{cps-init}} works with compatible {{kib}} apps, including how to adjust search scope. diff --git a/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md b/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md new file mode 100644 index 0000000000..eb93c35621 --- /dev/null +++ b/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md @@ -0,0 +1,97 @@ +--- +applies_to: + stack: unavailable + serverless: preview +products: + - id: cloud-serverless +navigation_title: "Access and scope" +--- + +# Manage access and scope for {{cps}} [cps-access-and-scope] + +This page explains how user permissions and scope affect [{{cps}}](/deploy-manage/cross-project-search-config.md) ({{cps-init}}) behavior, and how to set a default scope at the space level. + +For details about how {{cps-init}} scope works in {{kib}}, refer to [](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md). + +## Manage user and API key access + +:::{include} /explore-analyze/cross-project-search/_snippets/cps-security.md +::: + +### How access is evaluated + +:::{include} /explore-analyze/cross-project-search/_snippets/cps-access-evaluation.md +::: + +## Administrator tasks + +- Make sure that users who need to search across linked projects have a [role assigned](/deploy-manage/users-roles.md) on each linked project they need to access, and are granted **Cloud Console, {{es}}, and {{kib}}** access to those projects. Authorization is evaluated on the linked project, without regard to the origin project. +- If a user reports missing data from a linked project, check their role assignment on that specific linked project first. +- For programmatic access, make sure the {{ecloud}} API key has the appropriate [roles](/deploy-manage/api-keys/elastic-cloud-api-keys.md#roles) on each project the key needs to access, and is granted **Cloud, {{es}}, and {{kib}} API access** to those projects. + +## Manage {{cps}} scope [cps-search-scope] + +### About {{cps-init}} scope + +The {{cps-init}} _scope_ is the set of searchable resources included in a {{cps}}. The scope can be: + +- Origin project + all linked projects (default) +- Origin project + a set of linked projects, as defined by project routing +- Origin project only + +The scope is further restricted by the user's or key's permissions. + +Users can also set the scope at the query level, using [qualified search expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) or [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md). + +By default, an unqualified search from an origin project targets the searchable resources in **all** linked projects, plus the searchable resources in the origin project. This default scope is intentionally broad, to provide the best user experience for searching across linked projects. + +:::{important} +The system-level default {{cps-init}} scope can cause unexpected behavior, especially for alerts and dashboards that operate on the new combined dataset of the origin and all linked projects. To limit this behavior, set the [default {{cps-init}} scope for each space](#cps-default-search-scope), _before_ you link projects. +::: + +The following actions change the scope of {{cps}}es: + +- **Administrator actions:** + - Setting the [default {{cps}} scope for a space](#cps-default-search-scope) + - Adjusting [user permissions](#manage-user-and-api-key-access) using roles or API keys (for example, creating {{ecloud}} API keys that span multiple projects) +- **User actions:** + - Using the [{{cps-init}} scope selector](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) in the project header + - Using [qualified search expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) + - Using [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) + +The scope controls which projects receive the search request, while [querying and filtering](/explore-analyze/query-filter.md) determine which results are returned by the search. + +### Set the default {{cps-init}} scope for a space [cps-default-search-scope] + +You can adjust the {{cps-init}} system-level default scope by setting a narrower {{cps}} scope for each space. This setting determines the default search scope for the space. Users can override both the system-level default and the space-level default by setting their preferred scope when searching, filtering, or running queries. + +:::{tip} +For best results, set the default {{cps-init}} scope for each space **before** you link projects. +::: + +Space settings are managed in {{kib}}. + +1. To open space settings, click **Manage spaces** at the top of the **{{cps-cap}}** page. Select the space you want to configure. + +% ::::{important} +% If you don't adjust the default search scope, all searches, dashboards +% visualizations, and alerting rules in the origin project will query data from +% **every** linked project. +% :::: + +2. In the general space settings, find the **{{cps-cap}}** panel and set the default scope for the space: + - **All projects:** (default) Searches run across the origin project and all linked projects. + - **This project:** Searches run only against the origin project's data. + +3. Click **Apply changes** to save the scope setting. + +% (not yet) - **Specific projects:** Select individual linked projects to include in the default scope. + +::::{note} +The default {{cps}} scope is a space setting, not an access control. Users can still set the scope at the query level. You can also [manage user access](#manage-user-and-api-key-access). +:::: + +## Next steps + +- Review [](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md) for more information about how {{cps-init}} works with compatible {{kib}} apps, including how users can adjust search scope. +- Review [](/explore-analyze/cross-project-search/cross-project-search-search.md) for more information about how to build queries in a {{cps-init}} context, including how to restrict search scope using qualified search expressions and project routing. \ No newline at end of file diff --git a/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md b/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md new file mode 100644 index 0000000000..229fb11e99 --- /dev/null +++ b/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md @@ -0,0 +1,76 @@ +--- +applies_to: + stack: unavailable + serverless: preview +products: + - id: cloud-serverless +navigation_title: "Link and manage projects" +--- + +# Link and manage projects for {{cps}} [cps-link-and-manage] + +This page explains how to link {{serverless-full}} projects for {{cps}} ({{cps-init}}), manage your linked projects, and unlink projects you no longer need to search across. + +For more details about {{cps-init}} configuration, refer to [](/deploy-manage/cross-project-search-config.md). For information about using {{cps-init}}, refer to [](/explore-analyze/cross-project-search.md). + +## Before you begin + +Before you link projects for {{cps}}, review these prerequisites and key concepts: + +- Review the [architecture patterns](/deploy-manage/cross-project-search-config.md#cps-arch) to choose the right linking topology for your organization. +- Review the [default {{cps}} scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope) for each space and make any necessary adjustments. If you don't set default {{cps-init}} scopes at the space level, all searches from the origin project will query data from **every** linked project by default, right after you link projects. +- Review [user access and programmatic access](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md) for each linked project. Users and API keys need to have the appropriate permissions to access the linked projects. + +### How linking works + +In {{cps}} configurations, project links are unidirectional and independent: + +- Searches that run from a linked project do **not** run against the origin project. If you need bidirectional search, link the projects twice, in both directions. +- Linking projects is not transitive. If Project A links to Project B, and Project B links to Project C, Project A cannot automatically search Project C. Each link is independent. + +## Link projects [cps-link-projects] + +To link projects, use the {{cps}} linking wizard in the {{ecloud}} UI: + +1. Make sure you've completed the tasks in the [Before you begin](#before-you-begin) section. + +1. On the home screen, find the project you want to use as the origin project and click **Manage**. + + ::::{warning} + :::{include} /explore-analyze/cross-project-search/_snippets/cps-security-recommendation.md + ::: + :::: + +1. Use the sidebar to navigate to the **{{cps-cap}}** page. + +1. Click **Link projects**. Browse or search for projects to link to the origin project. Only compatible projects appear in the project list. You can filter by type, cloud provider, region, and tags. + +1. Select the checkbox for each project you want to link. You can link up to 20 projects to each origin project. + + If a project you expected to link to is missing from the list, it might not meet the [requirements](/deploy-manage/cross-project-search-config.md#cps-compatibility), or you might not have the necessary [permissions](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access) on the linked project. + +1. Complete the remaining steps in the wizard to review and save your selections. In the last step, you can click **View API request** to see the equivalent API request for linking to the selected projects. + + +## Manage linked projects [cps-manage-linked-projects] + +On the origin project's **{{cps-cap}}** page, you can reconfigure {{cps}} as needed: + +- **Link additional projects:** Click **Link projects** to add more linked projects, up to the 20-project maximum for the origin project. +- **Unlink projects:** Remove connections by [unlinking projects](#cps-unlink-projects). +- **Open space settings in {{kib}}:** Click **Manage spaces** to set or adjust the default [{{cps-init}} scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope) for the space. + +## Unlink projects [cps-unlink-projects] + +To remove a linked project from the current {{cps-init}} configuration, navigate to the **{{cps-cap}}** page. Select the checkbox next to the projects you want to disconnect, then click **Unlink**. + +After you confirm, searches from the origin project will no longer include data from the unlinked projects. + +::::{note} +You can't delete a project that's linked to an origin project. To delete a linked project, first unlink it from every origin project it's connected to, then delete it. +:::: + +## Link and unlink projects using APIs [cps-link-api] + +You can also link and unlink projects programmatically using the {{ecloud}} API. In the linking wizard, click **View API request** in the review step to see the equivalent API call for your current selection. + diff --git a/deploy-manage/deploy/elastic-cloud/project-settings.md b/deploy-manage/deploy/elastic-cloud/project-settings.md index f134858443..8f8cfaf124 100644 --- a/deploy-manage/deploy/elastic-cloud/project-settings.md +++ b/deploy-manage/deploy/elastic-cloud/project-settings.md @@ -125,7 +125,7 @@ For a full feature comparison, upgrading instructions, and more, refer to [{{obs ## Project tags -Project tags are metadata key-value pairs that help you to categorize and organize your projects. +Project tags are custom metadata key-value pairs that allow you to categorize and organize your projects. If you're using {{cps}} in {{serverless-full}}, tags also enable [routing searches to specific projects](/explore-analyze/cross-project-search/cross-project-search-tags.md). * **Predefined tags** are attributes that Elastic assigns automatically to each project, such as project type, cloud service provider, and region. * **Custom tags** are key-value pairs that you define in the {{ecloud}} console or using the API to further categorize and organize your projects. diff --git a/deploy-manage/images/serverless-cross-project-search-arch.svg b/deploy-manage/images/serverless-cross-project-search-arch.svg new file mode 100644 index 0000000000..16ccc69fb4 --- /dev/null +++ b/deploy-manage/images/serverless-cross-project-search-arch.svg @@ -0,0 +1,62 @@ + + + + + + + + Overview project + Origin (empty hub) + + + + + + + + + Security project + Linked (data) + + + + + Observability project + Linked (data) + + + + + Elasticsearch project + Linked (data) + + +Searches run from the overview project across all linked projects. +Linked projects operate independently and are not linked to each other. +You can link any combination of compatible projects. + diff --git a/deploy-manage/index.md b/deploy-manage/index.md index b828316eca..6aed57bcdf 100644 --- a/deploy-manage/index.md +++ b/deploy-manage/index.md @@ -60,6 +60,7 @@ Learn how to secure your Elastic environment to restrict access to only authoriz * [](/deploy-manage/api-keys.md): Authenticate and authorize programmatic access to your deployments and {{es}} resources. * [](/deploy-manage/manage-connectors.md): Manage connection information between Elastic and third-party systems. * [](/deploy-manage/remote-clusters.md): Enable communication between {{es}} clusters to support [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/explore-analyze/cross-cluster-search.md). +* [Cross-project search](/deploy-manage/cross-project-search-config.md): Link multiple {{serverless-full}} projects to broaden the dataset users can query and visualize. {applies_to}`serverless: preview` ## Administer and maintain diff --git a/deploy-manage/manage-spaces.md b/deploy-manage/manage-spaces.md index 9a0e4438fe..58dcc000e4 100644 --- a/deploy-manage/manage-spaces.md +++ b/deploy-manage/manage-spaces.md @@ -27,15 +27,7 @@ products: You can find the **Spaces** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -For more info on working with spaces, check out: -- [Create a space](#spaces-managing) -- [Define access to a space](#spaces-control-user-access) -- [Move saved objects between spaces](#spaces-moving-objects) -- [Configure a space-level landing page](#spaces-default-route) -- [Make API calls to a space](#spaces-api-requests) -- [Delete a space](#_delete_a_space) - -Check out [Using Spaces with Fleet](/deploy-manage/manage-spaces-fleet.md) for info on using spaces with {{fleet}} in a space-aware data model. +The rest of this page explains how to manage spaces and their settings. For information on using spaces with {{fleet}} in a space-aware data model, refer to [](/deploy-manage/manage-spaces-fleet.md). ## Required permissions [_required_privileges_3] @@ -111,12 +103,10 @@ If you're managing an {{stack}} deployment, then you can also assign roles and d When a role is assigned to *All Spaces*, you can’t remove its access from the space settings. You must instead edit the role to give it more granular access to individual spaces. - ## Move saved objects between spaces [spaces-moving-objects] To move saved objects between spaces, you can [copy objects](/explore-analyze/find-and-organize/saved-objects.md#managing-saved-objects-copy-to-space), or [export and import objects](/explore-analyze/find-and-organize/saved-objects.md#managing-saved-objects-export-objects). - ## Customize {{kib}}'s home page [spaces-default-route] ```{applies_to} stack: ga @@ -139,6 +129,15 @@ You can access the **Advanced Settings** management page in the navigation menu :screenshot: ::: +## Set a scope for {{cps}} [cps-default-search-scope] +```{applies_to} +serverless: preview +``` + +If your organization uses [{{cps}}](/explore-analyze/cross-project-search.md) ({{cps-init}}) in {{serverless-full}}, you can set the {{cps-init}} scope for each space. This setting determines the default scope for cross-project searches: origin only, or origin + all linked projects. + +For best results, set the default {{cps-init}} scope for each space **before** you link projects. Refer to [Set the default {{cps-init}} scope for a space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope). + ## Make API calls to a space [spaces-api-requests] When you access resources in {{kib}} using the [{{kib}} APIs](https://www.elastic.co/docs/api/doc/kibana/), unless you specify otherwise the API request is directed at the default space. To direct a request at a specific space, indicate that space by adding a `/` element to the request path, directly after the {{kib}} URL. diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md index 6a916cdcbd..fc6057e0d5 100644 --- a/deploy-manage/remote-clusters.md +++ b/deploy-manage/remote-clusters.md @@ -28,6 +28,13 @@ Remote clusters are especially useful in two cases: :::{include} ./remote-clusters/_snippets/terminology.md ::: +::::{admonition} Alternatives for {{serverless-short}} +Remote clusters are not available in {{serverless-full}}. + +* The equivalent of {{ccs}} in {{serverless-full}} is [{{cps}}](/deploy-manage/cross-project-search-config.md). {{cps-init}} does not require remote cluster configuration. +* A feature equivalent to cross-cluster replication is anticipated in a future release. +:::: + ## Security models and connection modes When configuring remote clusters, you can choose between two security models and two connection modes. Both security models are compatible with either connection mode. diff --git a/deploy-manage/security/_snippets/complete-security.md b/deploy-manage/security/_snippets/complete-security.md index 441b304719..d40f9046fa 100644 --- a/deploy-manage/security/_snippets/complete-security.md +++ b/deploy-manage/security/_snippets/complete-security.md @@ -1,8 +1,8 @@ ::::{note} As part of your overall security strategy, you can also do the following: -* Prevent unauthorized access with [password protection and role-based access control](/deploy-manage/users-roles.md). -* Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md). -* Connect a local cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/explore-analyze/cross-cluster-search.md). -* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. +* Prevent unauthorized access with [password protection and role-based access control](/deploy-manage/users-roles.md). +* Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md). If applicable, you can also set a [default CPS scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope) for each space. +* Connect a local cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/explore-analyze/cross-cluster-search.md). +* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. :::: \ No newline at end of file diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 42aaadc988..3175c99ed7 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -675,6 +675,10 @@ toc: - file: remote-clusters/eck-remote-clusters.md - file: remote-clusters/eck-remote-clusters-to-other-eck.md - file: remote-clusters/eck-remote-clusters-to-external.md + - file: cross-project-search-config.md + children: + - file: cross-project-search-config/cps-config-link-and-manage.md + - file: cross-project-search-config/cps-config-access-and-scope.md - file: monitor.md children: - file: monitor/autoops.md diff --git a/deploy-manage/uninstall/delete-a-cloud-deployment.md b/deploy-manage/uninstall/delete-a-cloud-deployment.md index 093cde745d..f8012917d6 100644 --- a/deploy-manage/uninstall/delete-a-cloud-deployment.md +++ b/deploy-manage/uninstall/delete-a-cloud-deployment.md @@ -41,7 +41,12 @@ If you want to keep the snapshot for future purposes even after the deployment d ## Serverless -To delete a {{serverless-full}} project: +:::{note} +:applies_to: serverless: preview +You can't delete a project that's linked to a {{cps}} ({{cps-init}}) origin project. To delete a linked project, first [unlink](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md#cps-unlink-projects) it from every origin project it's connected to, then delete it. +::: + +To delete an {{serverless-full}} project: 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 2. Find your project on the home page in the **Serverless Projects** card and select **Manage** to access it directly. Or, select **Serverless Projects** to go to the projects page to view all of your projects. diff --git a/deploy-manage/users-roles/cloud-organization/user-roles.md b/deploy-manage/users-roles/cloud-organization/user-roles.md index a0835746f0..f96c9ec58e 100644 --- a/deploy-manage/users-roles/cloud-organization/user-roles.md +++ b/deploy-manage/users-roles/cloud-organization/user-roles.md @@ -147,6 +147,8 @@ When **Cloud Console, {{es}}, and {{kib}}** access is not granted, roles that ar * Several predefined roles that are intended for project users, such as the Security **Tier 1 analyst** role, can view the relevant projects on the {{ecloud}} Console home page, but can't open the project to view their dashboards and visualizations. * [Custom roles](/deploy-manage/users-roles/serverless-custom-roles.md) always require **Cloud Console, {{es}}, and {{kib}}** access. Without it, users have only **Viewer** access in the {{ecloud}} Console, and can't log in to the project. +{applies_to}`serverless: preview` If your organization uses [{{cps}}](/deploy-manage/cross-project-search-config.md), the roles assigned to a user determine what data they can access across linked projects. Users can only see data from a linked project if their role on that project grants the necessary privileges. Refer to [Manage user access](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#manage-user-and-api-key-access). + For details on the permissions granted for each role, refer to the [predefined roles table](#general-assign-user-roles-table). :::{tip} diff --git a/deploy-manage/users-roles/serverless-custom-roles.md b/deploy-manage/users-roles/serverless-custom-roles.md index dd571b8c6e..9bc755b9f3 100644 --- a/deploy-manage/users-roles/serverless-custom-roles.md +++ b/deploy-manage/users-roles/serverless-custom-roles.md @@ -20,7 +20,8 @@ Roles are a collection of privileges that enable users to access project feature On this page, you'll learn about how to [manage custom roles in your project](#manage-custom-roles), the types of privileges you can assign, and how to [assign the roles](#assign-custom-roles) that you create. ::::{note} -You cannot assign [run as privileges](elasticsearch://reference/elasticsearch/security-privileges.md#_run_as_privilege) in {{serverless-full}} custom roles. +- You cannot assign [run as privileges](elasticsearch://reference/elasticsearch/security-privileges.md#_run_as_privilege) in {{serverless-full}} custom roles. +- If your organization uses [cross-project search](/explore-analyze/cross-project-search.md) in {{serverless-short}}, assigned roles continue to apply. Users can work with data from [linked projects](/deploy-manage/cross-project-search-config.md#key-concepts) only if their assigned privileges already allow access to those projects. {applies_to}`serverless: preview` :::: :::{{admonition}} Custom roles in {{stack}} @@ -108,5 +109,5 @@ As new features are added to {{serverless-full}}, roles that use the custom opti After your roles are set up, the next step to securing access is to assign roles to your users. Click the **Assign roles** link to go to the **Members** tab of the **Organization** page. Learn more in [](/deploy-manage/users-roles/cloud-organization/user-roles.md). :::{warning} -When you assign custom roles, you must always select **Cloud Console, {{es}}, and {{kib}}** access for the role to take full effect. If you don't grant this access, the user only has the equivalent of **Viewer** access to the project in the {{ecloud}} console, and can't log in to the project. [Learn more](/deploy-manage/users-roles/cloud-organization/user-roles.md#access). +When you assign custom roles, you must always select **Cloud Console, {{es}}, and {{kib}}** access for the role to take full effect. If you don't grant this access, the user only has the equivalent of **Viewer** access to the project in the {{ecloud}} console, and can't log in to the project or access project data through {{cps}}. [Learn more](/deploy-manage/users-roles/cloud-organization/user-roles.md#access). ::: diff --git a/explore-analyze/_snippets/inspect-request.md b/explore-analyze/_snippets/inspect-request.md index c3308c0858..e55437bcf6 100644 --- a/explore-analyze/_snippets/inspect-request.md +++ b/explore-analyze/_snippets/inspect-request.md @@ -11,10 +11,10 @@ The request **Inspector** is available in **Discover** and for all **Dashboards* Some visualizations rely on several requests. From the dropdown, select the request you want to inspect. ::: * **Statistics**: Provides general information and statistics about the request. For example, you can check if the number of hits and query time match your expectations. If not, this can indicate an issue with the request used to build the visualization. - * **Clusters and shards**: Lists the {{es}} clusters and shards per cluster queried to fetch the data and shows the status of the request on each of them. With the information in this tab, you can check if the request is properly executed, especially in case of cross-cluster search. + * **Clusters and shards**: Lists the {{es}} clusters and shards queried to fetch the data, including for [{{ccs}}](/explore-analyze/cross-cluster-search.md) and [{{cps}}](/explore-analyze/cross-project-search.md) queries. Use this tab to verify that the request ran correctly. :::{note} - This tab is not available for {{esql}} queries and Vega visualizations. + This tab is not available for Vega visualizations. ::: * **Request**: Provides a full view of the visualization's request, which you can copy or **Open in Console** to refine, if needed. diff --git a/explore-analyze/alerting/alerts/alerting-setup.md b/explore-analyze/alerting/alerts/alerting-setup.md index c0a3e00a99..284d4c9c00 100644 --- a/explore-analyze/alerting/alerts/alerting-setup.md +++ b/explore-analyze/alerting/alerts/alerting-setup.md @@ -118,4 +118,27 @@ Rules and connectors are isolated to the {{kib}} space in which they were create ## {{ccs-cap}} [alerting-ccs-setup] +```{applies_to} +serverless: unavailable +stack: ga +``` + If you want to use alerting rules with {{ccs}}, you must configure privileges for {{ccs-init}} and {{kib}}. Refer to [Remote clusters](../../../deploy-manage/remote-clusters.md). + + +## {{cps-cap}} [kibana-alerting-cps] + +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), alerting rules query data across linked projects based on the **space-level {{cps}} scope**. You cannot set a {{cps}} scope on individual rules. + +When you open a rule to create or edit it, the [{{cps-init}} scope selector](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) in the header shows the current {{cps}} scope but is read-only. To change which projects rules query, update the [{{cps}} scope configured for the space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope). + +For {{esql}} rules, you can use [`SET project_routing`](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) in the rule query to target specific linked projects, overriding the space-level scope. For non-{{esql}} rules that use index patterns, you can use [qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) to scope the rule to specific projects. + +:::{note} +{{ml-cap}} rules don't support {{cps}}. {{ml-cap}} rules search data in the origin project only. +::: diff --git a/explore-analyze/alerting/alerts/create-manage-rules.md b/explore-analyze/alerting/alerts/create-manage-rules.md index 9459447161..4dbf5c249b 100644 --- a/explore-analyze/alerting/alerts/create-manage-rules.md +++ b/explore-analyze/alerting/alerts/create-manage-rules.md @@ -41,6 +41,22 @@ For more information on alerting concepts and the types of rules and connectors Access to rules is granted based on your {{alert-features}} privileges. For more information, go to [Security](alerting-setup.md#alerting-security). +## {{cps-cap}} scope for rules [cps-scope-for-rules] +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), alerting rules query data across linked projects based on the **space-level {{cps}} scope**. You cannot set a {{cps}} scope on individual rules. + +When you open a rule to create or edit it, the [{{cps-init}} scope selector](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) in the header shows the current {{cps}} scope but is read-only. To change which projects rules query, update the [{{cps}} scope configured for the space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope). + +For {{esql}} rules, you can use [`SET project_routing`](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) in the rule query to target specific linked projects, overriding the space-level scope. For non-{{esql}} rules that use index patterns, you can use [qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) to scope the rule to specific projects. + +:::{note} +{{ml-cap}} rules don't support {{cps}}; they search data in the origin project only. Other features also have limited or no {{cps}} support. For details, refer to [{{cps-cap}} availability by app](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-availability). +::: + ## Create and edit rules [create-edit-rules] Some rules must be created within the context of a {{kib}} app like [Metrics](/solutions/observability/infra-and-hosts.md), [**APM**](/solutions/observability/apm/index.md), or [Uptime](/solutions/observability/uptime/index.md), but others are generic. Generic rule types can be created in **{{rules-ui}}** by clicking the **Create rule** button. This will launch a flyout that guides you through selecting a rule type and configuring its conditions and actions. diff --git a/explore-analyze/cross-project-search.md b/explore-analyze/cross-project-search.md index 3236749900..6986be91f9 100644 --- a/explore-analyze/cross-project-search.md +++ b/explore-analyze/cross-project-search.md @@ -9,42 +9,43 @@ description: Learn how cross-project search (CPS) enables you to search across m # {{cps-cap}} [cross-project-search] -**{{cps-cap}}** ({{cps-init}}) enables you to run a single search request across multiple {{serverless-short}} projects. -When your data is split across projects to organize ownership, use cases, or environments, {{cps}} lets you query all that data from a single place, without having to search each project individually. +::::{include} /deploy-manage/_snippets/cps-definition.md +:::: + +From the origin project, you can run queries, build dashboards, and configure alerting rules that include data from all linked projects. Results are filtered by each user's permissions across projects. {{cps-cap}} relies on linking projects within your {{ecloud}} organization. After you link projects together, searches from the origin project automatically run across all linked projects. This overview explains how {{cps}} works, including project linking and security. +For prerequisites, compatibility requirements, architecture planning, and scope defaults, refer to [](/deploy-manage/cross-project-search-config.md). + For details on how search, tags, and project routing work in {{cps-init}}, refer to the following pages: -* [Link projects for {{cps}}](/explore-analyze/cross-project-search/cross-project-search-link-projects.md): step-by-step instructions for linking projects in the {{ecloud}} UI. -* [Search in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-search.md): learn how search expressions, search options, and index resolution work. -* [Tags in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-tags.md): learn about predefined and custom project tags and how to use them in queries. -* [Project routing in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-project-routing.md): learn how to route searches to specific projects based on tag values. +* [Search in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-search.md): Learn how search expressions, search options, and index resolution work. +* [Tags in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-tags.md): Learn about predefined and custom project tags and how to use them in queries. +* [Project routing in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-project-routing.md): Learn how to route searches to specific projects based on tag values. +* [Manage {{cps-init}} scope in your project apps](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md): Control which projects are searched as you work in Discover, Dashboards, and other {{kib}} apps. ## {{cps-cap}} as the default behavior for linked projects -Projects are intended to act as logical namespaces for data, not hard boundaries for querying it. You can split data into projects to organize ownership, use cases, or environments, while still expecting to search and analyze that data from a single place. - -Because of this, after you link additional projects to your current (_origin_) project, all searches from the origin project query every linked project by default. -Searches are designed to run across projects automatically, providing the same experience for querying, analysis, and insights across projects as within a single project. -Restricting search scope is always possible, but it requires explicitly scoping the search request using [qualified expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) or [routing parameters](/explore-analyze/cross-project-search/cross-project-search-project-routing.md). +::::{include} /explore-analyze/cross-project-search/_snippets/cps-default-search-behavior.md +:::: ## Project linking -In {{serverless-short}}, projects can be linked together. The project from which links are created is called the origin project, and the connected projects are referred to as linked projects. +In {{serverless-short}}, projects can be linked together. -The **origin project** is the project you are currently working in and from which you run cross-project searches. -**Linked projects** are other projects that are connected to the origin project and whose data can be searched from it. +::::{include} /deploy-manage/_snippets/cps-origin-linked-definitions.md +:::: -After you link projects, searches that you run from the origin project are no longer local to the origin project by default. +After you link projects, searches that you run from the origin project are no longer scoped to the origin project by default. **Any search initiated on the origin project automatically runs across the origin project and all its linked projects ({{cps}}).** When you search from an origin project, the query runs against its linked projects automatically unless you explicitly change the query scope by using [project routing expressions](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) or [qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions). -Project linking is not bidirectional. Searches initiated from a linked project do not run against the origin project. +Project linking is not bidirectional. Searches initiated from a linked project do **not** run against the origin project. If you need bidirectional search, link the projects twice, in both directions. -You can link projects by using the {{ecloud}} UI. For step-by-step instructions, refer to [Link projects for {{cps}}](/explore-analyze/cross-project-search/cross-project-search-link-projects.md). +You can link projects by using the {{ecloud}} UI. For step-by-step instructions, refer to [Link projects for {{cps}}](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md). ### Project IDs and aliases @@ -65,7 +66,7 @@ You can use `_origin` in search expressions to explicitly target the origin proj ## Excluding indices and projects You can exclude specific indices or projects from a {{cps}} by prefixing a pattern with a dash (`-`). -This enables you start with a broad search scope and narrow it down by removing specific indices or projects from the results. +This enables you to start with a broad search scope and narrow it down by removing specific indices or projects from the results. ### How exclusion works @@ -105,27 +106,21 @@ The following examples assume an origin project with two linked projects: `linke This section gives you a high-level overview of how security works in {{cps}}. -In {{cps-init}}, access to a project's data is determined by the [roles](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) assigned to you in that project. Your access does not change based on how you perform a search: whether you query directly within a project or access it through {{cps}}, the same permissions apply. - -::::{note} -{{cps-cap}} is not available when performing programmatic searches using {{es}} API keys, since they're project-scoped and they return results from the local project only. -:::: - -Access control operates in two stages: - -* Authentication verifies the identity associated with a request (for example, a Cloud user or API key) and retrieves that identity's role assignments in each project. -* Authorization evaluates those roles to determine which actions and resources the request can access within each project. +:::{include} /explore-analyze/cross-project-search/_snippets/cps-security.md +::: -For example, if you have a viewer role in project 1, an admin role in project 2, and a custom role in project 3, you can access all three projects through {{cps}}. Each project enforces the permissions associated with the role you have in that project. +### How access is evaluated -When a {{cps}} query targets a linked project that you have access to, authorization checks are performed locally in that project to determine whether you have the required privileges to access the requested resources. +:::{include} /explore-analyze/cross-project-search/_snippets/cps-access-evaluation.md +::: **Example** + You have read access to the `logs` index in project 1, but no access to the `logs` index in project 2. If you run `GET logs/_search`: * documents from the `logs` index in project 1 are returned -* the `logs` index in project 2 is not accessible and is excluded from the results +* the `logs` index in project 2 is not accessible and is excluded from the results. No error is returned. The query succeeds, but results only include data from projects where your role grants access. ## Supported APIs [cps-supported-apis] @@ -147,6 +142,20 @@ The following APIs support {{cps}}: * Search scroll [clear](https://www.elastic.co/docs/api/doc/elasticsearch/v9/operation/operation-clear-scroll), [run](https://www.elastic.co/docs/api/doc/elasticsearch/v9/operation/operation-scroll) * [Search template](/solutions/search/search-templates.md) +### {{product.painless}} scripting [cps-painless-scripting] + +The [{{product.painless}} execute API](elasticsearch://reference/scripting-languages/painless/painless-api-examples.md) (`POST _scripts/painless/_execute`) does not search across linked projects. Unlike the search APIs listed above, the execute API resolves index names against the **origin project only**. + +When testing scripts with the execute API in a {{cps}} environment: + +* To target a specific linked project, prefix the index with the project alias: `projectAlias:myindex`. +* To explicitly target the origin project, use `_origin:myindex`. + * An unqualified index name like `logs` is equivalent to `_origin:logs` — it targets the origin project only. +* Only a single index is accepted. Wildcards and [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) are not supported. +* Requests to linked projects are subject to the same [security model](/explore-analyze/cross-project-search.md#security) as other {{cps}} requests. + +For additional information, refer to the [{{product.painless}} execute API reference](elasticsearch://reference/scripting-languages/painless/painless-api-examples.md). + ### {{cps-cap}} specific APIs **Project routing**: `_project_routing` @@ -159,16 +168,42 @@ The following APIs support {{cps}}: * [Get tags](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/operation/operation-project-tags) -## Limitations +## Identifying the location of a document [cps-identify-documents] + +To determine whether a document comes from the origin project or a linked project, examine the `_index` field. + +Documents from linked projects include the linked project's alias as a prefix, separated by a colon: -### Maximum of 20 linked projects per origin project +``` +my-linked-project-abc123:.ds-logs-generic.otel-default-2026.03.02-000001 +``` + +Origin documents have no prefix: + +``` +.ds-logs-generic.otel-default-2026.03.02-000001 +``` -Currently, each origin project can have up to 20 linked projects. -A linked project can be associated with any number of origin projects. +In {{esql}}, the `_index` field is not returned by default. To include it, use the `METADATA` keyword: + +```esql +FROM logs-* METADATA _index +| WHERE @timestamp > "2026-03-16T15:15:00Z" +| KEEP @timestamp, _index, message +``` + +## Limitations [cps-limitations] + +::::{include} /deploy-manage/_snippets/cps-limitations-core.md +:::: + +For a [complete list of limitations](/deploy-manage/cross-project-search-config.md#cps-limitations), including restrictions for Elastic Observability and {{elastic-sec}} projects, as well as administrator-focused details including compatibility, architecture patterns, and feature impacts, refer to [](/deploy-manage/cross-project-search-config.md). + +To check whether {{cps}} is available in a specific {{kib}} app, refer to the [availability table](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-availability). ## {{cps-cap}} examples [cps-examples] -The following examples demonstrate how search requests behave in different {{cps-init}} scenarios. +The following examples show how {{cps}} resolves index names and routes queries when you use unqualified expressions, qualified expressions, and project routing. ### Unqualified search expressions @@ -260,7 +295,7 @@ The request will return a response similar to this: } ``` -In this example, both the origin project and a linked project contain an index named` my-index`: +In this example, both the origin project and a linked project contain an index named `my-index`: ```console POST /_query @@ -580,7 +615,7 @@ GET /_query { "project_routing": "@origin-only", "query": "FROM *", - "nclude_execution_metadata": true, + "include_execution_metadata": true } ``` ::: diff --git a/explore-analyze/cross-project-search/_snippets/cps-access-evaluation.md b/explore-analyze/cross-project-search/_snippets/cps-access-evaluation.md new file mode 100644 index 0000000000..79228a6e1a --- /dev/null +++ b/explore-analyze/cross-project-search/_snippets/cps-access-evaluation.md @@ -0,0 +1,8 @@ +Access control operates in two stages: + +* Authentication verifies the identity associated with a request (for example, a Cloud user or API key) and retrieves that identity's role assignments in each project. +* Authorization evaluates those roles to determine which actions and resources the request can access within each project. + +For example, if you have a viewer role in project 1, an admin role in project 2, and a custom role in project 3, you can access all three projects through {{cps}}. Each project enforces the permissions associated with the role you have in that project. + +When a {{cps}} query targets a linked project that you have access to, authorization checks are performed locally in that project to determine whether you have the required privileges to access the requested resources. \ No newline at end of file diff --git a/explore-analyze/cross-project-search/_snippets/cps-availability-security-apps.md b/explore-analyze/cross-project-search/_snippets/cps-availability-security-apps.md new file mode 100644 index 0000000000..811f195f61 --- /dev/null +++ b/explore-analyze/cross-project-search/_snippets/cps-availability-security-apps.md @@ -0,0 +1,5 @@ +{{elastic-sec}} apps have limited {{cps-init}} support: + +- **Timeline:** Only the **{{esql}}** tab supports `SET project_routing`. All other Timeline tabs search the origin project only. +- **Other Security features:** The **Explore** page, threat-hunting workflows, the alert details flyout, and entity store remain scoped to the origin project. +- **Alerting:** During technical preview, rules that query data across linked projects can generate alerts, and you can view those alerts in the UI. However, the alert response workflow, which includes actions after an alert is raised, such as triage, investigation, and case management across linked projects, is not yet fully supported with {{cps-init}}. diff --git a/explore-analyze/cross-project-search/_snippets/cps-default-search-behavior.md b/explore-analyze/cross-project-search/_snippets/cps-default-search-behavior.md new file mode 100644 index 0000000000..dfda570fca --- /dev/null +++ b/explore-analyze/cross-project-search/_snippets/cps-default-search-behavior.md @@ -0,0 +1,5 @@ +Projects are intended to act as logical namespaces for data, not hard boundaries for querying it. You can split data into projects to organize ownership, use cases, or environments, while still expecting to search and analyze that data from a single place. + +After you link projects, searches from the origin project run across the origin and all linked projects by default. +This default behavior provides a consistent experience for querying, analysis, and insights across linked projects. +Restricting search scope is always possible, by explicitly scoping the search request using [qualified expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) or [project routing parameters](/explore-analyze/cross-project-search/cross-project-search-project-routing.md). diff --git a/explore-analyze/cross-project-search/_snippets/cps-security-recommendation.md b/explore-analyze/cross-project-search/_snippets/cps-security-recommendation.md new file mode 100644 index 0000000000..495271fead --- /dev/null +++ b/explore-analyze/cross-project-search/_snippets/cps-security-recommendation.md @@ -0,0 +1 @@ +At this time, you should not use an {{elastic-sec}} project as an origin project for {{cps}} in production. Some {{elastic-sec}} features are not fully functional when {{cps-init}} is enabled on an {{elastic-sec}} origin project. You can still link {{elastic-sec}} projects _to_ an origin project of another type. diff --git a/explore-analyze/cross-project-search/_snippets/cps-security.md b/explore-analyze/cross-project-search/_snippets/cps-security.md new file mode 100644 index 0000000000..62c9eb0f75 --- /dev/null +++ b/explore-analyze/cross-project-search/_snippets/cps-security.md @@ -0,0 +1,13 @@ +* **From within {{kib}}:** Searches you run from the origin project use your [{{ecloud}} user role assignments](/deploy-manage/users-roles/cloud-organization/user-roles.md) on each project that participates in the search. Each role assignment must include [Cloud Console, {{es}}, and {{kib}} access](/deploy-manage/users-roles/cloud-organization/user-roles.md#access) to those projects to return project data. + +* **Programmatically:** Requests authenticated with an [{{ecloud}} API key](/deploy-manage/api-keys/elastic-cloud-api-keys.md) use that key’s role assignments on each project. Each role assignment must include [Cloud, {{es}}, and {{kib}} API access](/deploy-manage/api-keys/elastic-cloud-api-keys.md#project-access) to those projects to return project data. + +Alternatively, a user or key can be granted organization-level roles that grant access to all projects in the organization. + +Permissions are always evaluated per project. It does not matter whether you query that project from its own endpoint or from an origin project linked through {{cps-init}}: the same role assignments apply. + +::::{admonition} Use {{ecloud}} API keys for {{cps-init}} +For {{cps}}, you must use [{{ecloud}} API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md), which can authenticate across project boundaries. + +{{cps-cap}} is not available when performing programmatic searches using [{{es}} API keys](/deploy-manage/api-keys/serverless-project-api-keys.md), because they're scoped to a single project. These keys return results from the origin project only. +:::: \ No newline at end of file diff --git a/explore-analyze/cross-project-search/cross-project-search-link-projects.md b/explore-analyze/cross-project-search/cross-project-search-link-projects.md deleted file mode 100644 index 6700297959..0000000000 --- a/explore-analyze/cross-project-search/cross-project-search-link-projects.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -applies_to: - stack: unavailable - serverless: preview -products: - - id: elasticsearch - - id: cloud-serverless -description: Link projects in the Cloud UI to enable cross-project search across multiple Serverless projects. -navigation_title: "Linking projects" ---- - -# Link projects for {{cps}} [link-projects-for-cps] - -Before you can search across multiple projects, you must link them together. {{cps-cap}} only works between projects that are explicitly linked within your {{ecloud}} organization. - -This guide explains how to link projects in the {{ecloud}} UI so you can run cross-project searches from an origin project. For an overview of {{cps}} concepts such as origin projects, linked projects, and search expressions, refer to [{{cps-cap}}](/explore-analyze/cross-project-search.md). - -## Prerequisites - -* {{cps-cap}} requires linked projects. - - - - -## Link projects using the Cloud UI - -You can link projects by using the Cloud UI. - - - -1. On the home screen, select the project you want to use as the origin project and click **Manage**. -2. Click **Configure** on the **{{cps-cap}}** tile. Or click **{{cps-cap}}** in the left-hand navigation. -3. Click **Link projects**. -4. Select the projects you want to link from the project list. - - - -5. Click **Review and save**. -6. Review the selected projects. If you are satisfied, click **Save**. - - - -When your configuration is saved, a page with the list of linked projects opens. diff --git a/explore-analyze/cross-project-search/cross-project-search-manage-scope.md b/explore-analyze/cross-project-search/cross-project-search-manage-scope.md new file mode 100644 index 0000000000..acfb191f03 --- /dev/null +++ b/explore-analyze/cross-project-search/cross-project-search-manage-scope.md @@ -0,0 +1,98 @@ +--- +applies_to: + stack: unavailable + serverless: preview +type: overview +products: + - id: cloud-serverless + - id: kibana +navigation_title: "CPS scope in project apps" +description: Learn how to manage cross-project search scope from your project apps using the scope selector, query-level overrides, and space defaults. +--- + +# Managing {{cps}} scope in your project apps [cps-manage-scope] + +When [{{cps}} ({{cps-init}})](/explore-analyze/cross-project-search.md) is enabled and projects are linked, searches initiated from your project's apps run across all linked projects by default. {{kib}} provides several ways to narrow or change this scope: + +* **Space default**: Admins [configure a default scope for each space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope), which applies when you start a new session. +* **Session scope**: Use the [{{cps-init}} scope selector](#cps-in-kibana) in the project's header to change which projects are searched during your session. +* **Query-level override**: Use project routing or qualified index expressions in individual queries to target specific projects. + +## {{cps-cap}} scope selector [cps-in-kibana] + +The **{{cps-cap}} ({{cps-init}}) scope** selector ({icon}`cross_project_search`) in your project's header lets you control which linked projects your searches include. + +With the {{cps-init}} scope selector, you can select: + +* **This project**: Searches only the origin project. +* **All projects**: Searches the origin project and all linked projects. + +:::{tip} +The scope selector also lists the aliases of all [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), which is useful when you need to reference them in queries or index patterns. +::: + +The scope selector is not editable in every app. Some apps display it as **read-only**, meaning the app uses the space default scope but you cannot change it. Other apps show it as **unavailable**, meaning the app searches only the current project. Refer to [{{cps-cap}} availability by app](#cps-availability) for details. + +When you change the scope during a session, your selection is preserved as you navigate between apps. Admins can configure a [default {{cps}} scope for each space](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope), which is used when you start a new session. + +## Override {{cps}} scope at the query level [cps-query-overrides] + +In apps where you write queries, you can define a different {{cps}} scope than the one set in the header's scope selector or the [space-level default](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md#cps-default-search-scope). This is useful when you want a specific query or dashboard panel to search a different set of projects. + +There are two main mechanisms: + +* **[Project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md)**: Use a `project_routing` parameter to limit which projects a query runs against. In {{esql}}, use [`SET project_routing`](/explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-cps) at the beginning of your query. Project routing is evaluated before query execution, so excluded projects are never queried. +* **[Qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions)**: Prefix an index name with a project alias to target a specific project, for example `my_project:logs-*`. Qualified expressions work in index patterns and query source commands. + +For example, to search only a specific linked project from Discover, start your {{esql}} query with: + +```esql +SET project_routing="_alias:my-project"; +FROM logs-* +| LIMIT 100 +``` + +## {{cps-cap}} availability by app [cps-availability] + +Not all apps support {{cps}}. The following table shows which apps support the {{cps-init}} scope selector and query-level overrides. Any app with an ES\|QL editor supports [`SET project_routing`](/explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-cps) and [qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) in `FROM` commands. + +| App | {{cps-init}} scope selector | Query-level overrides | +| --- | --- | --- | +| **Agent Builder** | Not available | ES\|QL | +| **Dashboards** | Editable | Per-panel overrides using ES\|QL visualizations or Maps layer routing. Dashboards can also [store a {{cps}} scope](/explore-analyze/dashboards/using.md#dashboard-cps-scope). | +| **Dev Tools / Console** | Not available | Full {{cps-init}} through raw API requests, including ES\|QL. The [{{product.painless}} execute API](/explore-analyze/cross-project-search.md#cps-painless-scripting) resolves index names differently. | +| **Discover** | Editable | ES\|QL | +| **Lens visualizations** | Editable | ES\|QL visualizations[^cps-badge] | +| **Maps** | Editable | Layer-level [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) for vector layers and joins | +| **{{ml-app}} AIOps Labs** | Editable | Not available | +| **{{ml-app}} {{data-viz}}** | Editable | ES\|QL | +| **{{rules-ui}} and alerts** | Read-only | ES\|QL rules support `SET project_routing`. For non-{{esql}} rules that use index patterns, you can use [qualified index expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions) to scope the rule to specific projects.| +| **Streams** | Not available | ES\|QL | +| **Vega** | Editable | Project routing in Vega specs | + +The header's {{cps-init}} scope selector is not available in other apps, including Transforms, Canvas, and object listing pages. + +[^cps-badge]: When a visualization panel uses a query-level override, it displays a **Custom CPS scope** badge on dashboards to indicate that it uses a different scope than the {{cps-init}} scope selector. + +### {{cps-cap}} availability in Elastic {{observability}} apps [cps-availability-observability] + +{{observability}} apps have limited {{cps-init}} support. The scope selector is not available in {{observability}} apps, and most apps remain scoped to the origin project. The following table shows how each {{observability}} app behaves with {{cps-init}}: + +::::{include} /solutions/_snippets/cps-obs-compatibility.md +:::: + +For specific app details, refer to [{{cps-cap}} in {{observability}}](/solutions/observability/cross-project-search.md). + +### {{cps-cap}} availability in {{elastic-sec}} apps [cps-availability-security] + +:::{include} /explore-analyze/cross-project-search/_snippets/cps-availability-security-apps.md +::: + +## Related pages + +* [{{cps-cap}} overview](/explore-analyze/cross-project-search.md) +* [Project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) +* [How search works in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-search.md) +* [Configure {{cps}} access and scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md) +* [ES\|QL in {{kib}}](/explore-analyze/query-filter/languages/esql-kibana.md) +* [Query across Serverless projects with ES\|QL](elasticsearch://reference/query-languages/esql/esql-cross-serverless-projects.md) diff --git a/explore-analyze/cross-project-search/cross-project-search-project-routing.md b/explore-analyze/cross-project-search/cross-project-search-project-routing.md index 3c81fcb585..b594120e35 100644 --- a/explore-analyze/cross-project-search/cross-project-search-project-routing.md +++ b/explore-analyze/cross-project-search/cross-project-search-project-routing.md @@ -8,12 +8,12 @@ description: Learn how to use project routing to limit cross-project search (CPS navigation_title: "Project routing" --- -# Using project routing to limit search scope [cps-project-routing] +# Using project routing to limit {{cps}} scope [cps-project-routing] Project routing enables you to limit a search to a subset of projects, including the origin project and linked projects, based on tag values. When you use project routing, the routing decision is made before the search request is performed. -Based on the specified tags, {{cps-init}} determines which projects the query is sent to, and the search is performed only on those projects. +Based on the specified tags, {{cps}} determines which projects the query is sent to, and the search is performed only on those projects. For an overview of {{cps}} concepts, refer to [{{cps-cap}}](/explore-analyze/cross-project-search.md). For details on available tags, refer to [Tags in {{cps-init}}](/explore-analyze/cross-project-search/cross-project-search-tags.md). @@ -44,11 +44,7 @@ GET logs/_search ``` --> -Refer to [the examples section](/explore-analyze/cross-project-search.md#cps-examples) for more. - - +Refer to [the examples section](/explore-analyze/cross-project-search.md#cps-examples) for more. You can also refer to [Query across Serverless projects with ES|QL](elasticsearch://reference/query-languages/esql/esql-cross-serverless-projects.md) for more ES|QL examples. ## Using named project routing expressions [named-routing-expressions] diff --git a/explore-analyze/cross-project-search/cross-project-search-search.md b/explore-analyze/cross-project-search/cross-project-search-search.md index 1a838fe56d..9e88ab58f3 100644 --- a/explore-analyze/cross-project-search/cross-project-search-search.md +++ b/explore-analyze/cross-project-search/cross-project-search-search.md @@ -57,7 +57,7 @@ You can use qualified search expressions and project routing expressions togethe ### `ignore_unavailable` and `allow_no_indices` The distinction between qualified and unqualified search expressions affects how the `ignore_unavailable` and `allow_no_indices` search options are applied in {{cps}}. -When you use an **unqualified** expression, index resolution is performed against the merged project view. In this case, search options are evaluated based on whether the target resources exist in any of the searched projects, not only in the origin project. +When you use an **unqualified** expression, index resolution is performed against all searchable resources across the searched projects. Search options are evaluated based on whether the target resources exist in any of those projects, not only in the origin project. Project routing expressions do not affect the behavior of the `ignore_unavailable` or `allow_no_indices` settings. diff --git a/explore-analyze/cross-project-search/cross-project-search-tags.md b/explore-analyze/cross-project-search/cross-project-search-tags.md index 61102a9a86..38bb4c0dec 100644 --- a/explore-analyze/cross-project-search/cross-project-search-tags.md +++ b/explore-analyze/cross-project-search/cross-project-search-tags.md @@ -8,7 +8,7 @@ description: Learn about project tags in cross-project search (CPS), including p navigation_title: "Tags" --- -# Using tags to control search [cps-tags] +# Using tags to control {{cps}} [cps-tags] You can assign [tags](/deploy-manage/deploy/elastic-cloud/project-settings.md#project-tags) to projects and use them to control {{cps}} behavior. @@ -102,6 +102,5 @@ For example, the following ES|QL query counts documents per project alias: ```console FROM logs* METADATA _project._alias | STATS COUNT(*) by _project._alias ``` - + +You can also refer to [Query across Serverless projects with ES|QL](elasticsearch://reference/query-languages/esql/esql-cross-serverless-projects.md) for more ES|QL examples. diff --git a/explore-analyze/dashboards/create-dashboard.md b/explore-analyze/dashboards/create-dashboard.md index df215dfc7c..c72cd61078 100644 --- a/explore-analyze/dashboards/create-dashboard.md +++ b/explore-analyze/dashboards/create-dashboard.md @@ -50,24 +50,30 @@ Before creating a dashboard, ensure you have: * **Sync color palettes across panels** — Applies the same color palette to all panels on the dashboard. * **Sync cursor across panels** — When you hover your cursor over a time series chart or a heatmap, the cursor on all other related dashboard charts automatically appears. * **Sync tooltips across panels** — When you hover your cursor over a **Lens** chart, the tooltips on all other related dashboard charts automatically appear. + * {applies_to}`serverless: preview` {applies_to}`stack: unavailable` **Store CPS scope with dashboard** — Saves the current [{{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) with the dashboard so it restores automatically when anyone opens it. 3. Click **Apply**. -6. Save the dashboard. +6. Save the dashboard. When saving, you can configure the following options: - {applies_to}`serverless:` {applies_to}`stack: ga 9.3+` When you save the dashboard for the first time, you can manage dashboard permissions. + - **Title** and **Description**: Give the dashboard a meaningful name and description so you and others can find it later. + - **Tags**: Add [tags](../find-and-organize/tags.md) to organize and categorize the dashboard. + - **Store time with dashboard**: Saves the current time filter with the dashboard. + - {applies_to}`serverless: preview` {applies_to}`stack: unavailable` **Store CPS scope with dashboard**: Saves the current [{{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) with the dashboard so it restores automatically when opened. When this option is not active, the dashboard opens with the {{cps-init}} scope currently active for the session. + - {applies_to}`serverless:` {applies_to}`stack: ga 9.3+` **Permissions**: Control who can access the dashboard. You can share with one of the following permissions: + - **Can edit**: Everybody in the space can edit, delete, and fully manage the dashboard. + - **Can view**: Everybody in the space can view the dashboard, but cannot edit or delete it. + + :::{include} ../_snippets/dashboard-ownership.md + ::: :::{image} /explore-analyze/images/save-as-new-dashboard.png :screenshot: :width: 400px ::: - When you create a dashboard, you become its owner and control who can access it. You can share your dashboard with one of the following permissions: - - **Can edit**: Everybody in the space can edit, delete, and fully manage the dashboard. - - **Can view**: Everybody in the space can view the dashboard, but cannot edit or delete it. They can duplicate it. This read-only setting can be changed at any time by the dashboard owner or a {{kib}} administrator. - :::{include} ../_snippets/dashboard-ownership.md - ::: + diff --git a/explore-analyze/dashboards/using.md b/explore-analyze/dashboards/using.md index 33735c0379..86aa913439 100644 --- a/explore-analyze/dashboards/using.md +++ b/explore-analyze/dashboards/using.md @@ -242,6 +242,19 @@ When viewing a dashboard with read-only permissions, certain visualization panel 3. Select **Cancel** to exit the **Configuration** flyout. +### View data from multiple projects [dashboard-cps-scope] +```{applies_to} +serverless: preview +stack: unavailable +``` + +A dashboard can display data from multiple {{serverless-short}} projects when [{{cps}}](/explore-analyze/cross-project-search.md) is enabled. To check and control which projects are queried, use the [{{cps-init}} scope selector](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) in the header. You can change this scope at any time during your session, and all panels update accordingly. + +Sometimes, the scope behaves differently: + +* **The dashboard restores a saved scope on open.** Some dashboards are configured to [store a {{cps}} scope](/explore-analyze/dashboards/create-dashboard.md). When you open them, the {{cps-init}} scope selector is set to the stored scope. You can still change it during your session. +* **A panel has a Custom CPS scope badge.** This means the panel uses [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) to query a fixed set of projects. It is not affected when you change the dashboard's scope. Select the badge to view which projects the panel queries. + ## Full screen mode and maximized panel views [_full_screen_mode_and_maximized_panel_views] diff --git a/explore-analyze/find-and-organize/data-views.md b/explore-analyze/find-and-organize/data-views.md index d9164a66be..2ee098a29d 100644 --- a/explore-analyze/find-and-organize/data-views.md +++ b/explore-analyze/find-and-organize/data-views.md @@ -149,7 +149,21 @@ cluster_*:logstash-*,-cluster_one:* Once you configure a {{data-source}} to use the {{ccs}} syntax, all searches and aggregations using that {{data-source}} in {{kib}} take advantage of {{ccs}}. -For more information, refer to [Excluding clusters or indicies from cross-cluster search](../../explore-analyze/cross-cluster-search.md#exclude-problematic-clusters). +For more information, refer to [Excluding clusters or indices from cross-cluster search](../../explore-analyze/cross-cluster-search.md#exclude-problematic-clusters). + + +### Use {{data-sources}} with {{cps}} [management-cross-project-search] +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), the {{data-source}} creation form previews matching indices from linked projects based on the current [{{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana). The {{data-source}} itself does not store the scope. When you query the {{data-source}}, results come from whichever linked projects the active {{cps}} scope includes at that time. + +To restrict a {{data-source}} to specific projects regardless of the active scope, you can: + +* **Use [qualified expressions](/explore-analyze/cross-project-search/cross-project-search-search.md#search-expressions)** in the index pattern to target specific projects, for example `project_alpha:logs-*,project_beta:logs-*`. To search only the origin project, use `_origin:logs-*`. +* **Use [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md)** in your queries to narrow scope at query time. ## Delete a {{data-source}} [delete-data-view] diff --git a/explore-analyze/images/save-as-new-dashboard.png b/explore-analyze/images/save-as-new-dashboard.png index 552b784cc9..23b8655682 100644 Binary files a/explore-analyze/images/save-as-new-dashboard.png and b/explore-analyze/images/save-as-new-dashboard.png differ diff --git a/explore-analyze/query-filter/languages/esql-kibana.md b/explore-analyze/query-filter/languages/esql-kibana.md index 2ab012d44f..54f97bc76a 100644 --- a/explore-analyze/query-filter/languages/esql-kibana.md +++ b/explore-analyze/query-filter/languages/esql-kibana.md @@ -255,6 +255,29 @@ From the **Recent** tab, you can star any queries you want. In the **Starred** tab, find all the queries you have previously starred. +## Search across projects with `SET project_routing` [esql-kibana-cps] +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), you can add [`SET project_routing`](elasticsearch://reference/query-languages/esql/commands/set.md) at the beginning of your {{esql}} query to [override the {{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) and target specific projects: + +```esql +SET project_routing = "_alias:my_other_project"; +FROM logs-* +| WHERE log.level == "error" +| STATS count = COUNT(*) BY service.name +``` + +The editor autocompletes two built-in values when you type `SET project_routing`: + +- `_alias:_origin` — Search only the current (origin) project. +- `_alias:*` — Search all linked projects. + +You can use any valid [project routing expression](/explore-analyze/cross-project-search/cross-project-search-project-routing.md), including tag-based and named expressions. For more details on query-level overrides, refer to [Managing {{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-query-overrides). + + ## Related pages - [{{esql}} reference](elasticsearch://reference/query-languages/esql/esql-syntax-reference.md): Complete list of commands, functions, and operators. diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 31c9626fac..62b24c2c95 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -183,12 +183,14 @@ toc: - file: cross-cluster-search.md children: - file: cross-cluster-search/using-resolve-cluster-endpoint-before-cross-cluster-search.md - - hidden: cross-project-search.md + - file: cross-project-search.md children: - - hidden: cross-project-search/cross-project-search-link-projects.md - - hidden: cross-project-search/cross-project-search-search.md - - hidden: cross-project-search/cross-project-search-tags.md - - hidden: cross-project-search/cross-project-search-project-routing.md + - file: cross-project-search/cross-project-search-search.md + - file: cross-project-search/cross-project-search-tags.md + - file: cross-project-search/cross-project-search-project-routing.md + - file: cross-project-search/cross-project-search-manage-scope.md + - title: "CPS in ES|QL" + crosslink: elasticsearch://reference/query-languages/esql/esql-cross-serverless-projects.md - file: ai-features.md children: - file: ai-features/elastic-agent-builder.md diff --git a/explore-analyze/visualize/esorql.md b/explore-analyze/visualize/esorql.md index af3874c1d4..62b2a55e3b 100644 --- a/explore-analyze/visualize/esorql.md +++ b/explore-analyze/visualize/esorql.md @@ -76,6 +76,16 @@ The chart configuration resets or follows automatic suggestions when: - {applies_to}`stack: ga 9.2+` You create a new chart and haven't edited the visualization's options yet. - The query changes significantly and no longer returns compatible columns. +### Query data from multiple projects [esql-viz-cps] +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), your {{esql}} visualization queries data based on the current [{{cps}} scope](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana). + +To target specific projects from within the query, add [`SET project_routing`](elasticsearch://reference/query-languages/esql/commands/set.md) at the beginning of your {{esql}} query. When you do this, the visualization panel displays a **Custom CPS scope** badge on the dashboard, indicating that it uses a different scope than the {{cps-init}} scope selector. Refer to [View data from multiple projects](/explore-analyze/dashboards/using.md#dashboard-cps-scope) for details. + ## Create an alert from your {{esql}} visualization ```{applies_to} stack: ga 9.1 diff --git a/explore-analyze/visualize/maps.md b/explore-analyze/visualize/maps.md index 0790bb0c7a..69fcfb96e5 100644 --- a/explore-analyze/visualize/maps.md +++ b/explore-analyze/visualize/maps.md @@ -74,3 +74,13 @@ Customize each layer to highlight meaningful dimensions in your data. For exampl Search across the layers in your map to focus on just the data you want. Combine free text search with field-based search using the [{{kib}} Query Language](../../explore-analyze/query-filter/languages/kql.md). Set the time filter to restrict layers by time. Draw a polygon on the map or use the shape from features to create spatial filters. Filter individual layers to compares facets. Check out [Search geographic data](../../explore-analyze/visualize/maps/maps-search.md). + +### Search across linked projects [maps-cps] +```{applies_to} +serverless: preview +stack: unavailable +``` + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), use the [{{cps-init}} scope selector](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-in-kibana) to control which projects your map queries. All {{es}}-backed layers, including [vector layers](/explore-analyze/visualize/maps/vector-layer.md), joins, and [heat map layers](/explore-analyze/visualize/maps/heatmap-layer.md), pull data from linked projects based on the current {{cps}} scope. When you change the scope, these layers update to reflect the new set of projects. + +ES|QL layers additionally support query-level overrides using [`SET project_routing`](/explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-cps). When you embed a map in a dashboard and a layer uses a [project routing](/explore-analyze/cross-project-search/cross-project-search-project-routing.md) override, the map panel displays a **Custom CPS scope** badge. Refer to [View data from multiple projects](/explore-analyze/dashboards/using.md#dashboard-cps-scope) for details. diff --git a/redirects.yml b/redirects.yml index a19f5c5277..616d52651e 100644 --- a/redirects.yml +++ b/redirects.yml @@ -843,6 +843,9 @@ redirects: # Renamed for SEO - URL now matches page title 'solutions/security/detect-and-alert/requirements-privileges.md': 'solutions/security/detect-and-alert/turn-on-detections.md' +# Related to https://github.com/elastic/docs-content/pull/5245 + 'explore-analyze/cross-project-search/cross-project-search-link-projects.md': 'deploy-manage/cross-project-search-config/cps-config-link-and-manage.md' + # No more elasticsearch solution add-ons 'solutions/elasticsearch-solution-project/es-serverless-add-ons.md': 'solutions/elasticsearch-solution-project.md' diff --git a/reference/glossary/index.md b/reference/glossary/index.md index 3397d564e4..c501f6161e 100644 --- a/reference/glossary/index.md +++ b/reference/glossary/index.md @@ -162,6 +162,9 @@ $$$glossary-ccr$$$ {{ccr}} (CCR) $$$glossary-ccs$$$ {{ccs}} (CCS) : Searches [data streams](/reference/glossary/index.md#glossary-data-stream) and [indices](/reference/glossary/index.md#glossary-index) on [remote clusters](/reference/glossary/index.md#glossary-remote-cluster) from a [local cluster](/reference/glossary/index.md#glossary-local-cluster). See [Search across clusters](/explore-analyze/cross-cluster-search.md). +$$$glossary-cps$$$ {{cps}} ({{cps-init}}) {applies_to}`serverless: preview` +: Searches across multiple {{serverless-full}} [linked projects](/reference/glossary/index.md#glossary-linked-project) from a single [origin project](/reference/glossary/index.md#glossary-origin-project). See [{{cps-cap}}](/explore-analyze/cross-project-search.md). + $$$CRD$$$CRD : [Custom resource definition](https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-CustomResourceDefinition). {{eck}} extends the Kubernetes API with CRDs to allow users to deploy and manage Elasticsearch, Kibana, APM Server, Enterprise Search, Beats, Elastic Agent, Elastic Maps Server, and Logstash resources just as they would do with built-in Kubernetes resources. @@ -494,7 +497,10 @@ $$$glossary-leader-index$$$ leader index : Source [index](/reference/glossary/index.md#glossary-index) for [{{ccr}}](/reference/glossary/index.md#glossary-ccr). A leader index exists on a [remote cluster](/reference/glossary/index.md#glossary-remote-cluster) and is replicated to [follower indices](/reference/glossary/index.md#glossary-follower-index). See [{{ccr-cap}}](/deploy-manage/tools/cross-cluster-replication.md). $$$glossary-lens$$$ Lens -: Enables you to build visualizations by dragging and dropping data fields. Lens makes makes smart visualization suggestions for your data, allowing you to switch between visualization types. See [Lens](/explore-analyze/dashboards.md). +: Enables you to build visualizations by dragging and dropping data fields. Lens makes smart visualization suggestions for your data, allowing you to switch between visualization types. See [Lens](/explore-analyze/dashboards.md). + +$$$glossary-linked-project$$$ linked project +: An {{serverless-full}} project that is linked to an [origin project](/reference/glossary/index.md#glossary-origin-project). Data in the linked project becomes searchable from the origin project. See [{{cps-cap}}](/explore-analyze/cross-project-search.md). $$$glossary-local-cluster$$$ local cluster : [Cluster](/reference/glossary/index.md#glossary-cluster) that pulls data from a [remote cluster](/reference/glossary/index.md#glossary-remote-cluster) in [{{ccs}}](/reference/glossary/index.md#glossary-ccs) or [{{ccr}}](/reference/glossary/index.md#glossary-ccr). See [Remote clusters](/deploy-manage/remote-clusters/remote-clusters-self-managed.md). @@ -568,6 +574,9 @@ $$$OpenShift$$$OpenShift $$$Operator$$$operator : A design pattern in Kubernetes for [managing custom resources](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/). {{eck}} implements the operator pattern to manage Elasticsearch, Kibana and APM Server resources on Kubernetes. +$$$glossary-origin-project$$$ origin project +: In a {{cps}}, the base {{serverless-full}} project where you link projects and run searches. See [{{cps-cap}}](/explore-analyze/cross-project-search.md). + $$$glossary-output-plugin$$$ output plugin : A {{ls}} [plugin](/reference/glossary/index.md#glossary-plugin) that writes [event](/reference/glossary/index.md#glossary-event) data to a specific destination. Outputs are the final stage in the event [pipeline](/reference/glossary/index.md#glossary-pipeline). Popular output plugins include elasticsearch, file, graphite, and statsd. @@ -598,6 +607,9 @@ $$$glossary-plugin$$$ plugin $$$glossary-primary-shard$$$ primary shard : Lucene instance containing some or all data for an [index](/reference/glossary/index.md#glossary-index). When you index a [document](/reference/glossary/index.md#glossary-document), {{es}} adds the document to primary shards before [replica shards](/reference/glossary/index.md#glossary-replica-shard). See [Clusters, nodes, and shards](/deploy-manage/production-guidance/elasticsearch-in-production-environments.md). +$$$glossary-project-tag$$$ project tag +: A key-value pair that you use as metadata for an {{serverless-full}} project. You can use project tags to categorize and organize projects, and to filter lists of projects. If [{{cps}}](/reference/glossary/index.md#glossary-cps) is enabled, you can also use project tags to [route searches to specific projects](/explore-analyze/cross-project-search/cross-project-search-tags.md). See [Project tags](/deploy-manage/deploy/elastic-cloud/project-settings.md#project-tags). _For tags on {{kib}} saved objects, see [tag](/reference/glossary/index.md#glossary-tag)._ + $$$glossary-proxy$$$ proxy : A highly available, TLS-enabled proxy layer that routes user requests, mapping cluster IDs that are passed in request URLs for the container to the cluster nodes handling the user requests. @@ -748,7 +760,7 @@ $$$glossary-system-index$$$ system index ## T [t-glos] $$$glossary-tag$$$ tag -: A keyword or label that you assign to {{kib}} saved objects, such as dashboards and visualizations, so you can classify them in a way that is meaningful to you. Tags makes it easier for you to manage your content. See [Tags](/explore-analyze/find-and-organize/tags.md). +: A keyword or label that you assign to {{kib}} saved objects, such as dashboards and visualizations, so you can classify them in a way that is meaningful to you. Tags makes it easier for you to manage your content. See [Tags](/explore-analyze/find-and-organize/tags.md). _For metadata on {{ecloud}} projects, see [project tag](/reference/glossary/index.md#glossary-project-tag)._ $$$glossary-term-join$$$ term join : A shared key that combines vector features with the results of an {{es}} terms aggregation. Term joins augment vector features with properties for data-driven styling and rich tooltip content in maps. diff --git a/solutions/_snippets/cps-obs-compatibility.md b/solutions/_snippets/cps-obs-compatibility.md new file mode 100644 index 0000000000..89ffc9e76b --- /dev/null +++ b/solutions/_snippets/cps-obs-compatibility.md @@ -0,0 +1,10 @@ +| {{observability}} app | {{cps-init}} availability | +| --- | --- | +| **APM** (Service Inventory, Traces, Dependencies) | Available (scope selector available) | +| **Infrastructure** (Inventory, Hosts) | Available (scope selector available) | +| **Observability Overview** (Hosts, Log Events, Service Inventory) | Not available | +| **Observability AI Assistant** | Not available | +| **SLOs** | Not available | +| **Rules** (Custom Threshold, SLO Burn Rate) | Read-only | +| **Synthetics** (monitors, TLS Certificates) | Not available | +| **Streams** | Not available | \ No newline at end of file diff --git a/solutions/_snippets/cps-sec-obs-rules.md b/solutions/_snippets/cps-sec-obs-rules.md new file mode 100644 index 0000000000..1f58c7cb6d --- /dev/null +++ b/solutions/_snippets/cps-sec-obs-rules.md @@ -0,0 +1,10 @@ + +When [{{cps}}](/explore-analyze/cross-project-search.md) is enabled and you have [linked projects](/deploy-manage/cross-project-search-config/cps-config-link-and-manage.md), rules query data across linked projects based on the **space-level {{cps}} scope**. + +For how {{cps}} applies when you create or edit rules (space-level scope, the read-only scope selector, and query-level overrides) refer to [{{cps-cap}} availability by app](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-availability). + +For prerequisites such as linking projects and configuring default scope, refer to [{{cps-cap}}](/explore-analyze/cross-project-search.md) and [Configure {{cps}} access and scope](/deploy-manage/cross-project-search-config/cps-config-access-and-scope.md). + +:::{note} +{{ml-cap}} rules don't support {{cps}}; they search data in the origin project only. Other features also have limited or no {{cps}} support. For details, refer to [{{cps-cap}} availability by app](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md#cps-availability). +::: diff --git a/solutions/observability/cross-project-search.md b/solutions/observability/cross-project-search.md new file mode 100644 index 0000000000..1ad0e2996f --- /dev/null +++ b/solutions/observability/cross-project-search.md @@ -0,0 +1,83 @@ +--- +applies_to: + stack: unavailable + serverless: preview +products: + - id: observability +navigation_title: "Cross-project search" +description: Learn how cross-project search (CPS) works in Elastic Observability, including app compatibility, scope selector behavior, and known limitations. +--- + +# {{cps-cap}} in {{observability}} [obs-cross-project-search] + +[{{cps-cap}} ({{cps-init}})](/explore-analyze/cross-project-search.md) lets you run a single search request across multiple {{serverless-short}} projects. When your observability data is split across projects to organize ownership, use cases, or environments, {{cps}} lets you query all that data from a single origin project without searching each project individually. + +When projects are linked, platform apps like Discover and Dashboards automatically include data from all linked projects. {{observability}} apps have varying levels of {{cps-init}} support. Some apps show cross-project data automatically; others remain scoped to the origin project. {{cps-cap}} is unavailable for Logs Essentials projects. + +For full details on {{cps-init}} concepts, configuration, and search syntax, refer to: + +* [{{cps-cap}} overview](/explore-analyze/cross-project-search.md) +* [Configure {{cps}}](/deploy-manage/cross-project-search-config.md) +* [Manage {{cps}} scope in your project apps](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md) + +## {{observability}} app compatibility [obs-cps-compatibility] + +The following table shows how each {{observability}} app behaves with {{cps-init}} at technical preview. + +::::{include} /solutions/_snippets/cps-obs-compatibility.md +:::: + + +## {{cps-cap}} scope selector in {{observability}} apps [obs-cps-scope-selector] + +The **{{cps-init}} scope** selector ({icon}`cross_project_search`) in the project header lets you search **This project** or **All projects**. It is available in platform apps like Discover, Dashboards, and Lens, as well as in APM and Infrastructure apps. + +For other {{observability}}-specific apps, the scope selector is not available. This means: + +* Those apps operate in their default scope, which varies by app (refer to [{{observability}} app compatibility](#obs-cps-compatibility)). +* The scope you select in platform apps like Discover does not carry over to {{observability}} apps that don't support it. +* Data volumes might change when switching between Discover (which shows cross-project data by default) and an {{observability}} app (which is scoped to the origin project) for the same index pattern. + +For apps where the scope selector is available, refer to [Managing {{cps}} scope in your project apps](/explore-analyze/cross-project-search/cross-project-search-manage-scope.md). + +## Navigating between Discover and {{observability}} apps [obs-cps-discover-navigation] + +When {{cps-init}} is enabled, Discover shows documents from all linked projects by default, unless the space-level default scope has been changed. {{observability}} apps may not have the same scope, which can lead to differences when navigating between them. + +### Discover to Streams + +Streams remains scoped to the origin project only and does not support {{cps-init}}. If you open a stream from Discover and the document is from a linked project, {{observability}} shows a warning that the stream is remote. The Streams UI then shows origin project data only, so counts can differ from Discover. + +## Identifying the location of a document [obs-cps-identify-documents] + +To determine whether a document comes from the origin project or a linked project, refer to [Identifying the location of a document](/explore-analyze/cross-project-search.md#cps-identify-documents). + +## Known issues and limitations [obs-cps-known-issues] + +The following known issues and limitations apply to {{cps-init}} in {{observability}} apps. For an overview of {{observability}} app compatibility, refer to [{{observability}} app compatibility](#obs-cps-compatibility). + +### Rules data scope inconsistency [obs-cps-rules-scope] + +SLO burn rate rules query only origin project data, even when the underlying data view (for example, `logs-*`) returns cross-project data in Discover. This means Discover and rules may show different results for the same data view. + +{{ml-cap}} rules are not available in {{cps-init}}. + +### SLO visibility [obs-cps-slo-remote] + +Only origin SLOs are visible, even when connected to a linked project. + +Tracking: [kibana#252955](https://github.com/elastic/kibana/issues/252955) + +### No default data views in origin projects [obs-cps-no-data-views] + +In a {{cps-init}} origin project, Discover may show no data even when linked projects contain data due to missing data views in the origin project. + +Tracking: [kibana#260930](https://github.com/elastic/kibana/issues/260930) + +### Alerts are origin only [obs-cps-overview-alerts] + +**Alerts** are from the origin project only, even when rules are configured to act on cross-project data. + +### Synthetics is not available in {{cps-init}} [obs-cps-synthetics] + +Synthetics monitors and TLS certificates are bound to saved objects and remain scoped to the origin project. Monitors from linked projects do not appear in the Synthetics UI of the origin project. \ No newline at end of file diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index d104908164..8a29fed681 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md @@ -132,4 +132,14 @@ You can modify the criteria for changing an alert's status to [flapping state](v {applies_to}`stack: ga 9.3+` You can modify the flapping settings for a specific rule while creating or editing it. You can also modify the flapping settings for all rules in your {{kib}} space or {{serverless-short}} project. To do this, go to the **Rules** page (find the **Rules** management page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)), click **Settings**, then go to the **Alert flapping detection** settings. -{applies_to}`stack: ga 9.0-9.2` You can only modify global flapping settings for your entire {{kib}} space or {{serverless-short}} project. \ No newline at end of file +{applies_to}`stack: ga 9.0-9.2` You can only modify global flapping settings for your entire {{kib}} space or {{serverless-short}} project. + +## {{cps-cap}} scope for rules [observability-cps-scope-for-rules] + +```{applies_to} +serverless: preview +stack: unavailable +``` + +:::{include} /solutions/_snippets/cps-sec-obs-rules.md +::: \ No newline at end of file diff --git a/solutions/security/detect-and-alert/advanced-data-source-configuration.md b/solutions/security/detect-and-alert/advanced-data-source-configuration.md index 08a0ed2f72..3e96f2ccf3 100644 --- a/solutions/security/detect-and-alert/advanced-data-source-configuration.md +++ b/solutions/security/detect-and-alert/advanced-data-source-configuration.md @@ -18,5 +18,8 @@ Most users don't need these pages during initial setup. Review them if any of th **[{{ccs-cap}} and detection rules](/solutions/security/detect-and-alert/cross-cluster-search-detection-rules.md)** : Relevant if your data is spread across multiple {{es}} clusters and you need detection rules on one cluster to query indices on another. Covers establishing trust between clusters, remote cluster connections, and how to reference remote indices in rule index patterns. {{stack}} only. +**[{{cps-cap}} and detection rules](/solutions/security/detect-and-alert/cross-project-search-detection-rules.md)** +: Relevant if you use {{cps}} to query data across linked {{serverless-short}} projects. Explains how detection rules use the space-level {{cps}} scope and how to use project routing to target specific projects. {{serverless-short}} only. + **[Using logsdb index mode with {{elastic-sec}}](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md)** : Relevant if your indices use logsdb index mode (enabled by default in {{serverless-short}}). Explains how synthetic `_source` reconstruction can affect field formatting in alerts and rule queries, and what to watch for when writing rules against logsdb-backed indices. diff --git a/solutions/security/detect-and-alert/cross-project-search-detection-rules.md b/solutions/security/detect-and-alert/cross-project-search-detection-rules.md new file mode 100644 index 0000000000..014e768383 --- /dev/null +++ b/solutions/security/detect-and-alert/cross-project-search-detection-rules.md @@ -0,0 +1,13 @@ +--- +applies_to: + serverless: preview + stack: unavailable +products: + - id: security +description: Learn how detection rules work with cross-project search to query data across linked projects. +--- + +# {{cps-cap}} and detection rules [sec-rules-cross-project-search] + +:::{include} /solutions/_snippets/cps-sec-obs-rules.md +::: \ No newline at end of file diff --git a/solutions/toc.yml b/solutions/toc.yml index 0d039527bd..77ba896b66 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -527,6 +527,7 @@ toc: - file: observability/ai/observability-ai-assistant.md - file: observability/ai/agent-builder-observability.md - file: observability/ai/llm-performance-matrix.md + - file: observability/cross-project-search.md - file: observability/observability-serverless-feature-tiers.md - file: observability/apis.md - file: security.md @@ -586,6 +587,7 @@ toc: - file: security/detect-and-alert/advanced-data-source-configuration.md children: - file: security/detect-and-alert/cross-cluster-search-detection-rules.md + - file: security/detect-and-alert/cross-project-search-detection-rules.md - file: security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md - file: security/detect-and-alert/mitre-attack-coverage.md - file: security/detect-and-alert/prebuilt-rules.md