Latest in branch 7.11: 7.11.2, released 10 Mar 2021 (5 years ago)

Software: Elasticsearch
Version: 7.11
Status: End of life
Initial release: 7.11.0, 10 Feb 2021 (5 years ago)
Latest release: 7.11.2, 10 Mar 2021 (5 years ago)
End of life: 15 Jan 2026 (ended 4 months ago)
Release notes: https://www.elastic.co/guide/en/elasticsearch/reference/7.11/es-release-notes.html
Source code: https://github.com/elastic/elasticsearch/tree/7.11
Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.11/
Download: https://www.elastic.co/downloads/elasticsearch

What Is New in Elasticsearch 7.11

This release packs a solid set of enhancements focused on search, security, and data management. Here's a quick summary of the key changes.

Category | Key Updates
New Features | Searchable Snapshot GA, Frozen Tier GA, EQL Sequences
Enhancements | Data Streams improvements, Geoshape query performance
Security | FIPS 140-2 readiness, Service Account tokens
Deprecations | Deprecation of node-level cache clear API

How does searchable snapshot change cold storage?

Searchable Snapshots graduate to general availability, fundamentally changing how we handle cold data. This feature allows you to mount a snapshot as a searchable index directly from a repository like S3, eliminating the need to restore data to hot storage first.

In practice, this means your coldest data can remain on cheap object storage yet still be queried on demand. The trade-off is latency, because queries fetch the data they need from the remote store, but the cost savings for archival data are massive. This is a cornerstone feature for implementing cost-effective hot-warm-cold architectures.

What's the deal with the new frozen tier?

The frozen tier is now generally available, designed to work hand-in-hand with searchable snapshots. It's a dedicated tier for hosting these mounted, searchable indices, helping you manage resource allocation for this specific use case.

Nodes can be assigned the frozen role, and the allocator automatically places searchable snapshot indices there. This matters because it isolates the potentially higher latency queries on cold data from your hot tier's performance-sensitive workloads. You can scale this tier independently with cheaper hardware.

Can I do more complex event correlation now?

Yes, Event Query Language (EQL) gets a major boost with sequence queries. EQL sequences allow you to find a series of related events within your data that occur in a specific order over time.

This is huge for security and operational analytics use cases. Instead of just finding single events, you can now craft queries to detect multi-step patterns, like a user logging in followed by a specific command execution. It adds a powerful new dimension for hunting sophisticated threats or analyzing process flows.
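
The login-then-command pattern described above, as an added example that is not part of the original page or of Elasticsearch itself: a simplified Python model of what a two-stage EQL sequence does (ordered stages, a shared join key, a maximum time span). The event field names, the sample events, the `find_sequences` helper and the query in the comment are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Illustrative EQL sequence that this code models (an assumption, not from the page):
#   sequence by user.name with maxspan=5m
#     [authentication where event.outcome == "success"]
#     [process where process.name == "whoami"]

# Constructed sample events, not taken from any real log source.
EVENTS = [
    {"@timestamp": "2021-02-10T09:00:00", "category": "authentication", "user": "alice", "outcome": "success"},
    {"@timestamp": "2021-02-10T09:02:30", "category": "process", "user": "alice", "process": "whoami"},
    {"@timestamp": "2021-02-10T09:03:00", "category": "process", "user": "bob", "process": "whoami"},    # no login
    {"@timestamp": "2021-02-10T10:00:00", "category": "authentication", "user": "carol", "outcome": "success"},
    {"@timestamp": "2021-02-10T10:09:00", "category": "process", "user": "carol", "process": "whoami"},  # > 5 minutes
    {"@timestamp": "2021-02-10T11:00:00", "category": "authentication", "user": "dave", "outcome": "failure"},
    {"@timestamp": "2021-02-10T11:01:00", "category": "process", "user": "dave", "process": "whoami"},   # failed login
]

# One predicate per stage, in the order the events must occur.
STAGES = [
    lambda e: e["category"] == "authentication" and e.get("outcome") == "success",
    lambda e: e["category"] == "process" and e.get("process") == "whoami",
]

def find_sequences(events, stages, join_key, maxspan):
    """Return event lists that match every stage in order for one join_key value within maxspan."""
    partial = {}   # join value -> events matched so far (one in-flight sequence per value)
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = ev[join_key]
        seq = partial.get(key)
        # Expire an in-flight sequence whose first event is older than maxspan.
        if seq and ts - datetime.fromisoformat(seq[0]["@timestamp"]) > maxspan:
            partial.pop(key)
            seq = None
        if stages[0](ev):
            partial[key] = [ev]              # a newer first-stage event restarts the sequence
        elif seq and stages[len(seq)](ev):
            seq = seq + [ev]
            if len(seq) == len(stages):
                matches.append(seq)          # all stages seen in order: report the sequence
                partial.pop(key)
            else:
                partial[key] = seq
    return matches
```

Calling `find_sequences(EVENTS, STAGES, "user", timedelta(minutes=5))` reports only alice's login-then-`whoami` pair; a single-event query on `whoami` alone would also have flagged bob, carol and dave.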

Are there any performance wins for geo queries?

Geo-shape queries see significant performance improvements, especially for complex shapes with many points. The underlying Lucene upgrade introduces a new data structure that speeds up spatial relationship checks.

You'll likely notice the biggest gains when using geoshapes in filters or running queries on large indices. This makes using complex geofences or spatial filters in applications much more efficient without requiring any changes to your queries.

How is security hardening addressed?

This release enhances FIPS 140-2 compliance, making it easier to run Elasticsearch in strictly regulated federal environments. The keystore now uses a FIPS-validated cryptographic module, and several internal communications are hardened.

Service account tokens are also introduced, providing a more secure and manageable way for Kibana features and other applications to authenticate with Elasticsearch. These tokens are not tied to a user's password and can be invalidated independently, improving security hygiene for automated processes.

What's improved for managing data streams?

Data streams, the modern way to manage time-series data, get several refinements. The rollover process is now more robust, and there's better handling of hidden indices within a stream to prevent accidental mishaps.

For developers, the _data_stream API provides a clearer way to manage streams. These tweaks solidify data streams as the recommended pattern for logs, metrics, and other append-only data, making lifecycle management smoother and less error-prone.

FAQ

Is the searchable snapshot feature production-ready?
Yes, with its graduation to General Availability in 7.11, searchable snapshots are considered production-ready. However, understand the latency trade-off versus local storage and plan your frozen tier capacity accordingly.

Do I need to use the frozen tier to use searchable snapshots?
Technically, no. You can mount a searchable snapshot on any node. But using the dedicated frozen tier is strongly recommended as it helps isolate performance impact and manage resources specifically for this type of workload.

What is the main use case for EQL sequences?
EQL sequences are primarily for advanced security analytics and threat hunting. They allow you to detect complex multi-event patterns, like a specific sequence of process executions that indicate malicious activity, which wasn't possible with simple event queries.

Are there any breaking changes in this release?
No major breaking changes are highlighted for 7.11.0. The main action is deprecating the node-level cache clear APIs (_cache/clear). Start using the index-level API instead, as the node-level version will be removed in a future release.

How do service account tokens improve security?
They provide a better alternative to using user passwords for application authentication. These tokens are not linked to a password, can be scoped to specific privileges, and can be invalidated without affecting a user's ability to log in, reducing the blast radius if a token is compromised.

Releases In Branch 7.11

Version | Release date
7.11.2 | 10 Mar 2021 (5 years ago)
7.11.1 | 17 Feb 2021 (5 years ago)
7.11.0 | 10 Feb 2021 (5 years ago)