What Is New in Elasticsearch 7.9
Elasticsearch 7.9 delivers critical security enhancements, significant performance upgrades for analytics, and new data management capabilities. This release focuses on making the platform more robust for production environments and easier to manage at scale.
| Category | Key Updates |
|---|---|
| New Features | Searchable Snapshots (GA), New EQL Syntax, Kibana Alerting Integration |
| Enhancements | Faster Frozen Tier, ARM64 Support, SQL & EQL Improvements |
| Security | FIPS 140-2 Compliance, SAML Authentication Improvements |
| Deprecations | Deprecation of the `_field_stats` API |
How do searchable snapshots change cold storage?
Searchable snapshots move the cold data tier from archive-only to searchable archive. This feature, now generally available, allows you to mount a snapshot as a searchable index directly from a repository like S3, minimizing local storage needs.
In practice, this means you can keep massive amounts of historical data readily queryable without the cost of keeping it all on hot storage. The trade-off is latency: searches will be slower than on local SSDs, but it's a game-changer for compliance and long-term analytics workloads.
What performance gains can I expect from the frozen tier?
The frozen tier sees massive speed improvements for queries. The process of searching a mounted snapshot is now up to three times faster thanks to optimizations in the caching and data retrieval layers.
This matters because it makes using the frozen tier for occasional queries against cold data a much more viable option. You're less likely to need to restore entire snapshots to run a historical investigation, saving both time and cluster resources.
Is Elasticsearch 7.9 compliant with FIPS 140-2?
Yes, Elasticsearch 7.9 introduces a FIPS 140-2 compliant mode for environments with strict federal security requirements. When running on a FIPS-enabled JVM, the node will operate in a mode that uses only approved cryptographic algorithms.
This is a big deal for government contractors and regulated industries. It means the entire stack, from TLS communication to password hashing for users, will adhere to the required standards without custom configuration.
How is EQL evolving for security analytics?
Event Query Language (EQL) gets new syntax for parsing and matching sequences of events, making it more powerful for threat hunting. You can now use wildcards and pipes within sequence queries to model complex attack patterns more effectively.
For security teams, this translates to writing more precise queries to detect multi-stage attacks. The new syntax feels more intuitive for analysts coming from other query languages, lowering the barrier to entry.
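To make the sequence-matching idea concrete, here is an added, self-contained Python illustration (not Elasticsearch's own engine, and not code from this page) of what a hypothetical EQL sequence query with a wildcard stage and a `tail` pipe does over a handful of constructed events. The query text, the field names, the case-insensitive glob semantics and the one-partial-match-per-key simplification are all assumptions made for the example.

```python
import fnmatch
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Stage = Tuple[str, str, Any]  # (event.category, field, exact value or "*" glob pattern)

# Constructed sample events, already ordered by @timestamp (not from a real cluster).
EVENTS: List[Event] = [
    {"@timestamp": 1, "host.name": "web-1", "event.category": "process", "process.name": "PowerShell.exe"},
    {"@timestamp": 2, "host.name": "web-2", "event.category": "network", "destination.port": 443},
    {"@timestamp": 3, "host.name": "web-1", "event.category": "network", "destination.port": 443},
    {"@timestamp": 4, "host.name": "web-2", "event.category": "process", "process.name": "cmd.exe"},
    {"@timestamp": 5, "host.name": "web-2", "event.category": "network", "destination.port": 443},
    {"@timestamp": 6, "host.name": "web-3", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": 7, "host.name": "web-3", "event.category": "network", "destination.port": 80},
    {"@timestamp": 8, "host.name": "web-3", "event.category": "network", "destination.port": 443},
]

# Stages of the hypothetical query:
#   sequence by host.name
#     [process where process.name == "powershell*"]
#     [network where destination.port == 443]
#   | tail 1
STAGES: List[Stage] = [("process", "process.name", "powershell*"),
                       ("network", "destination.port", 443)]

def stage_matches(stage: Stage, event: Event) -> bool:
    """String patterns are case-insensitive globs (assumed semantics); other values compare exactly."""
    category, field, pattern = stage
    if event.get("event.category") != category or field not in event:
        return False
    if isinstance(pattern, str):
        return fnmatch.fnmatchcase(str(event[field]).lower(), pattern.lower())
    return event[field] == pattern

def match_sequence(events: List[Event], stages: List[Stage], by: str) -> List[List[Event]]:
    """Return each completed sequence (one event per stage) in completion order.
    One in-flight partial match is kept per join key; an event that matches the first
    stage restarts that key's partial match (a simplification of real EQL semantics)."""
    partial: Dict[Any, List[Event]] = {}
    completed: List[List[Event]] = []
    for event in events:
        key = event.get(by)
        if key is None:
            continue
        so_far = partial.get(key, [])
        if stage_matches(stages[len(so_far)], event):
            so_far = so_far + [event]
        elif stage_matches(stages[0], event):
            so_far = [event]
        else:
            continue
        if len(so_far) == len(stages):
            completed.append(so_far)
            partial.pop(key, None)
        else:
            partial[key] = so_far
    return completed

def tail(sequences: List[List[Event]], n: int) -> List[List[Event]]:
    """The `| tail n` pipe: keep only the last n completed sequences."""
    return sequences[-n:]

def run_query(events: List[Event] = EVENTS) -> List[List[Event]]:
    return tail(match_sequence(events, STAGES, "host.name"), 1)
```

Over the sample data, `web-2` never completes the sequence because `cmd.exe` does not match the wildcard stage, while `web-1` and `web-3` do, and the `tail 1` pipe keeps only the `web-3` match.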
What's new for ARM64 architecture?
Elasticsearch 7.9 adds official support for ARM64 architectures. This means you can now run Elasticsearch nodes natively on AWS Graviton2 processors or other ARM-based hardware.
The main benefit here is cost savings. Graviton2 instances often provide better price-to-performance ratios than comparable x86 instances, allowing you to reduce your cloud infrastructure bill for the same workload.
FAQ
Is the Searchable Snapshots feature production-ready?
Yes, searchable snapshots have graduated from beta to general availability in 7.9. They are now considered stable and supported for production use, primarily for your colder data tiers.
Do I need to change my code to use the new EQL syntax?
Existing EQL queries will continue to work. The new syntax, like using wildcards in sequences, is additive and provides new capabilities without breaking backward compatibility for your current queries.
How do I enable FIPS 140-2 mode?
You must run Elasticsearch on a JVM that is configured for FIPS 140-2 compliance. When the JVM is in FIPS mode, Elasticsearch will automatically detect this and restrict itself to using only FIPS-approved algorithms.
What is the main use case for the frozen tier performance improvements?
The improvements are targeted at analytical queries over large, historical datasets. If you need to periodically run reports or investigations on old data stored in snapshots, you'll see significantly faster response times.
Is the deprecated `_field_stats` API removed?
No, the `_field_stats` API is only deprecated in 7.9, not removed. It will continue to function, but you should begin transitioning to the `_field_caps` API, which provides similar and extended functionality.