What is new in Elasticsearch 9.3
Elasticsearch 9.3 brings several practical improvements that make working with logs, time series data, vectors, and storage more efficient. The release focuses on better ingest processing, enhanced analytics in ES|QL, native support for OpenTelemetry histograms, smarter vector storage options, and storage optimizations that reduce disk usage without sacrificing performance.
These changes help teams handle large volumes of data more effectively while keeping queries fast and resource usage under control.
Key Highlights in Elasticsearch 9.3
| Feature | Description | Benefit |
|---|---|---|
| CEF Ingest Processor | New processor that parses Common Event Format (CEF) messages into structured JSON fields. | Makes security and network logs easier to analyze and visualize in Elasticsearch and Kibana. |
| Sliding Window Time Series Aggregations in ES\|QL | Calculate aggregations like average rate over a larger sliding time window instead of single buckets. | Reduces jitter in dashboards and provides smoother analytics on time series data. |
| exponential_histogram Field Type | Native support for OpenTelemetry exponential histograms with efficient bucket handling. | Enables high-compression storage of distributions (such as response times) while maintaining good percentile accuracy. |
| New dense_vector Options | Support for bfloat16 element type and on-disk rescoring during kNN searches. | Halves storage for vectors and improves search performance in memory-constrained environments. |
| Binary Doc Values Compression | Block-wise Zstd compression with variable number of values per block. | Better compression for fields with large or variable values, such as URLs in access logs. |
| Doc Values Skippers | Automatic sparse index on doc_values fields when index=false and the setting is enabled (default true for TSDB). | Reduces on-disk footprint for time series indexes while keeping filtering efficient. |
Improvements to Ingest Processing
The new cef ingest processor parses CEF-formatted messages according to the official specification. It extracts standard fields including device vendor, device product, device version, signature ID, name, severity, and all extension fields into a clean JSON structure.
This addition simplifies ingesting logs from security devices and network appliances. You can now process these logs directly in the ingest pipeline without custom scripting.
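To make the structure the processor produces concrete, here is a small Python parser for the CEF format, written for this article as an added example. It is not the ingest processor's implementation, and the output field names (cefVersion, deviceVendor, signatureId, and so on) are this example's own choice, since the page does not list the processor's target fields. The sample message is constructed and includes an escaped '=' inside an extension value, which is the case a naive split on '=' gets wrong.

```python
import re

# Constructed sample CEF message (not taken from the page). The 'msg' value
# contains an escaped '=' to exercise the extension unescaping logic.
SAMPLE_CEF = (
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=Detected path\\=/tmp/x act=blocked"
)

# Names for the seven header fields; chosen for this example only.
HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")

# An extension key is a run of word characters followed by '=', either at the
# start of the extension or after whitespace. An escaped '\=' inside a value
# never matches, because the backslash sits between the word run and the '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring the header
    escapes '\\|' and '\\\\'. Returns (fields, remaining_extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])      # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6 and cur:         # message ended right after severity
        fields.append("".join(cur))
        cur = []
    if len(fields) != 7:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    return fields, body[i:]


def _unescape_extension(value):
    """Undo the extension escapes: '\\=', '\\\\', and the '\\n'/'\\r' newline codes."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(message):
    """Parse one CEF message into a flat dict of the header fields plus every
    extension key/value pair. Raises ValueError for a malformed message."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, extension = _split_header(message[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    keys = list(_KEY_RE.finditer(extension))
    for n, m in enumerate(keys):
        # A value runs from just after this key's '=' to the start of the next key.
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        event[m.group(1)] = _unescape_extension(extension[m.end():end].rstrip())
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_CEF).items():
        print(f"{key}: {value}")
```

The two escape rules differ between the header (backslash and pipe) and the extension (backslash and equals sign), which is why the parser treats them in separate passes; a single regex split tends to misparse device names containing a pipe or values containing '='.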
Enhanced Time Series Analytics in ES|QL
Time series aggregations in ES|QL now support an optional sliding window parameter. This lets you compute functions over a wider time range than the base bucket interval, which smooths out results and reduces visual jitter in dashboards.
Example usage:
TS metrics
| WHERE TRANGE(1h)
| STATS avg(rate(requests, 10m)) BY TBUCKET(1m), host
The window value must be a multiple of the time bucket. If omitted, it defaults to the bucket size for backward compatibility.
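The following Python snippet, added here as an illustration and not taken from the page or from Elasticsearch, shows what the window does to a counter rate. It builds constructed counter samples whose per-minute increment alternates between 5 and 15, then computes the rate per 1-minute bucket once with the window equal to the bucket and once with a 10-minute window, and enforces the same rule as ES|QL: the window must be a multiple of the bucket.

```python
def make_samples(n_buckets, bucket_s=60):
    """Constructed data (not real metrics): one reading of a monotonically
    increasing request counter per bucket boundary. The increment alternates
    5, 15, 5, 15, ... so the true average load is steady but bursty."""
    samples, counter = [], 0
    for i in range(n_buckets + 1):
        samples.append((i * bucket_s, counter))
        counter += 5 if i % 2 == 0 else 15
    return samples


def windowed_rate(samples, bucket_s, window_s):
    """Rate (events per second) at each bucket boundary, measured over the
    preceding window. With window_s == bucket_s this is the plain per-bucket
    rate; larger windows average several buckets. The window must be a
    positive multiple of the bucket, mirroring the ES|QL constraint."""
    if window_s <= 0 or window_s % bucket_s:
        raise ValueError("window must be a positive multiple of the bucket size")
    k = window_s // bucket_s
    rates = []
    for i in range(k, len(samples)):
        t0, c0 = samples[i - k]
        t1, c1 = samples[i]
        rates.append((t1, (c1 - c0) / (t1 - t0)))
    return rates


def jitter(rates):
    """Population standard deviation of the rate values, used as a jitter measure."""
    values = [r for _, r in rates]
    mean = sum(values) / len(values)
    return (sum((v - mean) ** 2 for v in values) / len(values)) ** 0.5


if __name__ == "__main__":
    s = make_samples(30)
    print("per-bucket jitter:", jitter(windowed_rate(s, 60, 60)))
    print("10-minute window jitter:", jitter(windowed_rate(s, 60, 600)))
```

With the window equal to the bucket the rate flips between 5/60 and 15/60 every minute; over a 10-minute window every result is exactly 100/600, so the dashboard line is flat at the true average.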
New Field Type for Exponential Histograms
Elasticsearch 9.3 introduces the exponential_histogram field type. It provides native, efficient support for OpenTelemetry exponential histograms, which automatically adapt bucket boundaries based on observed values.
You only need to configure the maximum number of buckets. The field type works seamlessly with ES|QL aggregations including PERCENTILES, AVG, MIN, MAX, and SUM.
This change makes it easier to store and query high-cardinality distribution data such as latencies with excellent compression and accuracy.
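To show why only a maximum bucket count needs configuring, here is a toy exponential histogram in Python, added for this article and not Elasticsearch's or the OpenTelemetry SDK's code. It follows the OpenTelemetry bucketing rule (bucket i at scale s covers the interval from base^i to base^(i+1), with base = 2^(2^-s)) and drops the scale by one, merging neighbouring bucket pairs, whenever the populated range would exceed the configured maximum. The latency sample in demo() is constructed.

```python
import math
from collections import Counter


class ExponentialHistogram:
    """Toy OpenTelemetry-style exponential histogram for non-negative values.

    Bucket i at scale s covers (base**i, base**(i+1)] with base = 2**(2**-s).
    Only the populated index range is kept; when it would exceed max_buckets
    the scale is decremented, merging each pair of adjacent buckets, so the
    resolution adapts to the observed values without per-field tuning."""

    def __init__(self, max_buckets=160, scale=20):
        if max_buckets < 2:
            raise ValueError("max_buckets must be at least 2")
        self.max_buckets = max_buckets
        self.scale = scale
        self.buckets = Counter()   # bucket index -> count
        self.zero_count = 0
        self.count = 0
        self.total = 0.0

    def _index(self, value):
        # ceil(log_base(value)) - 1, computed with log2 so only a scaling is needed
        return math.ceil(math.log2(value) * 2.0 ** self.scale) - 1

    def _span(self):
        return max(self.buckets) - min(self.buckets) + 1 if self.buckets else 0

    def _downscale(self):
        # Halving the resolution maps index i to i >> 1 (floor division, so it
        # is also right for negative indexes) and adds up counts that collide.
        self.scale -= 1
        merged = Counter()
        for idx, c in self.buckets.items():
            merged[idx >> 1] += c
        self.buckets = merged

    def record(self, value):
        if value < 0:
            raise ValueError("negative values are not supported in this example")
        self.count += 1
        self.total += value
        if value == 0:
            self.zero_count += 1
            return
        self.buckets[self._index(value)] += 1
        while self._span() > self.max_buckets:
            self._downscale()

    def bounds(self, idx):
        """(lower, upper] bounds of bucket idx at the current scale."""
        step = 2.0 ** -self.scale
        return 2.0 ** (idx * step), 2.0 ** ((idx + 1) * step)

    def relative_error_bound(self):
        """Worst-case relative error of a value reconstructed from its bucket."""
        return 2.0 ** (2.0 ** -self.scale) - 1

    def percentile(self, p):
        """Estimate the p-th percentile (0 < p <= 100) as the upper bound of the
        bucket in which the cumulative count first reaches the target rank."""
        if self.count == 0:
            return None
        target = math.ceil(p / 100 * self.count)
        seen = self.zero_count
        if seen >= target:
            return 0.0
        for idx in sorted(self.buckets):
            seen += self.buckets[idx]
            if seen >= target:
                return self.bounds(idx)[1]
        return self.bounds(max(self.buckets))[1]

    def mean(self):
        return self.total / self.count if self.count else None


def demo():
    """Constructed latency sample in milliseconds (not real data): a bulk of
    fast requests between 1 and 22 ms plus a four-value slow tail. Returns
    (final scale, p50 estimate, p99 estimate, relative error bound)."""
    h = ExponentialHistogram(max_buckets=160)
    for i in range(1, 1001):
        h.record(1.0 + (i % 7) * 3.5)
    for tail_ms in (250.0, 800.0, 1500.0, 2000.0):
        h.record(tail_ms)
    return h.scale, h.percentile(50), h.percentile(99), h.relative_error_bound()


if __name__ == "__main__":
    scale, p50, p99, err = demo()
    print(f"scale={scale} p50~{p50:.2f}ms p99~{p99:.2f}ms max rel. error={err:.1%}")
```

With 160 buckets and values spanning 1 to 2000 ms the histogram settles at scale 3, so every stored value is known to within a factor of 2^(1/8), about 9%, regardless of where in that range it falls; that is the compression-versus-accuracy trade the page refers to.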
Better Vector Search Storage and Performance
The dense_vector field type now offers two useful options:
- bfloat16 element type: Stores vectors using 2 bytes per dimension instead of 4. This reduces storage by half while still allowing original source vectors of higher precision (they are rounded automatically).
- On-disk rescoring: Set on_disk_rescore: true at index creation. This keeps raw vector data on disk during the rescoring phase of kNN searches instead of loading everything into memory first. It helps maintain good performance when vector data exceeds available RAM.
These options give you more control over the storage versus speed trade-off for vector workloads.
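What "rounded automatically" means for bfloat16 is easy to see in code. The Python below is an added example for this article, not Elasticsearch's implementation: it converts float32 patterns to bfloat16 with round-to-nearest-even (the usual conversion; the page does not state which rounding mode Elasticsearch uses), decodes them again, and measures the storage saving and the precision lost on a constructed 8-dimensional vector.

```python
import math
import struct


def to_float32(x):
    """Round a Python float (a double) to the nearest float32 value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def to_bfloat16(x):
    """Encode x as bfloat16 (1 sign, 8 exponent, 7 mantissa bits): keep the top
    16 bits of the float32 pattern and round the discarded 16 bits to nearest,
    ties to even. Returns the 16-bit pattern as an int."""
    bits = struct.unpack("<I", struct.pack("<f", x))[0]
    if (bits & 0x7F800000) == 0x7F800000:          # inf or NaN: truncate only
        top = bits >> 16
        return top | 0x40 if bits & 0x007FFFFF else top   # keep a NaN a NaN
    lsb = (bits >> 16) & 1                         # lowest bit that survives
    return ((bits + 0x7FFF + lsb) >> 16) & 0xFFFF  # round half to even


def from_bfloat16(pattern):
    """Decode a bfloat16 pattern; every bfloat16 is exactly a float32."""
    return struct.unpack("<f", struct.pack("<I", pattern << 16))[0]


def quantize(vec):
    """The values a vector holds after bfloat16 storage and decoding."""
    return [from_bfloat16(to_bfloat16(v)) for v in vec]


def storage_bytes(dims, element_type):
    """Raw per-vector storage for the two element types discussed on the page."""
    return dims * {"float": 4, "bfloat16": 2}[element_type]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))


def demo():
    # Constructed 8-dimensional embedding (not real model output).
    vec = [0.1234567, -0.9876543, 0.5, 0.3333333, -0.0001234, 0.7071068, 1.0, -0.25]
    rounded = quantize(vec)
    # Relative error is measured against the float32 value, which is what a
    # 'float' dense_vector would have stored.
    max_rel = max(abs(r - to_float32(v)) / abs(to_float32(v))
                  for v, r in zip(vec, rounded))
    return {
        "bytes_float": storage_bytes(len(vec), "float"),
        "bytes_bfloat16": storage_bytes(len(vec), "bfloat16"),
        "max_relative_error": max_rel,
        "cosine_to_original": cosine(vec, rounded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

bfloat16 keeps float32's full exponent range, so no component overflows or underflows on conversion; what it gives up is mantissa bits, capping the per-component relative error at 2^-8 (about 0.4%). For similarity search that error largely cancels in the dot product, which is why the cosine between the original and the rounded vector stays very close to 1.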
Storage Optimizations
Several changes improve how data is stored on disk:
- Binary doc values now use Zstd compression with variable-sized blocks. This works especially well for fields containing large or variable-length values, such as URLs or log messages.
- Doc values skippers are enabled by default for TSDB indexes on key fields like @timestamp, dimensions, and _tsid. This reduces index size significantly while preserving fast filtering.
- Numeric blocks in the TSDB codec are now larger (512 values instead of 128), which improves compression ratios for multi-value fields.
Together, these optimizations help lower storage costs and speed up operations on time series data.
Other Notable Enhancements
Elasticsearch 9.3 includes many smaller improvements across different areas:
- Better allocation metrics and simulation tools for shard balancing.
- Improved SAML authentication error handling and logging.
- Additional privileges for Kibana system roles to support security features.
- Performance tweaks in ILM and index management APIs.
- Enhanced health indicators and logging.
These changes make daily operations smoother and help clusters run more reliably at scale.
How These Changes Help in Real-World Use
Whether you run security monitoring, observability platforms, or AI-powered search, Elasticsearch 9.3 gives you tools to handle data more efficiently. The CEF processor simplifies log ingestion from enterprise tools. Sliding windows and exponential histograms improve analytics accuracy. Vector improvements lower costs for semantic search applications. Storage optimizations reduce infrastructure expenses without complex tuning.
Most features work with existing indexes or require only small mapping changes, making the upgrade straightforward for production environments.
FAQ
What is the main focus of Elasticsearch 9.3?
The release emphasizes efficiency improvements for ingest, analytics, vector workloads, and storage. It adds practical features that reduce resource usage and make common tasks easier.
Does Elasticsearch 9.3 introduce a new field type for histograms?
Yes. The exponential_histogram field type provides native support for OpenTelemetry exponential histograms with automatic bucket selection and good compression.
Can I reduce vector storage costs in Elasticsearch 9.3?
Yes. Use the new bfloat16 element type for dense_vector fields to halve storage requirements compared to float.
How does the sliding window feature work in ES|QL?
You can pass a window size as the second argument to time series aggregation functions. It computes results over multiple buckets, producing smoother outputs for dashboards.
Will binary doc values compression affect my existing indexes?
Compression is applied transparently when new data is written. Fields with large values, like URLs, will typically show better compression ratios.
Is on-disk rescoring useful for all vector search setups?
It helps most when vector data exceeds available RAM. In memory-rich environments the benefit may be smaller, but it never hurts performance.