
Overview

The Elasticsearch integration enables Steadwing to query your logs, metrics, and traces using natural language and ES|QL during incident analysis. Our AI leverages Kibana’s Agent Builder tools to intelligently search your data, identify patterns, and correlate findings with code changes for faster root cause analysis.

Why Use Elasticsearch with Steadwing?

  • Semantic Search: Query logs using natural language, with no complex syntax needed
  • ES|QL Analysis: Run powerful analytical queries to aggregate and analyze data
  • Custom Tools: Leverage your pre-configured Agent Builder tools
  • Smart Correlation: Automatically link log patterns to code changes and deployments

Setup Instructions

Step 1: Get Your Kibana URL

Your Kibana URL format depends on your deployment type:
  • Elastic Cloud: https://your-deployment-id.kb.region.cloud.es.io
  • Elastic Serverless: https://your-project.es.region.cloud.es.io
Example: https://abc123def.kb.us-east-1.aws.found.io

Step 2: Create an API Key

  1. Navigate to Kibana → Stack Management → API Keys
  2. Click Create API Key
  3. Configure the following privileges:
{
  "name": "steadwing-rca-integration",
  "role_descriptors": {
    "steadwing_role": {
      "cluster": ["monitor"],
      "indices": [
        {
          "names": ["logs-*", "metrics-*"],
          "privileges": ["read", "view_index_metadata"]
        }
      ],
      "applications": [
        {
          "application": "kibana-.kibana",
          "privileges": ["read_onechat", "space_read"],
          "resources": ["*"]
        }
      ]
    }
  }
}
Required Privileges:
  • read_onechat - Access to Agent Builder MCP
  • space_read - Access to Kibana spaces
  • read + view_index_metadata - Query your indices
  4. Click Create API Key
  5. Copy the API key - you’ll need it in Step 3
Save your API key immediately! It’s shown only once. If you lose it, you’ll need to create a new key.
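The same key can be created through the Elasticsearch API instead of the Kibana UI, which also lets you check the privileges before the key exists. The script below is an added example, not Steadwing's or Elastic's code: it builds the role_descriptors block from this step with the index patterns made configurable, audits it for anything beyond read access, and prepares the `POST /_security/api_key` request. The `expiration` field and the list of write-capable privileges it screens for are this example's own additions; the endpoint URL is a placeholder and must be your deployment's Elasticsearch endpoint, not the Kibana URL.

```python
import json
import urllib.request

# Index privileges that would let a key modify data. This list is an assumption
# made for the audit below, not something the setup guide or Elastic publishes.
WRITE_LIKE = {"all", "write", "create", "create_doc", "index", "delete",
              "delete_index", "create_index", "manage", "auto_configure", "maintenance"}


def build_role_descriptors(index_patterns):
    """The role_descriptors block from the setup guide, parameterised by index
    pattern so the key can be narrowed (e.g. logs-production-* instead of logs-*)."""
    return {
        "steadwing_role": {
            "cluster": ["monitor"],
            "indices": [{
                "names": list(index_patterns),
                "privileges": ["read", "view_index_metadata"],
            }],
            "applications": [{
                "application": "kibana-.kibana",
                "privileges": ["read_onechat", "space_read"],
                "resources": ["*"],
            }],
        }
    }


def audit_role_descriptors(role_descriptors):
    """Return a list of findings; an empty list means every role is read-only
    and scoped to explicit, non-system index patterns."""
    findings = []
    for role_name, role in role_descriptors.items():
        for priv in role.get("cluster", []):
            if priv != "monitor":
                findings.append(f"{role_name}: cluster privilege {priv!r} exceeds 'monitor'")
        for entry in role.get("indices", []):
            bad = WRITE_LIKE.intersection(entry.get("privileges", []))
            if bad:
                findings.append(f"{role_name}: write-capable index privileges {sorted(bad)}")
            for pattern in entry.get("names", []):
                if pattern in ("*", "_all") or pattern.startswith("."):
                    findings.append(f"{role_name}: index pattern {pattern!r} is too broad or hits system indices")
    return findings


def create_api_key_request(es_url, name, index_patterns, expiration="90d", auth_header=None):
    """Build (but do not send) the POST /_security/api_key request. es_url is the
    Elasticsearch endpoint, not the Kibana URL. The expiration is an addition to
    the guide's JSON so a leaked key stops working on its own."""
    role_descriptors = build_role_descriptors(index_patterns)
    findings = audit_role_descriptors(role_descriptors)
    if findings:
        raise ValueError("refusing to create key: " + "; ".join(findings))
    body = {"name": name, "role_descriptors": role_descriptors, "expiration": expiration}
    req = urllib.request.Request(
        url=es_url.rstrip("/") + "/_security/api_key",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    if auth_header:  # e.g. "ApiKey <base64 of an admin key>", supplied by the caller
        req.add_header("Authorization", auth_header)
    return req


def request_body(req):
    """Decode a prepared request's JSON body so it can be reviewed before sending."""
    return json.loads(req.data.decode())


if __name__ == "__main__":
    # Placeholder endpoint; replace with your deployment's Elasticsearch URL.
    req = create_api_key_request("https://YOUR-ES-ENDPOINT.example", "steadwing-rca-integration",
                                 ["logs-production-*", "metrics-production-*"])
    print(req.get_method(), req.full_url)
    print(json.dumps(request_body(req), indent=2))
    # Sending it would be: urllib.request.urlopen(req); the response contains the
    # one-time "encoded" value to paste into Steadwing in Step 3.
```

The audit runs before the request is built, so a request that would grant `write`, a cluster privilege other than `monitor`, or a bare `*` index pattern is never produced; the response's `encoded` field is the value Steadwing needs, and it is shown only once.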

Step 3: Connect Elasticsearch in Steadwing

  1. Navigate to Steadwing Settings
  2. Find the Elasticsearch integration card
  3. Click to expand the collapsible form
  4. Fill in the required fields:
    • Kibana URL: Your full Kibana instance URL (e.g., https://abc123def.kb.us-east-1.aws.found.io)
    • API Key: The API key you created
  5. Toggle the switch to Enable the integration

How It Works

When analyzing an incident, Steadwing automatically:
  1. Discovers Tools - Identifies available tools in your Kibana Agent Builder
  2. Extracts Context - Parses error messages for service names, timestamps, and error types
  3. Queries Strategically:
    • Semantic search for broad pattern matching
    • ES|QL for detailed aggregations and analysis
    • Custom tools if configured
  4. Correlates Findings - Combines Elasticsearch data with code changes, metrics, and deployments
  5. Generates Timeline - Builds chronological view of events leading to the incident
No manual log searching required!

Requirements

  • Elastic Cloud 9.2+ or Elastic Serverless deployment
  • Kibana instance with Agent Builder enabled
  • API Key with appropriate privileges

Use Cases

Error Investigation:
Example: "Show me all errors in the payment service from the last hour"
Steadwing uses semantic search to find relevant error logs automatically
Performance Analysis:
Example: "Find timeout errors related to the database"
ES|QL aggregates timeouts by service and identifies patterns
Deployment Correlation:
Steadwing correlates error spikes with recent deployments
Timeline shows: Deploy → Error spike → Root cause identified

What Data Can Steadwing Access?

Read-Only Access:
  • Only indices specified in your API key (e.g., logs-*, metrics-*)
  • Time-bounded queries (typically 1-6 hours around incident)
  • Limited results (50-100 per query)
Security:
  • Cannot write, update, or delete data
  • Cannot modify Kibana dashboards or settings
  • API keys encrypted at rest
  • Queries executed in real-time - no data storage
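To make the time window and result cap above concrete, here is an added Python example (not Steadwing's or Elastic's code) that builds an ES|QL query of the kind the Use Cases section describes while enforcing a 1-6 hour window and a 100-row limit, and that quotes the caller-supplied service name so it cannot alter the query. The ECS field names (service.name, log.level, error.type), the index-pattern rule, and the `/_query` body helper are this example's assumptions.

```python
import re

MAX_ROWS = 100          # the guide states 50-100 results per query
MAX_WINDOW_HOURS = 6    # and 1-6 hours around the incident

# Index patterns accepted after FROM: lowercase, no leading dot (system indices),
# at most one trailing wildcard. A hypothetical rule chosen for this example.
INDEX_PATTERN_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*\*?$")


def esql_string(value):
    """Quote a caller-supplied value as an ES|QL double-quoted string literal,
    escaping backslashes and quotes so it cannot break out of the literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_error_query(index_pattern, service_name, hours=1, limit=MAX_ROWS):
    """Count error logs per error.type for one service inside a bounded window.
    Out-of-range hours/limit values are clamped rather than rejected."""
    if not INDEX_PATTERN_RE.match(index_pattern):
        raise ValueError(f"unexpected index pattern: {index_pattern!r}")
    hours = max(1, min(int(hours), MAX_WINDOW_HOURS))
    limit = max(1, min(int(limit), MAX_ROWS))
    unit = "hour" if hours == 1 else "hours"
    return (
        f"FROM {index_pattern} "
        f"| WHERE @timestamp > NOW() - {hours} {unit} "
        f"AND service.name == {esql_string(service_name)} "
        f'AND log.level == "error" '
        f"| STATS errors = COUNT(*) BY error.type "
        f"| SORT errors DESC "
        f"| LIMIT {limit}"
    )


def query_request_body(query):
    """Body for Elasticsearch's POST /_query endpoint, which runs ES|QL."""
    return {"query": query}


if __name__ == "__main__":
    # Constructed inputs: an over-long window and limit, plus a name containing a quote.
    print(build_error_query("logs-*", 'pay"ment', hours=9, limit=500))
    print(query_request_body(build_error_query("logs-production-*", "payment")))
```

Because the window and limit are clamped inside the builder, a caller (or a model-generated parameter) cannot widen the query past what the integration promises, and the quoted service name stays a literal even if it contains quotes or backslashes.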

Uninstall

To disconnect the integration:
  1. In Steadwing Settings, disable the Elasticsearch integration
  2. In Kibana, delete the API key:
    • Navigate to Stack Management → API Keys
    • Find “steadwing-rca-integration” (or your chosen name)
    • Click Delete
This immediately revokes access.

FAQs

  • No. The API key only has read permissions. Steadwing cannot write, update, or delete any data in your Elasticsearch cluster.
  • Elastic Cloud 9.2+ and Elastic Serverless. Older versions are not supported due to Agent Builder requirements.
  • No. Steadwing can use semantic search and ES|QL without custom tools. However, custom tools can improve results for organization-specific queries.
  • Verify your API key includes read_onechat and space_read privileges. These are required for Agent Builder access.
  • Only data within the incident timeframe (typically 1-6 hours). Queries are limited to 50-100 results to prevent overwhelming data transfer.
  • Agent Builder must be enabled in your Kibana instance. Contact Elastic support to enable it for your deployment.
  • Yes. In the API key privileges, specify only the indices you want Steadwing to access (e.g., logs-production-* instead of logs-*).
  • Currently, only Elastic Cloud 9.2+ and Elastic Serverless are supported. On-premises deployments require these versions with Agent Builder enabled.
Need additional help? Please reach out to us at hello@steadwing.com