Overview
The Elasticsearch MCP server enables Azure SRE Agent to interact with your Elasticsearch clusters using natural language. Query your logs, analyze metrics, check cluster health, and troubleshoot issues conversationally.
This integration uses Elastic's Agent Builder MCP endpoint, the recommended approach for Elastic 9.2.0+ and Elasticsearch Serverless projects.
Key capabilities
| Capability | Description |
|---|---|
| Search | Execute search queries using Elasticsearch Query DSL |
| ES\|QL | Run ES\|QL queries for data exploration |
| Mappings | Get field mappings for indices |
| Cluster health | Check shard information and cluster status |
| Index management | List available indices |
Prerequisites
- Azure SRE Agent resource at sre.azure.com
- Elasticsearch cluster (Elastic Cloud or self-hosted, version 9.2.0 or higher)
- Kibana with Agent Builder enabled (Elastic 9.2.0+ or Serverless)
- API key with appropriate permissions
Step 1: Get your Elasticsearch credentials
1. Log in to Elastic Cloud or your self-hosted Kibana at https://{your-kibana-url}
2. Navigate to Management > API Keys
3. Click Create API key
4. Provide a name (e.g., azure-sre-agent-mcp)
5. Set appropriate permissions (at minimum, read access to the indices you want to query)
6. Click Create API key and copy the encoded API key
7. Note your Kibana URL (e.g., https://my-deployment.kb.us-east-1.aws.elastic.cloud)
Step 2: Add the MCP connector
1. Navigate to your Azure SRE Agent at sre.azure.com
2. Select your agent from the list
3. In the left navigation, expand Builder > Connectors
4. Select Add connector
5. In "Choose a connector", select MCP server (User provided connector)
6. Click Next and configure:
| Field | Value |
|---|---|
| Name | elasticsearch-mcp |
| Connection type | Streamable-HTTP |
| URL | https://{KIBANA_URL}/api/agent_builder/mcp |
| Authentication method | Custom headers |
| Header name | Authorization |
| Header value | ApiKey {your-api-key} |
7. Click Next to review, then Add to save
Equivalent mcp.json configuration
For reference, the equivalent mcp.json configuration:
```json
{
  "mcpServers": {
    "elasticsearch-mcp": {
      "url": "https://{KIBANA_URL}/api/agent_builder/mcp",
      "transport": "streamable-http",
      "headers": {
        "Authorization": "ApiKey {your-api-key}"
      }
    }
  }
}
```
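As an added example (not part of the original post and not Azure SRE Agent or Elastic code), the Python below builds the least-privilege body for Elasticsearch's `POST /_security/api_key` call that Step 1 asks for, and checks an `mcpServers` entry like the one above for the mistakes behind the troubleshooting rows (plain HTTP, wrong header scheme, placeholder left in). The role name, the 30-day expiry and the `monitor`/`read`/`view_index_metadata` privilege set are assumptions about what the read-only tools need; any Kibana feature privileges Agent Builder requires are outside this example.

```python
from urllib.parse import urlparse

MCP_PATH = "/api/agent_builder/mcp"   # Agent Builder MCP endpoint path used in Step 2


def api_key_request(name: str, index_patterns: list[str], expiration: str = "30d") -> dict:
    """Body for Elasticsearch's POST /_security/api_key, restricted to read-only access on the
    given index patterns. Role name, expiry and privilege set are this example's assumptions."""
    return {
        "name": name,
        "expiration": expiration,                  # keys for an automated agent should not live forever
        "role_descriptors": {
            "sre_agent_read": {
                "cluster": ["monitor"],            # cluster health and shard listing, no write access
                "indices": [{"names": index_patterns,
                             "privileges": ["read", "view_index_metadata"]}],
            }
        },
    }


def check_connector(entry: dict) -> list[str]:
    """Findings for one mcpServers entry; each maps to a row of the troubleshooting table."""
    findings = []
    url = urlparse(entry.get("url", ""))
    if url.scheme != "https":
        findings.append("URL must use https: plain http fails TLS checks and sends the key in clear")
    if url.path.rstrip("/") != MCP_PATH:
        findings.append(f"URL path should be {MCP_PATH}")
    if url.username or url.query:
        findings.append("credentials or query parameters must not be embedded in the URL")
    if entry.get("transport") != "streamable-http":
        findings.append("transport must be streamable-http")
    auth = entry.get("headers", {}).get("Authorization", "")
    if not auth.startswith("ApiKey "):
        findings.append("Authorization header must be 'ApiKey <encoded key>' (401 otherwise)")
    elif "{" in auth:
        findings.append("Authorization header still holds a placeholder instead of the encoded key")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the mcp.json above, with the placeholders left in.
    entry = {"url": "https://{KIBANA_URL}/api/agent_builder/mcp", "transport": "streamable-http",
             "headers": {"Authorization": "ApiKey {your-api-key}"}}
    print(check_connector(entry))
    print(api_key_request("azure-sre-agent-mcp", ["logs-*", "metrics-*"]))
```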
Step 3: Create a subagent and add tools
1. In the left navigation, select Builder > Subagent builder
2. Click + Create
3. Switch to the YAML tab and paste this configuration:
```yaml
api_version: azuresre.ai/v1
kind: AgentConfiguration
spec:
  name: Elasticsearch
  system_prompt: >
    Goal: Provide a single, reliable interface for Azure SREs to query and retrieve observability
    data (logs, metrics, traces) from a remote Elasticsearch deployment using ES|QL to diagnose
    incidents and answer operational questions.
    Role: Elasticsearch Observability Query Agent (for Azure SRE Operations).
    Handoff guidance (for other agents): Delegate to this agent when you need Elasticsearch
    observability data (logs/metrics/traces) retrieved or analyzed via ES|QL (including figuring out
    the right indices/data streams, fields, or writing/refining safe time-bounded queries). Do not
    delegate for remediation/changes outside querying/analysis.
    Capabilities:
    - Discoverability: list supported operations (connectivity/test, list indices/data streams,
    mappings/field discovery, sample documents).
    - Data access: identify relevant indices/data streams from incident context; request permission
    to enumerate when needed.
    - Query authoring: write ES|QL for time-bounded log/metric/trace retrieval, filtering,
    aggregation, grouping, sorting, limits.
    - Query iteration: refine queries based on results/errors; explain changes.
    Operating guidelines:
    - Ask only for the minimum required context when missing: time range (UTC), environment/cluster,
    service/app name, and any identifiers (host, pod, trace.id, correlation id). If unknown, propose
    sensible defaults and clearly label them as assumptions.
    - Prefer safe, bounded queries: always include explicit time filters and LIMIT; avoid unbounded
    scans.
    - If index/data stream is unknown, first propose likely patterns and/or request permission to
    enumerate indices/data streams.
    - If ES|QL is unsupported in the target, propose an equivalent query approach supported by the
    deployment and state the assumption.
    - Do not fabricate index names, field names, mappings, or results. If you must assume, label it
    and ask the user to confirm.
    Constraints:
    - No destructive actions: never modify, delete, or reindex data.
    - Treat endpoints/credentials as sensitive: request only if necessary; never echo secrets.
    Output format (default): 1) Intent (1–2 lines) 2) ES|QL query (fenced code block) 3) What to
    look for in results 4) Optional next-step query
    Interaction rule:
    - When you ask the user a question to proceed, stop and end your turn immediately after the
    question.
    - Do not repeat the same question in later turns; instead, acknowledge what was answered and ask
    only what remains.
    Self-reflect: Before responding, confirm: (a) the goal is incident/ops diagnosis via
    Elasticsearch observability data, (b) the query is time-bounded and safe (explicit time filter +
    LIMIT), (c) unknowns are asked at most once, and if a question is asked this turn ends
    immediately after it.
  tools:
    - Elasticsearch_platform_core_execute_esql
    - Elasticsearch_platform_core_generate_esql
    - Elasticsearch_platform_core_get_document_by_id
    - Elasticsearch_platform_core_get_index_mapping
    - Elasticsearch_platform_core_index_explorer
    - Elasticsearch_platform_core_list_indices
    - Elasticsearch_platform_core_search
  handoff_description: >-
    Delegate to this agent when you need Elasticsearch observability data (logs/metrics/traces)
    retrieved or analyzed via ES|QL (including figuring out the right indices/data streams, fields,
    or writing/refining safe time-bounded queries). Do not delegate for remediation/changes outside
    querying/analysis.
  agent_type: Autonomous
  enable_skills: false
```
4. Click Create to save the subagent
CRITICAL: You must add tools to the subagent! Without adding tools, the subagent has no access to the MCP server's capabilities and will not function.
1. After creating the subagent, select it from the list to open the editor
2. Navigate to the Tools tab
3. Click + Add tools
4. In the tool picker, find the elasticsearch-mcp connector tools: list_indices, get_mappings, search, esql, get_shards
5. Select all the tools you want the subagent to use
6. Click Add to attach the tools to the subagent
7. Click Save to finalize the subagent configuration
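The system prompt above tells the subagent to keep every ES|QL query time-bounded and capped with LIMIT. As an added example (not the original post's code and not part of Azure SRE Agent), this Python guard checks a generated query against those two rules before it would be passed to the execute tool; the 1000-row cap and the accepted time fields are assumptions.

```python
import re

MAX_LIMIT = 1000                                  # row cap; an assumption for this example
TIME_FIELDS = ("@timestamp", "event.ingested")    # fields accepted as a time bound (assumption)


def _commands(query: str) -> list[str]:
    """Split an ES|QL query on '|' pipes, ignoring pipes inside double-quoted strings."""
    parts, buf, in_str = [], [], False
    for ch in query:
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def check_esql_bounded(query: str, max_limit: int = MAX_LIMIT) -> list[str]:
    """Return the guideline violations in an ES|QL query; an empty list means it may run."""
    issues, cmds = [], _commands(query)
    if not cmds or not cmds[0].upper().startswith("FROM "):
        issues.append("query must start with FROM <index pattern>")
    wheres = [c for c in cmds if c.upper().startswith("WHERE ")]
    if not any(f in w for w in wheres for f in TIME_FIELDS):
        issues.append("no explicit time filter on " + " or ".join(TIME_FIELDS))
    limits = [int(m.group(1)) for m in (re.match(r"LIMIT\s+(\d+)$", c, re.I) for c in cmds) if m]
    if not limits:
        issues.append("no LIMIT clause")
    elif max(limits) > max_limit:
        issues.append(f"LIMIT {max(limits)} exceeds cap of {max_limit}")
    return issues


def enforce_bounds(query: str, max_limit: int = MAX_LIMIT) -> str:
    """Append LIMIT when it is missing. A time range cannot be guessed safely, so that stays an issue."""
    cmds = _commands(query)
    if not any(re.match(r"LIMIT\s+\d+$", c, re.I) for c in cmds):
        cmds.append(f"LIMIT {max_limit}")
    return "\n| ".join(cmds)


if __name__ == "__main__":
    # Constructed sample: the kind of query the subagent would write for "top 10 error types".
    sample = 'FROM logs-*\n| WHERE log.level == "error"\n| STATS count = COUNT(*) BY error.type'
    print(check_esql_bounded(sample))   # time filter and LIMIT are both missing
    print(enforce_bounds(sample))
```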
Step 4: Test the integration
1. Open a new chat session with your Azure SRE Agent
2. Try these example prompts:
| Prompt | What it tests |
|---|---|
| "List all indices in my Elasticsearch cluster" | list_indices tool |
| "What are the mappings for the logs-* index?" | get_mappings tool |
| "Search for errors in the last hour across all logs indices" | search tool |
| "Run an ES\|QL query to find the top 10 error types" | esql tool |
| "Show me shard information for my cluster" | get_shards tool |
Available tools
| Tool | Description |
|---|---|
| list_indices | List all available Elasticsearch indices |
| get_mappings | Get field mappings for a specific Elasticsearch index |
| search | Perform an Elasticsearch search with the provided Query DSL |
| esql | Perform an ES\|QL query |
| get_shards | Get shard information for all or specific indices |
Troubleshooting
| Issue | Solution |
|---|---|
| Subagent doesn't have Elasticsearch tools | You MUST add tools to the subagent after creating it! Go to subagent > Tools tab > Add tools > select elasticsearch-mcp tools |
| Connection refused | Verify Kibana URL is correct and accessible from Azure |
| 401 Unauthorized | Check API key is valid and has proper permissions |
| 403 Forbidden | Ensure Agent Builder is enabled in your Elastic deployment |
| Tools not appearing | Wait a few seconds after adding connector, then refresh |
| SSL/TLS errors | Ensure your Kibana URL uses HTTPS |
Updated Feb 18, 2026, Version 1.0
dbandaru, Microsoft, Apps on Azure Blog