Index search tools

Index search tools provide intelligent, natural language-driven search over specified Elasticsearch resources. Instead of defining explicit queries, you specify a pattern of indices, aliases, or data streams, and the tool uses a combination of built-in capabilities to intelligently interpret and execute search requests.

Use custom Index search tools when:

  • You want agents to handle diverse, exploratory queries
  • The search intent varies significantly across requests
  • Users need flexible, dynamic search functionality
  • You want to scope general search capabilities to specific indices

Key characteristics:

  • Accept natural language queries from the agent
  • Automatically determine optimal search strategy (full-text, semantic)
  • Leverage built-in tools like index exploration, query generation, and semantic search
  • Ideal for flexible, user-driven exploratory searches
  • No need to pre-define query logic

Index search tools require only a single configuration parameter:

  • pattern: An index pattern string (e.g., logs-myapp-*, my-index, .alerts-security-*) specifying which indices, aliases, or data streams to search

    Tip

    Avoid overly broad wildcard patterns like * or logs-* across large datasets.

When an agent calls an index search tool:

  1. The agent provides a natural language query (e.g., "find recent errors related to authentication")
  2. The tool analyzes the query intent and available indices
  3. It automatically orchestrates built-in tools to:
    • Explore the index structure and mappings
    • Generate appropriate queries (ES|QL or query DSL)
    • Execute semantic search if relevant
    • Rank and format results
  4. It returns results in a format the agent can interpret and present

Best practices:

  • Use specific patterns: Scope tools to relevant index patterns rather than broad wildcards (e.g., logs-myapp-* instead of logs-*)
  • Write descriptive tool names: Help agents select the right tool for the query (e.g., "Search Security Alerts" vs. "Search Tool")
  • Provide context in descriptions: Explain what data the indices contain and what types of questions the tool can answer
  • Create domain-specific tools: Build separate tools for different data domains (logs, metrics, alerts) rather than one general-purpose tool

Common patterns:

  • Wildcard patterns: logs-*, metrics-*, events-*
  • Specific indices: products, users, orders
  • System indices: .alerts-security-*, .ml-anomalies-*

Warning

Avoid overly broad patterns like * or logs-* across large datasets. Broad wildcards can cause the agent to retrieve more data than the LLM can process, resulting in slow responses or errors. Refer to Context length exceeded for tips on diagnosing and resolving these issues.
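
One way to review a tool's pattern value before registering it, shown as an added example that is not part of the original documentation or of Elasticsearch itself. It counts how many targets a pattern would reach in an inventory of index names and flags bare wildcards, over-broad matches and patterns that match nothing. The function names, the sample inventory, the match limit and the simplified matching rule (a pattern reaches dot-prefixed indices only when it starts with a dot) are assumptions.

```python
import re

# Constructed inventory of index / data stream names (not from a real cluster).
SAMPLE_INDICES = [
    "logs-myapp-2024.05.01", "logs-myapp-2024.05.02", "logs-nginx-2024.05.01",
    "logs-auth-2024.05.01", "metrics-system-2024.05.01", "products", "users",
    ".alerts-security-default-000001", ".ml-anomalies-shared",
]

def matches(pattern, name):
    """Simplified wildcard match: '*' is the only special character.
    Assumption: dot-prefixed (system/hidden) names are reached only by
    patterns that themselves start with a dot."""
    if name.startswith(".") and not pattern.startswith("."):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def review_pattern(pattern, indices, max_matches=3):
    """Report what a tool scoped to `pattern` could read and why that may be
    too much. `max_matches` is a hypothetical local policy limit."""
    pattern = pattern.strip()
    matched = sorted(n for n in indices if matches(pattern, n))
    findings = []
    if pattern and not pattern.replace("*", ""):
        findings.append("bare wildcard: the tool is not scoped at all")
    if not matched:
        findings.append("matches nothing in the inventory (typo or stale name?)")
    elif len(matched) > max_matches:
        findings.append(f"matches {len(matched)} targets, limit is {max_matches}")
    return {"pattern": pattern, "matched": matched, "findings": findings}

if __name__ == "__main__":
    for candidate in ["*", "logs-*", "logs-myapp-*", ".alerts-security-*"]:
        report = review_pattern(candidate, SAMPLE_INDICES)
        status = "; ".join(report["findings"]) or "ok"
        print(f"{candidate:22} {len(report['matched'])} targets  {status}")
```

In practice the inventory would come from the cluster's own index listing, and the limit would reflect how much data the agent's model can process.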