Choose the right step
Workflows ship with many step types. This page is keyed by intent: find the row that matches what you're trying to do; the right column gives you the step you need and links to its reference.
For an alphabetical catalog of every step type, refer to the Step type index.
| Intent | Step |
|---|---|
| Run a Query DSL search | elasticsearch.search |
| Run an ES\|QL query | elasticsearch.esql.query |
| Index one document | elasticsearch.index |
| Index many documents efficiently | elasticsearch.bulk |
| Update a document | elasticsearch.update |
| Create, delete, or check an index | elasticsearch.indices.create, elasticsearch.indices.delete, elasticsearch.indices.exists |
| Call an Elasticsearch API not listed above | elasticsearch.request |
| Intent | Step |
|---|---|
| Create a case | cases.createCase |
| Look up a case | cases.getCase, cases.findCases, cases.getCasesByAlertId |
| Change status, severity, or tags | cases.updateCase or the field-specific set* steps |
| Attach alerts or observables | cases.addAlerts, cases.addObservables |
| Add a comment | cases.addComment |
| Close the case | cases.closeCase |
| Assign or unassign | cases.assignCase, cases.unassignCase |
The kibana.* case steps (kibana.createCase, kibana.getCase, kibana.updateCase, kibana.addCaseComment) are deprecated. Use the cases.* replacements. Refer to Migrate workflows from 9.3 to 9.4.
| Intent | Step |
|---|---|
| Change alert status (open, closed, acknowledged, in-progress) | kibana.SetAlertsStatus (PascalCase) |
| Add or remove tags on alerts | kibana.SetAlertTags (PascalCase) |
| Intent | Step |
|---|---|
| There's a dedicated Kibana connector (Slack, Jira, PagerDuty, and so on) | The connector's named step, for example slack.postMessage. |
| No dedicated connector, credentials matter | http with a configured HTTP connector for secrets storage. |
| No dedicated connector, quick one-off | http without a connector-id. |
| Intent | Step |
|---|---|
| Conditional branch | if |
| Multi-way dispatch on a value | switch |
| Iterate over an array | foreach |
| Loop until a condition is false | while |
| Fan out to independent executions | workflow.executeAsync |
| Exit or skip a loop iteration | loop.break, loop.continue |
| Small conditional on a single step | Step-level if: field. Refer to the Steps overview. |
| Intent | Step |
|---|---|
| Fixed-duration pause | wait |
| Pause for human input | waitForInput. Refer to Human-in-the-loop. |
| Intent | Step |
|---|---|
| Set a named variable | data.set |
| Map each element of an array to a new shape | data.map |
| Keep only matching elements | data.filter |
| Find the first matching element | data.find |
| Group and aggregate | data.aggregate |
| Concatenate arrays | data.concat |
| Remove duplicates | data.dedupe |
| Parse or serialize JSON | data.parseJson, data.stringifyJson |
| Extract or replace through regex | data.regexExtract, data.regexReplace |
| A small inline transform | Liquid templating, no step needed |
| Intent | Step |
|---|---|
| General prompt, optionally with structured output | ai.prompt |
| Classify into a fixed category set | ai.classify |
| Summarize content | ai.summarize |
| Invoke an Elastic Agent Builder agent | ai.agent |
| Intent | Step |
|---|---|
| Synchronous: parent waits for the child's result | workflow.execute |
| Fire-and-forget | workflow.executeAsync |
| Emit outputs from a child workflow | workflow.output |
| Explicitly terminate a workflow as failed | workflow.fail |
| Intent | Step |
|---|---|
| Log a message to the execution view | console |
| Understand what a step produced mid-run | Inspect the step's output in the execution view. Refer to Monitor workflow execution. |
| Log only when running a test | console with a step-level if: "execution.isTestRun" |
Browse the Step type index for an A-to-Z list, or use the YAML editor's autocomplete in Kibana. The autocomplete surfaces every step type with its description as you type.
- Anatomy of a workflow: Every top-level field and the execution lifecycle.
- Steps overview: The step catalog organized by category.
- Step type index: Alphabetical lookup for every step type.
- Cheat sheet: One-page bookmark reference.