Workflows

A workflow is a defined sequence of steps designed to achieve a specific outcome through automation. It's a reusable, versionable "recipe" that transforms inputs into actions.

If you've been using the Keep HQ workflow docs, it's time to make the switch. Keep HQ's workflow docs are no longer maintained, and the Elastic workflow docs are now the source of truth for all up-to-date workflow documentation.

Insight into your data isn't enough. The ultimate value lies in action and outcomes. Workflows complete the journey from data to insights to automated outcomes. Your critical operational data already lives in the Elastic cluster: security events, infrastructure metrics, application logs, and business context. Workflows let you automate end-to-end processes to achieve outcomes directly where that data lives, without needing external automation tools.

Workflows address common operational challenges, such as:

  • Alert fatigue: Automate responses to reduce manual triage.
  • Understaffing: Enable teams to do more with fewer resources.
  • Manual, repetitive work: Automate routine tasks consistently.
  • Tool fragmentation: Eliminate the need to add on external automation tools.

Workflows can handle a wide range of tasks, from simple, repeatable steps to complex processes. They're for you if you want to cut down on manual effort, speed up response times, and make sure recurring situations are handled consistently.

Some key concepts to understand while working with workflows:

  • Triggers: The events or conditions that initiate a workflow. Refer to Triggers to learn more.
  • Steps: The individual units of logic or action that make up a workflow. Refer to Steps to learn more.
  • Data: How data flows through your workflow, including inputs, constants, context variables, step outputs, and Liquid templating for dynamic values. Refer to Pass data and handle errors to learn more.

Workflows are defined in YAML. In the YAML editor, describe what the workflow should do, and the platform handles execution. The example below uses the stack 9.5+ and serverless structure, where inputs is defined under the manual trigger. On stack 9.4 and earlier, inputs sits at the workflow root.

For the full reference on every top-level field and the execution lifecycle (including both inputs placements), refer to Anatomy of a workflow.

# ═══════════════════════════════════════════════════════════════
# METADATA - Identifies and describes the workflow
# ═══════════════════════════════════════════════════════════════
name: My Workflow
description: What this workflow does
enabled: true
tags: ["demo", "production"]

# ═══════════════════════════════════════════════════════════════
# CONSTANTS - Reusable values defined once, used throughout
# ═══════════════════════════════════════════════════════════════
consts:
  indexName: "my-index"
  environment: "production"
  alertThreshold: 100
  endpoints:
    api: "https://api.example.com"
    backup: "https://backup.example.com"

# ═══════════════════════════════════════════════════════════════
# TRIGGERS - How/when the workflow starts; inputs nest under manual
# ═══════════════════════════════════════════════════════════════
triggers:
  - type: manual
    inputs:
      - name: environment
        type: string
        required: true
        default: "staging"
        description: "Target environment"
      - name: dryRun
        type: boolean
        default: true
  # - type: scheduled
  #   with:
  #     every: 1d
  # - type: alert

# ═══════════════════════════════════════════════════════════════
# STEPS - The actual workflow logic (executed in order)
# ═══════════════════════════════════════════════════════════════
steps:
  - name: step_one
    type: elasticsearch.search
    with:
      index: "{{consts.indexName}}"
      query:
        match_all: {}

  - name: step_two
    type: console
    with:
      message: |
        Environment: {{inputs.environment}}
        Found: {{steps.step_one.output.hits.total.value}}
		
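Notes on the example, in order of appearance:

  1. name (required): Unique identifier
  2. description (optional): Shown in UI
  3. enabled (optional): Enable or disable execution
  4. tags (optional): For organizing workflows
  5. consts values such as endpoints: Can be objects/arrays
  6. type: manual: User clicks Run button
  7. inputs: Parameters passed when triggered
  8. type: scheduled: Runs on a schedule
  9. type: alert: Triggered by an alert
  10. {{consts.indexName}}: Reference constants
  11. {{inputs.environment}}: Reference inputs
  12. {{steps.step_one.output...}}: Reference step output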
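
A pre-enable check for the three reference kinds used in the example (constants, inputs, step output), written for this page as an added example and not part of the Elastic documentation or product. It assumes the workflow YAML has already been parsed into a mapping, reads inputs from both placements described above, and only checks the consts, inputs and steps roots; the function names are hypothetical.

```python
import re

# Leading dotted path of each {{ ... }} expression; Liquid filters after "|" are ignored.
REF = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)")

def declared_inputs(wf):
    """Input names from both placements: workflow root (9.4-) and manual trigger (9.5+)."""
    names = {i["name"] for i in wf.get("inputs") or []}
    for trig in wf.get("triggers") or []:
        if trig.get("type") == "manual":
            names |= {i["name"] for i in trig.get("inputs") or []}
    return names

def strings(node):
    """Yield every string nested anywhere inside a step's `with` block."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings(child)

def unresolved_refs(wf):
    """Return (step name, reference) pairs that name nothing defined at that point."""
    known = {"consts": wf.get("consts") or {}, "inputs": declared_inputs(wf), "steps": set()}
    problems = []
    for step in wf.get("steps") or []:
        for text in strings(step.get("with")):
            for ref in REF.findall(text):
                root, _, rest = ref.partition(".")
                # Assumption: other roots (context variables) are left unchecked.
                if root in known and rest.split(".")[0] not in known[root]:
                    problems.append((step["name"], ref))
        known["steps"].add(step["name"])  # steps run in order: visible to later steps only
    return problems

# Constructed sample: the page's workflow as a parsed mapping, two mistakes planted in step_two.
WORKFLOW = {
    "consts": {"indexName": "my-index"},
    "triggers": [{"type": "manual", "inputs": [{"name": "environment"}, {"name": "dryRun"}]}],
    "steps": [
        {"name": "step_one", "type": "elasticsearch.search",
         "with": {"index": "{{consts.indexName}}", "query": {"match_all": {}}}},
        {"name": "step_two", "type": "console",
         "with": {"message": "Environment: {{inputs.env}}\n"
                             "Found: {{steps.step_one.output.hits.total.value}}\n"
                             "Next: {{ steps.step_three.output }}"}},
    ],
}
print(unresolved_refs(WORKFLOW))
```

The sample reports the undeclared input and the reference to an undefined step, both in step_two.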

Explore what you can automate:

  • Use cases: Browse security, observability, and AI-augmented patterns you can build with workflows today.

Concepts, reference, and authoring: