Glossary

Every term and acronym used elsewhere in the Workflows documentation. Each entry links to the canonical reference page where one exists.

In alerting, an operation a rule takes when it fires. Workflows runs as an action through the Run workflow rule action. Refer to Alert triggers.

A Kibana feature for building conversational AI agents. Workflows integrates as a tool provider (workflows can be called by agents) and as a step type (ai.agent calls agents from a workflow). Refer to Elastic Agent Builder.

A document produced by an alerting rule when it fires. See also Detection alert.

One of new, ongoing, or recovered. Workflows can trigger on any combination of these states. Refer to Alert triggers.

A Kibana construct that watches data and fires when a condition is met. Triggers alert-type workflows. Refer to Alert triggers.

The top-level structure of a workflow YAML file. Refer to Anatomy of a workflow.

C

A Kibana Cases document for tracking an investigation. Workflows provides 25+ cases.* step types. Refer to Cases action steps.

Invoking one workflow from another. The parent calls a child through workflow.execute (synchronous) or workflow.executeAsync (fire-and-forget). Refer to Composition steps and Compose workflows.

How deep a nested workflow.execute chain goes. Capped by the engine to prevent infinite recursion. Refer to Composition steps.

Controls for what happens when overlapping executions would otherwise run at the same time. Configured under settings.concurrency. Refer to Workflow settings.

A configured integration with an external system (Slack, Jira, PagerDuty, OpenAI, and so on). Referenced from workflow steps by connector-id. Refer to Kibana connectors.

The shared data environment a workflow execution builds up as steps run. Accessed in YAML through Liquid templating. Refer to Pass data and handle errors.

A named item in the workflow context: inputs.*, consts.*, steps.*, event.*, foreach.*, execution.*, and so on. Refer to Context variables.

A step type in the data.* namespace for transformations: data.filter, data.map, data.aggregate, and others. Refer to Data action steps.

An alert produced by an Elastic Security detection rule. Always in state new when delivered to a workflow. Refer to Alert triggers.

Elasticsearch Query Language. Elasticsearch's SQL-like query language. Used in elasticsearch.esql.query steps. Refer to Elasticsearch action steps and ES|QL reference.

The trigger payload. For alert triggers, the alert data; for scheduled triggers, empty. Accessed as event.* in Liquid templates. Refer to Context variables.

A trigger that fires on a platform event rather than on a schedule or manual invocation. Includes workflows.failed and the cases.* event triggers. Refer to Event-driven triggers.

One run of a workflow. Has an ID, a start time, a trigger, a terminal state, and an execution view. Refer to Monitor workflow execution.

An on-failure strategy that runs alternative steps when the primary step fails and all retries are exhausted. Refer to Pass data and handle errors.

Starting multiple concurrent pieces of work from one workflow. Implement with workflow.executeAsync for independent child executions, or foreach for per-item iteration within one execution.

Both a step type and a step-level field. The step type is a loop; the field is a per-step iteration modifier. Refer to foreach and the Steps overview.

Generative AI. A model class that produces text, code, or structured data from a prompt. Workflows integrates through connectors (OpenAI, Bedrock, Gemini, Generic GenAI) and the ai.* step types. Refer to AI steps.

Human-in-the-loop. A workflow that pauses for human input, typically through waitForInput. Refer to Human-in-the-loop.

A runtime parameter of a workflow. Declared under the manual trigger on 9.5+ and serverless, or at the workflow root on 9.4. Refer to Anatomy: inputs.

Kibana Query Language. Used for if conditions and data.filter predicates in workflows. Refer to the KQL reference.

L

The template language used to reference context variables inside workflow YAML. The engine evaluates expressions like {{ inputs.name }} and ${{ steps.fetch.output }} at runtime. Refer to Templating engine.

In Cases, an indicator of compromise (IP, hash, domain, URL). Added with cases.addObservables. Refer to cases.addObservables.

Per-step error-handling configuration. Strategies: retry, continue, fallback, abort. Refer to Pass data and handle errors.

Either the data a step produces (accessed through steps.<name>.output), or a top-level declaration of what a workflow returns (required for workflows invoked through composition). Refer to Anatomy: outputs.

Role-based access control. Kibana's privilege system. Workflows defines seven sub-feature privileges (create, read, update, delete, execute, readExecution, cancelExecution). Refer to Set up Workflows.

Continuing a paused workflow after a waitForInput step. Done through the UI or the REST API. Refer to Human-in-the-loop.

An on-failure strategy that re-runs a step. Supports exponential backoff, jitter, and per-error conditions. Refer to Pass data and handle errors.

Recurrence Rule. The iCalendar recurrence specification. Scheduled triggers accept rrules for calendar-style recurrence. Refer to Scheduled triggers.

S

A trigger that runs a workflow on a time-based schedule. Refer to Scheduled triggers.

The declared shape of a workflow's outputs. Required for workflows invoked through workflow.execute. The engine validates child outputs against this schema before returning them to the parent. Refer to Anatomy: outputs.

A Kibana tenancy construct. Workflows belong to spaces; triggers and connectors scope to the space.

One unit of work in a workflow. Has a name, a type, and step-specific parameters. Refer to the Steps overview.

The identifier of a particular kind of step (elasticsearch.search, cases.createCase, and so on). Refer to the Step type index.

A Kibana Observability feature. Workflow steps in the kibana.streams.* namespace operate on Observability streams. Refer to Streams action steps.

T

A stability level. Features are usable and documented, but the schema or behavior can change in future releases. Marked with applies_to: <product>: preview in this docset; the badge appears at the top of each affected page and beside the navigation entry.

An execution's final state. One of completed, failed, cancelled, timed_out, or skipped. Refer to Anatomy: execution lifecycle.

What starts a workflow. Supported types: manual, scheduled, alert, workflows.failed, and the cases.* event-driven triggers. Refer to Triggers.

Named values set by data.set steps. Global within an execution. Accessed as variables.<name>. Refer to data.set.

The human-in-the-loop primitive. Pauses a workflow for human input. Refer to Human-in-the-loop and waitForInput.

A declarative YAML automation. The primary unit of work in Elastic Workflows. Refer to Anatomy of a workflow.

An event-driven trigger that fires when another workflow's execution reaches the failed terminal state. Used to build handler workflows that react to failures.

Y

YAML Ain't Markup Language. The format in which workflows are authored. Whitespace-sensitive.

  • Cheat sheet: One-page bookmark reference for the YAML shape, common patterns, and top gotchas.
  • Step type index: Alphabetical catalog of every step type.
  • Context variables: Every variable you can reference in a Liquid expression.
  • Liquid filters: Filters available in workflow expressions.