Skip to content

[Agent Builder] Provide tools docs #3441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
+149 −13
Open

[Agent Builder] Provide tools docs #3441

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b6770c3
[Agent Builder] Provide tools docs
jedrazb Oct 10, 2025
b341073
update index search docs
jedrazb Oct 10, 2025
e91cfae
try adding to toc
jedrazb Oct 10, 2025
8da1f4c
try again
jedrazb Oct 10, 2025
0a589f1
Update solutions/search/agent-builder/tools/esql-tools.md
jedrazb Oct 10, 2025
db47d7a
Update solutions/search/agent-builder/tools/index-search-tools.md
jedrazb Oct 10, 2025
d245756
Update solutions/search/agent-builder/tools/esql-tools.md
jedrazb Oct 10, 2025
c4695b1
Update solutions/search/agent-builder/tools/index-search-tools.md
jedrazb Oct 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions solutions/search/agent-builder/tools.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,9 @@ Tool namespacing helps organize and identify tools by their source. Built-in too

You can extend the built-in tool catalog with your own custom tool definitions. Custom tools offer flexibility in how they interact with your data:

- **Scoped tools**: Define tools that are scoped to a specific index or pattern, allowing the LLM to decide how to query those indices based on the user's request
- **Explicit query tools**: Define tools with explicit {{esql}} queries for precise, pre-defined data retrieval operations
- **[Index search tools](tools/index-search-tools.md)**: Define tools that are scoped to a specific index or pattern, allowing the LLM to decide how to query those indices based on the user's request
- **[ES|QL tools](tools/esql-tools.md)**: Define tools with explicit {{esql}} queries for precise, pre-defined data retrieval operations


This flexibility allows you to create tools that match your specific use cases and data access patterns.

Expand Down Expand Up @@ -110,7 +111,7 @@ You can create custom tools to help agents interact with your data in specific w
4. Fill in the required fields:
- **Name**: Enter a descriptive name for your tool
- **Description**: Write a clear explanation of what the tool does and when it should be used
- **Tool type**: Choose either **{{esql}}** query or **Index search**
- **Tool type**: Choose either **[{{esql}}](tools/esql-tools.md)** or **[Index search](tools/index-search-tools.md)**
- **Parameters**: For tools with {{esql}} queries, define any parameters your query needs
- **Tags**: (Optional) Add labels to categorize and organize your tools
5. Choose how to save your tool:
Expand Down Expand Up @@ -211,4 +212,4 @@ The **Tools** UI provides a **Copy your MCP server URL** button for easy access.
:width: 250px
:::

For detailed MCP server configuration, refer to [MCP server](mcp-server.md).
For detailed MCP server configuration, refer to [MCP server](mcp-server.md).
64 changes: 64 additions & 0 deletions solutions/search/agent-builder/tools/esql-tools.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
---
navigation_title: "ES|QL tools"
applies_to:
stack: preview 9.2
serverless:
elasticsearch: preview
---

:::{warning}
These pages are currently hidden from the docs TOC and have `noindexed` meta headers.

**Go to the docs [landing page](/solutions/search/elastic-agent-builder.md).**
:::

# {{esql}} tools

{{esql}} query tools enable you to create parameterized queries that execute directly against your {{es}} data. These custom tools provide precise control over data retrieval through templated [{{esql}}](elasticsearch://reference/query-languages/esql.md) statements.

## When to use {{esql}} tools

Use custom **{{esql}} tools** when:

* You need precise control over the query logic
* Your use case involves repeatable analytical patterns
* You want to expose specific, parameterized queries to agents
* Results should be in a predictable tabular format
* You have well-defined data retrieval requirements

## Key characteristics

* Execute pre-defined {{esql}} queries with dynamic parameters
* Support typed parameters
* Return results in tabular format for structured data analysis
* Ideal for repeatable analytical queries with variable inputs

## Parameter types

{{esql}} tools support the following parameter types:

* **String types**: `text`, `keyword`
* **Numeric types**: `long`, `integer`, `double`, `float`
* **Other types**: `boolean`, `date`, `object`, `nested`

## Parameter options

Parameters can be configured as:

* **Required**: Must be provided by the agent when calling the tool
* **Optional**: Can be omitted; uses `null` if no default is specified

## Query syntax

In your {{esql}} query, reference parameters using the `?parameter_name` syntax. The agent will automatically interpolate parameter values when executing the query.


## Best practices

- **Include LIMIT clauses**: Prevent returning excessive results by setting reasonable limits
- **Use meaningful parameter names**: Choose names that clearly indicate what the parameter represents (e.g., `start_date` instead of `date1`)
- **Provide clear descriptions**: Help agents understand when and how to use each parameter

## {{esql}} documentation

To learn more about the language, refer to the [{{esql}} docs](elasticsearch://reference/query-languages/esql.md).
69 changes: 69 additions & 0 deletions solutions/search/agent-builder/tools/index-search-tools.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
navigation_title: "Index search tools"
applies_to:
stack: preview 9.2
serverless:
elasticsearch: preview
---

:::{warning}
These pages are currently hidden from the docs TOC and have `noindexed` meta headers.

**Go to the docs [landing page](/solutions/search/elastic-agent-builder.md).**
:::

# Index search tools

Index search tools provide intelligent, natural language-driven search over specified {{es}} resources. Instead of defining explicit queries, you specify a pattern of [indices](/manage-data/data-store/index-basics.md), [aliases](/manage-data/data-store/aliases), or [data streams](/manage-data/data-store/data-streams.md), and the tool uses a combination of built-in capabilities to intelligently interpret and execute search requests.

Check failure on line 17 in solutions/search/agent-builder/tools/index-search-tools.md

View workflow job for this annotation

GitHub Actions / preview / build 

`/manage-data/data-store/aliases` does not exist. If it was recently removed add a redirect. resolved to `/github/workspace/manage-data/data-store/aliases

## When to use index search tools

Use custom **Index search tools** when:

* You want agents to handle diverse, exploratory queries
* The search intent varies significantly across requests
* Users need flexible, ad-hoc search functionality
* You want to scope general search capabilities to specific indices

## Key characteristics

* Accept natural language queries from the agent
* Automatically determine optimal search strategy (full-text, semantic)
* Leverage built-in tools like index exploration, query generation, and semantic search
* Ideal for flexible, user-driven exploratory searches
* No need to pre-define query logic

## Configuration

Index search tools require only a single configuration parameter:

* **`pattern`**: An index pattern string (e.g., `logs-*`, `my-index`, `.alerts-*`) specifying which indices, aliases, or data streams to search

## How it works

When an agent calls an index search tool:

1. The agent provides a natural language query (e.g., "find recent errors related to authentication")
2. The tool analyzes the query intent and available indices
3. It automatically orchestrates built-in tools to:
- Explore the index structure and mappings
- Generate appropriate queries ({{esql}} or query DSL)
- Execute semantic search if relevant
- Rank and format results
4. Returns results in a format the agent can interpret and present


## Best practices

- **Use specific patterns**: Scope tools to relevant index patterns rather than broad wildcards (e.g., `logs-myapp-*` instead of `logs-*`)
- **Write descriptive tool names**: Help agents select the right tool for the query (e.g., "Search Security Alerts" vs. "Search Tool")
- **Provide context in descriptions**: Explain what data the indices contain and what types of questions the tool can answer
- **Create domain-specific tools**: Build separate tools for different data domains (logs, metrics, alerts) rather than one general-purpose tool


## Common patterns

* **Wildcard patterns**: `logs-*`, `metrics-*`, `events-*`
* **Specific indices**: `products`, `users`, `orders`
* **System indices**: `.alerts-security-*`, `.ml-anomalies-*`
* **All resources**: `*`
20 changes: 11 additions & 9 deletions solutions/toc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
project: 'Solutions and use cases'
project: "Solutions and use cases"
toc:
- file: index.md
- file: search.md
Expand Down Expand Up @@ -50,6 +50,8 @@ toc:
- hidden: search/agent-builder/chat.md
- hidden: search/agent-builder/agent-builder-agents.md
- hidden: search/agent-builder/tools.md
- hidden: search/agent-builder/tools/esql-tools.md
- hidden: search/agent-builder/tools/index-search-tools.md
- hidden: search/agent-builder/programmatic-access.md
- hidden: search/agent-builder/kibana-api.md
- hidden: search/agent-builder/mcp-server.md
Expand Down Expand Up @@ -458,13 +460,13 @@ toc:
- file: observability/logs/logs-index-template-defaults.md
- file: observability/streams/streams.md
children:
- file: observability/streams/management/extract.md
children:
- file: observability/streams/management/extract/date.md
- file: observability/streams/management/extract/dissect.md
- file: observability/streams/management/extract/grok.md
- file: observability/streams/management/retention.md
- file: observability/streams/management/advanced.md
- file: observability/streams/management/extract.md
children:
- file: observability/streams/management/extract/date.md
- file: observability/streams/management/extract/dissect.md
- file: observability/streams/management/extract/grok.md
- file: observability/streams/management/retention.md
- file: observability/streams/management/advanced.md
Comment on lines +463 to +469
Copy link
Contributor

@leemthompo leemthompo Oct 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't going to mess up anything is it 😄 I know how finicky yaml can be

Copy link
Member Author

@jedrazb jedrazb Oct 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm that was prettier should be safe and consistent with the rest

- file: observability/incident-management.md
children:
- file: observability/incident-management/alerting.md
Expand Down Expand Up @@ -745,4 +747,4 @@ toc:
- file: security/advanced-entity-analytics/privileged-user-monitoring-setup.md
- file: security/advanced-entity-analytics/monitor-privileged-user-activitites.md
- file: security/asset-management.md
- file: security/apis.md
- file: security/apis.md
Loading