athal7/elasticsearch
skills/elasticsearch/SKILL.md
Query Elasticsearch logs, APM traces, and errors — index patterns, field names, auth setup, and time-range syntax
$ install --global
skillsauthnpx skillsauth add athal7/dotfiles elasticsearchInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 26, 2026, 2:03 AM68.6s1 file scanned
SKILL.md
- name:
- elasticsearch
- description:
- Query Elasticsearch logs, APM traces, and errors — index patterns, field names, auth setup, and time-range syntax
- license:
- MIT
Query application logs, APM traces, and errors using the Elasticsearch REST API directly.
Endpoint: $ES_URL — base URL varies per environment.
Time range syntax
Pass time_range as a string like 15m, 1h, 24h, 7d. Translates to now-{value}{unit} in ES range filters.
Query logs
Search application logs. Index: logs-*. Sorted by @timestamp desc.
POST logs-*/_search
{"query":{"bool":{"must":[{"query_string":{"query":"YOUR LUCENE QUERY HERE"}},{"range":{"@timestamp":{"gte":"now-1h"}}}]}},"_source":["@timestamp","message","log.level","service.name","trace.id"],"sort":[{"@timestamp":"desc"}],"size":100}
Response fields: .hits.hits[]._source — extract @timestamp, log.level, service.name, message.
Add a service filter by inserting a term clause into the must array:
{"term": {"service.name": "my-service"}}
Query APM traces
Find slow transactions. Index: traces-apm*. Sorted by duration desc.
POST traces-apm*/_search
{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-1h"}}},{"range":{"transaction.duration.us":{"gte":500000}}}]}},"_source":["@timestamp","service.name","transaction.name","transaction.duration.us","transaction.result","trace.id"],"sort":[{"transaction.duration.us":"desc"}],"size":50}
Response fields: .hits.hits[]._source — extract @timestamp, service.name, transaction.name, transaction.duration.us (microseconds), transaction.result.
Query APM errors
Find exceptions and error groups. Index: logs-apm.error-*. Sorted by @timestamp desc.
POST logs-apm.error-*/_search
{"query":{"bool":{"must":[{"exists":{"field":"error.exception"}},{"range":{"@timestamp":{"gte":"now-1h"}}}]}},"_source":["@timestamp","error.exception.type","error.exception.message","error.grouping_key","service.name","transaction.name"],"sort":[{"@timestamp":"desc"}],"size":50}
Response fields: .hits.hits[]._source — extract @timestamp, error.exception.type, error.exception.message, service.name.
Tips
query_stringuses Lucene syntax:error AND timeout,level:ERROR,message:"connection refused"- To count by service: append
,"aggs":{"by_svc":{"terms":{"field":"service.name","size":10}}}to the query JSON and read.aggregations.by_svc.buckets trace.idlinks logs ↔ traces ↔ errors across indices
Kibana Dashboard API Gotchas
PUT /api/saved_objects/dashboard/:idreplaces ALL attributes. Read the full object first, modify onlypanelsJSON, and write everything back includingcontrolGroupInput,optionsJSON, etc. Omitting any attribute silently breaks panels.PUT /api/saved_objects/index-pattern/:idwipes thefieldsattribute if you only settitle/timeFieldName. To recreate safely, delete and usePOST /api/data_views/data_viewwhich auto-discovers fields.- Inline Lens panels referencing an
index-patternsaved object render blank if that object is corrupted. The resilient pattern isadHocDataViews+internalReferencesinsideembeddableConfig.attributes.state— self-contained, no external saved-object dependency. - ES transform
_updatecannot changepivot. Must stop, delete, recreate. If the dest index has historical data from rolled-over source indices, check_snapshotfirst.
Related Skills
athal7/zoom
development
VerifiedTrustedCommunity
Zoom meeting captions — file locations and format
6SKILL.mdUpdated May 24, 2026
athal7/dictation
tools
VerifiedTrustedCommunity
macOS dictation custom vocabulary — sync knowledge base names and terms to the system spelling dictionary
6SKILL.mdUpdated May 24, 2026
athal7/knowledge-base
testing
VerifiedTrustedCommunity
Look up people, projects, products, and decisions locally first: contact info (email, Slack ID, GitHub handle), titles and teams, project/product status, who works on what, and past decisions. Check before searching Slack, email, calendar, or GitHub — this is the first stop for any contact detail, project context, or decision-history question.
6SKILL.mdUpdated May 21, 2026
athal7/communication
testing
VerifiedTrustedCommunity
Communication style, audience awareness, and AI-authorship markers for human-facing prose — load when composing chat messages, review comments, merge request descriptions, emails, doc bodies, or ticket descriptions
6SKILL.mdUpdated May 21, 2026