elastic/agent-skills
33 skills34.3k installs16.6k starsGitHub
Install
npx skills add https://github.com/elastic/agent-skillsSkills in this repo
1Elasticsearch EsqlElasticsearch-esql is an agent skill for executing ES|QL queries against Elasticsearch and guiding migration from JSON Query DSL to the piped ES|QL language. Solo builders shipping search, logs, or analytics on Elastic use it when implementing or refactoring query paths in Node services. The bundled guide maps common DSL constructs—term and match queries, bool composition, range filters, aggregations, sorting, and pagination—to ES|QL equivalents, including LOOKUP JOIN and per-aggregation WHERE patterns. It suits intermediate developers who already run Elasticsearch 9.x style clients and need consistent, agent-assisted query rewrites rather than guessing syntax. Prerequisites include a reachable cluster, index knowledge, and comfort reading both DSL and piped query forms. Deliverables are runnable ES|QL and clearer migration notes where DSL features lack direct parity.1.5kinstalls2Kibana Dashboardskibana-dashboards is an agent skill for solo builders and tiny teams running the Elastic stack who need reproducible Kibana dashboards without clicking through the UI for every iteration. The skill materializes dashboard JSON: markdown intro panels, visualization panels referencing ES|QL queries against indices like kibana_sample_data_logs, metric aggregations, and xy bar charts broken out by fields such as response codes. Your coding agent can assemble a Basic Dashboard or a richer Log Analysis layout, set sensible default time windows, and align panel IDs and grid positions so exports stay diff-friendly in git. It matters when you have data in Elasticsearch and want shareable observability during growth experiments, launch traffic reviews, or post-ship health checks. Intermediate familiarity with Kibana panel types and ES|QL helps; the skill is a template and generator for API-oriented dashboard definitions rather than a hosted MCP. Pair it with your cluster credentials and Kibana URL in your own deploy scripts when promoting dashboards across environments.1.2kinstalls3Observability Logs SearchObservability Logs Search is an Elastic agent-skills reference that teaches solo builders and small teams how to search Observability log data streams without guessing field names. It standardizes index patterns such as logs-*-*, logs-*, and filebeat-* so queries hit the right data streams, and it insists on ECS field names because index templates alias OpenTelemetry shapes like body.text and severity_text into message and log.level. The skill documents trace and span identifiers, service and host metadata, and Kubernetes pod and namespace fields, plus ordered fallbacks when ECS and OTel aliases differ. Use it when an agent is drafting Elasticsearch or Kibana queries, explaining why a filter returns no hits, or building dashboards that must group by service.environment and deployment.environment consistently. It is reference material—not a deploy or ingest skill—so pair it with your stack’s logging setup and Elastic docs for full stack context.1.2kinstalls4Elasticsearch AuthnElasticsearch Authentication is a concise agent skill that catalogs Elasticsearch authentication realms—from native and file through LDAP, Active Directory, PKI, SAML, OpenID Connect, JWT, and Kerberos—and summarizes how internal versus external realms behave in a cluster. Solo builders and small teams shipping search or observability stacks on Elastic Cloud or self-managed clusters use it when they must pick an auth mechanism, wire SSO or API keys, or sanity-check that credentials resolve to the expected user and realm. The skill is reference-oriented rather than a full implementation walkthrough: it orients you toward the correct Elastic deploy-manage docs and the authenticate endpoint so your agent does not guess realm names or API paths. It matters because misconfigured auth blocks ingest pipelines, Kibana access, and automated clients; having realm categories and the verify call in one place speeds secure ship decisions without rereading entire Elastic security guides.1.1kinstalls5Elasticsearch File IngestElasticsearch File Ingest is an Elastic agent skill that walks solo builders and small teams through loading file batches into Elasticsearch using script-driven ingest patterns. It fits when you already have JSON or log dumps and need indexed documents with sensible mappings—not when you only need a one-line curl test. The skill surfaces concrete mapping JSON for common observability fields and shows how to wire optional transform modules that skip bad rows, annotate validation timestamps, or split one record into many (for example hashtag fan-out). That pattern keeps poisoned or test data out of production indices while staying reproducible in git. Use it during Operate when standing up log backfills, customer data imports, or reindex jobs against a managed or self-hosted cluster. You should know basic Elasticsearch indices and Node ESM export defaults for transforms. The skill is integration-focused: it complements Elastic’s stack rather than replacing Logstash or ingest pipelines for every scenario.1.1kinstalls6Kibana Agent BuilderKibana Agent Builder is an Elastic-maintained agent skill for solo and indie builders who ship AI assistants on Elasticsearch and Kibana. It walks you through creating, updating, deleting, inspecting, and chatting with agents, and through listing, testing, and managing custom tools such as ES|QL, index search, and workflows. You set Kibana URL and credentials first, then run scripted flows rather than clicking only in the UI. The skill fits builders wiring production agents on Elastic Cloud or self-managed stacks who want repeatable agent and tool changes from Claude Code, Cursor, or Codex. It is integration-focused agent tooling, not a generic brainstorming or planning methodology.1.1kinstalls7Elasticsearch AuthzElasticsearch Authorization is a reference-oriented agent skill from Elastic’s agent-skills repo that steers coding agents through the Elasticsearch Security API for users, roles, and role mappings. Solo builders and small teams running search, observability, or logging stacks install it when they must provision native users, attach roles, or adjust mappings without digging through scattered docs mid-incident. The embedded material focuses on create-or-update user endpoints, required manage_security privilege, and canonical JSON bodies for passwords, role arrays, full_name, email, enabled flags, and metadata. It is aimed at operators who already have a cluster and need correct HTTP verbs and field semantics rather than a greenfield tutorial. Use it while hardening production access, rehearsing disaster recovery credentials, or aligning staging role names with production. It complements ship-phase security reviews but does not replace Elastic’s full RBAC modeling guide, SAML/OIDC setup, or automated IaC modules—you still design least-privilege roles outside the snippet.1.1kinstalls8Elasticsearch AuditElasticsearch-audit is a Security-focused agent skill that packages Elastic’s audit logging API surface for builders running Elasticsearch in production. It documents how to enable auditing through cluster settings under xpack.security.audit, choose outputs such as logfile or index, and tune which security events are recorded via include and exclude lists. Solo operators use it when they need a precise, copy-paste-friendly reference instead of digging through full Elastic docs during an incident or compliance pass. The skill positions itself alongside Kibana audit configuration and points to official auditing settings documentation for deeper policy work. It assumes you already operate a cluster and need correct HTTP paths and setting names while adjusting retention, SIEM forwarding, or access reviews.1.1kinstalls9Kibana Alerting RulesThe kibana-alerting-rules skill gives indie operators and small teams a concise map of Kibana’s alerting REST surface when they need detect-and-notify automation instead of clicking through the UI. It frames every rule as conditions plus schedule plus actions, clarifies how fired alerts reach connectors, and lists the HTTP operations, auth headers, and privilege bundles required so API calls do not fail on CSRF or missing feature access. Space-aware URL patterns are included for multi-tenant Kibana deployments. The description also positions Terraform alongside the API for teams that want versioned rule definitions. It assumes you already run Elasticsearch and Kibana and need repeatable rule management during incident readiness or SRE workflows—not greenfield observability strategy from scratch.1.1kinstalls10Elasticsearch OnboardingThis Elastic agent skill (catalog e-commerce search guide) walks solo builders and small teams through implementing shopping-oriented Elasticsearch experiences: searchable titles and descriptions, facet counts by brand and price, typeahead suggestions, spelling corrections, and attribute-based boosting. It applies when the product is a catalog or marketplace and relevance must respect structured fields—not just full-text hits. The guide sequences index design, query patterns, and when to escalate to hybrid vector search for meaning-based recommendations. It explicitly redirects bare document search use cases to keyword or hybrid guides so you do not over-engineer mappings. For indie SaaS and storefront MVPs, it reduces integration guesswork so your agent proposes production-shaped mappings instead of generic search snippets.1.1kinstalls11Kibana StreamsKibana-streams is a concise API reference skill for Elastic agent users who need to read and manage Kibana Streams without spelunking scattered documentation. It fits solo builders and small teams running observability on Elastic Cloud or self-hosted Kibana who automate stream discovery, inspection, and lifecycle changes from coding agents. The skill encodes path conventions for default and non-default spaces, path parameter naming for {name} versus {streamName} on attachments routes, and the requirement to send kbn-xsrf on lifecycle operations—details that commonly cause 403 or wrong-space failures. Primary placement is Operate monitoring because streams are how you organize and query telemetry after ship; it also supports multi-phase use when you wire Build backend logging contracts or Ship launch checks against stream health. Skill pattern is integration reference rather than a full incident runbook. Intermediate complexity assumes you already have Kibana URL, credentials, and streams feature enabled. Deliverables are correct HTTP calls and understanding of in-scope v1 read operations listed in the skill tables.1.1kinstalls12Elasticsearch Security TroubleshootingElasticsearch Security Troubleshooting is an agent skill that gives solo builders and small ops teams a concise API reference for Elastic security diagnostics during incidents. It focuses on calls like Has Privileges so any authenticated user can verify cluster, index, and Kibana application permissions without needing full security admin rights. The readme positions it alongside elasticsearch-authn and elasticsearch-authz skills for a complete picture, which suits indie SaaS and internal tooling that already run on Elastic Cloud or self-managed stacks. Use it when logs or UI errors suggest missing read, monitor, or feature_discover rights rather than when you are greenfielding index mappings. The content is reference-shaped: request JSON, field tables, and links to Elastic docs—ideal for agents that need correct endpoints and payloads instead of hallucinated security APIs.1.1kinstalls13Kibana ConnectorsKibana Connectors is an agent skill that acts as a design reference for Elasticsearch Kibana alerting rules: how each action binds to a connector, which action group fires it, and how Mustache templates inject rule and alert context into messages. Solo and indie builders running the Elastic Stack in production use it when they automate Slack, email, ticketing, or custom webhooks from detection rules without guessing API shapes or deprecated notify_when fields at the rule root. The skill emphasizes per-action frequency (summary mode, notify_when, throttle) and points to rule_types discovery for valid groups per rule type. It fits operators who already have rules but need consistent, documented connector payloads and notification cadence. It is reference material for the Operate phase, not a full connector provisioning tutorial.1.1kinstalls14Kibana VegaKibana Vega is an Elastic agent skill for solo and indie builders who already run Elasticsearch-backed observability or product analytics and need charts Lens cannot produce. It walks you through environment configuration with API keys or basic auth, insists on a successful connection test before exploration, and focuses on Vega and Vega-Lite specifications fed exclusively by ES|QL queries on Serverless Kibana or 9.4 and newer snapshots. That version gate matters because legacy Kibana data source definitions will not behave reliably with this workflow. Use it when you are composing dashboard JSON, embedding panels in saved objects, or iterating on bespoke time-series, geo, or layered marks that standard Kibana chart types do not cover. The skill pairs procedural Kibana API knowledge with visualization grammar so your coding agent does not guess index patterns or datasource shapes. It is narrower than a general Elastic onboarding guide: it assumes you want programmable visualization, not a first-time cluster install.1.1kinstalls15Kibana AuditKibana Audit is a reference-oriented agent skill from Elastic that documents how to turn on and shape Kibana audit logging: enabling xpack.security.audit, choosing rolling-file or console appenders, tuning rotation policy, and applying ignore_filters to cut noise from high-volume actions like saved_object_find. Solo builders and small teams running the Elastic Stack in production use it when they must prove who accessed dashboards, changed saved objects, or triggered security-sensitive actions—especially alongside Elasticsearch cluster audit logs. The skill points to official Elastic documentation for the full event schema and event types rather than inventing fields. It assumes you already deploy Kibana with xpack security and can edit kibana.yml on the server. Complexity is intermediate because misconfiguration can leak paths, fill disks, or miss critical events.1kinstalls16Observability Llm ObsObservability LLM Obs is an Elastic-authored agent skill for solo builders and small teams running agentic or LLM-backed services who already ship telemetry into Elasticsearch. When users ask about GenAI observability, AI cost, or workflow quality, the skill constrains reasoning to ingested APM or OpenTelemetry trace data—searching `traces*` and related OTel indices—plus integration metrics and logs where present. It emphasizes discovery-first querying because deployments may mix Elastic APM agents, OTLP exporters, and third-party LLM instrumentations. Practitioners use ES|QL and HTTP APIs rather than clicking through Kibana, which suits headless agent sessions in Claude Code or Cursor. The skill bridges Operate monitoring with Grow analytics when you slice token burn and quality trends over time. Prerequisites include an Elastic stack receiving LLM spans; it does not replace installing collectors or EDOT. Outcomes are concrete, data-backed answers about latency, spend, and multi-step agent chains grounded in your cluster—not generic monitoring theory.1kinstalls17Observability Service HealthObservability-service-health is an agent skill for solo builders and small teams running workloads on Elasticsearch who need dependable health checks during incidents and daily ops. It compresses the Multi Search and Search API surface—POST `/_msearch`, index-scoped variants, and single `/_search`—into actionable guidance so agents batch correlated queries instead of firing sloppy one-off requests. The readme stresses NDJSON formatting rules, concurrent search limits, and optional DFS query modes that affect scoring when you compare canary versus production indices. It is phase-specific to Operate monitoring: you invoke it when services are deployed and you must triage latency, errors, or saturation using Elastic as the observability backbone. Pair with your existing index and data stream naming; the skill does not provision clusters but keeps API usage correct under agent automation.1kinstalls18Security Alert Triagesecurity-alert-triage is an Elastic agent skill that teaches coding agents how to investigate detection alerts the way a disciplined SOC analyst would—optimizing for evidence, not confirmation bias. Solo founders and tiny teams often run Elastic Defend or SIEM rules without a 24/7 IR desk; this skill encodes a full triage playbook: correlate other alerts on the same user or agent, measure rule noise across the estate, reconstruct parent-child process trees, inspect DNS and lateral movement, hunt persistence and defense evasion, verify code signing, and separate production from lab noise. The guide’s fundamental principle is blunt: when you cannot substantiate a story, classify as unknown instead of forcing malicious or benign calls that either burn incident hours or hide real intrusions. Prism files it under Operate monitoring because that is where recurring alert queues live, but the same checklist supports Ship security reviews of new detections and Grow-era hardening when customer data volumes increase. It is advanced territory—you should be comfortable with Elastic data model and endpoint telemetry. Outputs are classification decisions grounded in the checklist, suitable for ti1kinstalls19Security Detection Rule ManagementSecurity Detection Rule Management is a reference skill for solo builders and small teams operating Elastic Security who need accurate Kibana Detection Engine HTTP routes while wiring or extending rule_manager.py. It catalogs find, single-rule fetch, create, partial patch, full update, delete, bulk action, NDJSON export and import, preview, and tag listing endpoints so agents do not hallucinate paths or verbs. Use it when you are automating detection content, migrating rules between clusters, or building internal tooling that talks to Elastic’s detection API. The skill is API-documentation style rather than a full detection authoring methodology; you still need valid rule JSON and cluster credentials. It matters for indie operators who ship SaaS or internal platforms on Elastic Cloud or self-hosted stacks and want repeatable, auditable rule changes without clicking through Kibana for every edit.1kinstalls20Security Case Managementsecurity-case-management is an Elastic agent skill that teaches coding agents the Kibana Cases API surface so solo operators and small security teams can open, enrich, and close incidents without clicking through every UI step. When alerts fire in Elastic Security, you need durable records—title, description, tags, severity, synced alerts—and this skill standardizes POST /api/cases creation, GET /api/cases/_find filtering, comments, and alert attachment flows. It targets builders running Elastic Stack in production who already own detections but want agent-assisted case hygiene during Operate. The reference readme is API-first (JSON bodies, query params, status filters), making it an integration pattern rather than a generic ITSM adapter. You should still enforce RBAC, connector secrets, and human approval on destructive updates; the skill accelerates consistent case metadata and audit trails.998installs21Observability Manage SlosObservability Manage Slos is an agent skill for solo builders and small teams who run services on Elastic Observability and want SLOs as code-aligned rituals, not ad-hoc dashboard tweaks. It teaches how to authenticate to the Kibana Observability SLO API, respect space-scoped URLs, and choose among the three supported SLI shapes—custom KQL for log-based good/total ratios, custom metric equations for field aggregations, and timeslice metrics when you need per-interval thresholds. Use it when you are defining service-level indicators, setting targets that imply an error budget, or updating and retiring SLOs as your architecture changes. The skill is procedural API knowledge packaged for Claude Code, Cursor, Codex, and similar agents so you can draft curl-ready requests and consistent SLI naming without re-reading Elastic docs each sprint. It does not replace your SLI math or on-call policy; it standardizes how agents help you create and manage SLO objects in Kibana once telemetry is already flowing.989installs22Security Generate Security Sample DataSecurity Generate Security Sample Data is an Elastic agent skill that guides generation of realistic security telemetry for Elastic Security stacks. Solo and indie builders standing up SIEM demos, rule tuning, or training environments often lack representative log volume; this skill documents how sample-data.js produces package-scoped events across SSH auth, endpoint exec, Windows logon codes, CloudTrail API activity, and Okta session flows. Attack simulation scenarios add multi-step chains that mirror credential access and lateral movement patterns so prebuilt rules and Kibana views have believable activity to query. The emphasis on safe IP and DNS placeholders keeps local and staging installs from leaking into real incident workflows. Use it when you need repeatable, rule-aligned datasets rather than hand-crafted JSON or scraped production logs.985installs23Cloud Setupcloud-setup is Elastic’s foundation agent skill for wiring Elastic Cloud into your local agent environment. Solo builders shipping search, logs, or security on Elastic Cloud—or evaluating the serverless trial—run it before any sibling `cloud/*` skill touches projects or deployments. The workflow is explicit: confirm `EC_API_KEY` is set (via shell and `.env`, never typed into conversation), capture sensible defaults, then validate the Cloud API connection. It steers new users to Elastic’s registration flow when they lack an account and clarifies that only organization owners can mint keys with enough privilege. For indie operators, this is the guard-railed credential gate that keeps secrets out of chat logs while still letting Claude Code or Cursor automate infra tasks consistently.973installs24Cloud Network SecurityCloud Network Security is an Elastic agent skill that packages the Serverless traffic filter API as procedural reference for coding agents helping you lock down Elastic Cloud projects. Indie builders shipping observability or search-backed SaaS on Elastic Serverless still need IP allowlists, egress rules, and PrivateLink alignment—the skill walks through list, create, get, update, and delete calls on the traffic-filters resource group plus PrivateLink region metadata discovery. Every call assumes the Elastic Cloud API base URL and an EC_API_KEY in the Authorization header, with explicit note that “network security” in higher-level docs equals “traffic filters” in JSON and paths. The content is reference-dense rather than a narrative tutorial: schema blocks for requests, patches, rules, and filter info, plus a project association section for attaching filters to deployments. Reach for it when automating infra as code or when an agent must not hallucinate endpoint shapes during incident response or hardening sprints.962installs25Cloud Manage Projectcloud-manage-project is an Elastic agent skill that documents how to operate existing Elastic Cloud Serverless projects through a Python management script and a shared `.elastic-credentials` file format. Solo builders and small teams shipping search or observability on Elastic Serverless can list and inspect projects, rename or retag them, adjust search_lake settings, rotate credentials, and delete environments without leaving the terminal. The skill explains how credential sections are written and merged, when to use `--include-admin` for one-off API key creation, and how project headers tie names to IDs for reliable `load-credentials` behavior. It fits agents that already automate Elastic provisioning and need a safe, repeatable handoff for day-two cloud ops.949installs26Observability Edot Python Instrumentobservability-edot-python-instrument is an agent skill for solo builders who need production-grade visibility on a Python backend without bolting on a legacy Elastic APM agent. It walks through Elastic Distribution of OpenTelemetry (EDOT) for Python: add the pip package, bootstrap auto-instrumentation for libraries already in the project, and run the app under `opentelemetry-instrument` so traces, metrics, and logs actually emit. The skill stresses reading Elastic’s EDOT setup and configuration references first, then applying a small, repeatable checklist—requirements change, Docker build hook for bootstrap, and OTLP endpoint plus API key headers aimed at the managed OTLP endpoint or EDOT Collector, explicitly avoiding APM Server URLs. Use it when a service ships to staging or production and you need standard OpenTelemetry signals into Elastic without rewriting the app for manual spans on day one.949installs27Cloud Create ProjectCloud Create Project is an agent skill that documents the Elastic Cloud Serverless project management API for solo builders wiring search, observability, or security backends into a new product. Every call uses `Authorization: ApiKey <your-api-key>` against `https://api.elastic-cloud.com`, with `{type}` constrained to elasticsearch, observability, or security. The reference maps create, list, detail, update, delete, status, credential reset, resume, and roles endpoints so your coding agent can script provisioning instead of clicking only through the console. Use it during Build when you stand up logging, RAG search, or SIEM-style monitoring as managed Elastic projects, and again in Operate when you patch config, rotate credentials, or resume suspended tenants. It complements infra skills by focusing on Elastic’s control plane HTTP contract rather than self-hosted cluster operations.944installs28Observability Edot Java Instrumentobservability-edot-java-instrument is an Elastic-authored agent skill that walks solo builders through zero-code Java observability using the Elastic Distribution of OpenTelemetry Java agent. It is meant when you have a running service and no incumbent APM library, and you want traces, metrics, and logs flowing into Elastic-compatible OTLP endpoints. The workflow stresses operational correctness: download the agent jar, attach it with -javaagent, set the three mandatory environment variables, and route export to managed OTLP or an EDOT Collector—not legacy APM Server URLs. It references official Elastic and OpenTelemetry setup pages before edits, reducing misconfigured exporters that silently drop telemetry. Builders use it during backend hardening before production cutover and again when onboarding a new microservice into an existing Elastic stack, without embedding SDKs in application code.937installs29Observability Edot Dotnet InstrumentObservability EDOT .NET Instrument is an Elastic-authored agent skill for adding automatic tracing, metrics, and logs to .NET applications using the Elastic Distribution of OpenTelemetry SDK. It targets services that lack an existing APM agent and walks agents through NuGet dependencies, Program.cs registration, and the minimal environment contract for OTLP export to Elastic-managed endpoints or an EDOT Collector. Solo builders shipping ASP.NET Core APIs or worker services use it during Build when observability is a launch requirement, and again in Operate when extending telemetry for new endpoints. The skill emphasizes correct endpoint shapes and auth headers while avoiding legacy APM Server URLs and unnecessary exporter overrides. Version 0.1.0 metadata; always cross-check current Elastic documentation linked from the skill before production rollout.936installs30Cloud Access Managementcloud-access-management is an Elastic agent skill that gives solo builders and small teams a precise API reference for governing who can access Elastic Cloud and serverless Elasticsearch projects. Instead of clicking through consoles ad hoc, agents can list organization members, invite users, cancel invitations, attach or remove role assignments, rotate Cloud API keys, and define custom security roles on serverless endpoints using the documented auth modes. The skill fits operators who already run workloads on Elastic and need least-privilege access patterns that survive team churn. Invoke it when onboarding collaborators, auditing keys, or aligning application_roles with deployment automation. Pair with your existing Elastic deployment skills so access changes stay synchronized with how your agent provisions environments.932installs31Observability Edot Dotnet Migrateobservability-edot-dotnet-migrate is an Elastic-authored agent skill for solo builders maintaining .NET services who must leave the classic Elastic APM .NET agent for the EDOT OpenTelemetry SDK. It enforces a clean break: strip NuGet references such as Elastic.Apm.NetCoreAll, remove middleware registration and appsettings ElasticApm sections, and delete ELASTIC_APM_* environment variables so dual agents do not fight. Installation guidance adds Elastic.OpenTelemetry and ASP.NET Core instrumentation, then registers telemetry through AddElasticOpenTelemetry on the host application builder in Program.cs. Export is OTLP-first with OTEL_SERVICE_NAME, a managed OTLP or EDOT Collector endpoint, and OTLP headers—explicitly not legacy APM server URLs reused by mistake. Use it when upgrading observability stacks before ship hardening or when production incidents need consistent traces on Elastic’s OpenTelemetry path.932installs32Observability Edot Java Migrateobservability-edot-java-migrate is an Elastic-maintained agent skill for Java teams moving from the classic Elastic APM agent to the EDOT (OpenTelemetry-based) Java agent. Solo builders running JVM services in production invoke it when switching from elastic-apm-agent.jar to elastic-otel-javaagent.jar so the agent systematically strips legacy APM artifacts—properties files, environment variables, and Maven or Gradle dependencies—and replaces them with the correct javaagent attachment and OTEL exporter settings. The skill emphasizes reading Elastic’s official migration guide first and setting OTEL_SERVICE_NAME and OTEL_EXPORTER_OTLP_ENDPOINT to the managed OTLP or EDOT Collector endpoint rather than blindly reusing ELASTIC_APM_SERVER_URL. It fits Operate when you are upgrading observability without a full rewrite of application code, and it keeps scope bounded to agent and env configuration rather than business logic changes.930installs33Observability Edot Python Migrateobservability-edot-python-migrate is an agent skill that walks a solo builder or small team through replacing the classic Elastic APM Python agent with the EDOT OpenTelemetry distribution. It is for anyone already shipping Python APIs or SaaS backends who wants traces and metrics in Elastic without maintaining two parallel instrumentation models. The workflow is deliberately destructive-then-rebuild: strip requirements and code paths that reference elastic-apm and ELASTIC_APM_* configuration, add elastic-opentelemetry, run edot-bootstrap during image build so common libraries get auto-instrumentation, and wrap the real entrypoint with opentelemetry-instrument so spans are not silently dropped. The skill stresses using Elastic’s managed OTLP endpoint or EDOT Collector URL rather than copying old APM server URLs, and renaming service identity via OTEL_SERVICE_NAME. Use it during an operate-phase cutover or before scaling traffic on a stack you plan to standardize on OpenTelemetry-first Elastic docs.927installs