
Observability Logs Search
Query Elastic Observability log indices with correct ECS field names, index patterns, and OTel alias fallbacks when debugging production incidents.
Overview
Observability Logs Search is an agent skill for the Operate phase that documents Elastic log index patterns, ECS field names for queries, and OpenTelemetry alias fallbacks for observability log search.
Install
npx skills add https://github.com/elastic/agent-skills --skill observability-logs-search
What is this skill?
- Documents log index patterns: logs-*-*, logs-*, filebeat-*, and logs.* wired streams
- ECS-only query guidance with built-in aliases from OpenTelemetry (body.text→message, severity_text→log.level)
- Trace correlation fields: trace.id, span.id, @timestamp for event ordering
- Resource fallback chains for service.name, host.name, kubernetes.pod.name display and grouping
- Maps deployment.environment to service.environment for environment-scoped log filters
Adoption & trust: 1.2k installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are debugging production logs but OTel and ECS field names differ, so agent-written queries miss data or use wrong index patterns.
Who is it for?
Solo builders shipping services on Elastic Observability who need agents to write correct log queries during incidents or monitoring setup.
Skip if: Teams not using Elastic Observability or who only need metric or APM skills without log index/ECS mapping.
When should I use this skill?
Agent needs to search or explain Elastic Observability logs using ECS fields, index patterns, or OTel-to-ECS aliases.
What do I get? / Deliverables
Queries target the right log indices and ECS fields (message, log.level, trace.id, service.name) with correct metadata fallbacks for grouping and display.
- Correct ECS-based log queries
- Index pattern selection for log streams
- Resource metadata field fallback lists for grouping
Recommended Skills
Journey fit
Log search reference maps directly to running systems—finding errors, tracing requests, and grouping by service or K8s metadata after shipping. The Monitoring subphase is where builders run KQL/ES|QL against logs-* streams and correlate trace.id with spans during incident response.
How it compares
Reference field-and-index cheat sheet for log search—not a full observability onboarding or ingest pipeline skill.
Common Questions / FAQ
Who is observability-logs-search for?
Indie builders and small teams running apps on Elastic Observability who want coding agents to search logs with ECS names and standard index patterns instead of inventing OTel-only fields.
When should I use observability-logs-search?
Use it in Operate when triaging errors, correlating traces in logs, or writing Kibana/ES queries; also when Build agents document logging fields for services you will monitor in production.
Is observability-logs-search safe to install?
It is documentation-only with no shell or network hooks in the skill body; review the Security Audits panel on this Prism page before installing any repo skill.
SKILL.md - Observability Logs Search
# Log Search Reference

Reference for Observability log search: index patterns, ECS/OpenTelemetry field mapping, and resource metadata fallbacks.

## Log index patterns

- `logs-*-*,logs-*,filebeat-*` — common pattern for log data streams
- `logs.*` — to also include wired streams

## ECS and OpenTelemetry

Observability index templates provide **field aliases** that map OpenTelemetry fields to ECS. Query using **ECS field names** only; aliases handle the mapping.

| ECS field | OTel / other notes |
| --- | --- |
| `message` | `body.text` (OTel) |
| `log.level` | `severity_text` |
| `trace.id` | `trace_id` |
| `span.id` | `span_id` |
| `service.name` | Service name |
| `service.environment` | `deployment.environment` |
| `host.name` | Host name |
| `kubernetes.pod.name` | `k8s.pod.name` |
| `kubernetes.namespace` | `k8s.namespace.name` |
| `@timestamp` | Event time |

## Resource metadata field fallbacks

For display or grouping, use the first available in each line (ECS then OTel aliases):

| Resource | Preferred field(s) — try in order |
| --- | --- |
| Service | `service.name` |
| Container | `kubernetes.container.name` → `k8s.container.name` → `container.name` |
| Host/Node | `kubernetes.node.name` → `k8s.node.name` → `host.name` |
| Cluster | `orchestrator.cluster.name` → `k8s.cluster.name` |
| Namespace | `kubernetes.namespace` → `k8s.namespace.name` |
| Pod | `kubernetes.pod.name` → `k8s.pod.name` |
| Workload | One of: `kubernetes.deployment.name`, `k8s.deployment.name`, `kubernetes.replicaset.name`, `k8s.replicaset.name`, `kubernetes.statefulset.name`, `k8s.statefulset.name`, `kube
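The following is an added example, not code from the skill, from elastic/agent-skills or from Elastic. It turns the SKILL.md tables (the index pattern, the OTel-to-ECS alias list, and the resource fallback chains) and the "What is this skill?" bullets above into working Python: it rewrites OTel field names an agent might have typed into the ECS names the aliases expect, resolves display labels through the fallback chains on documents that come back either nested or flat, and builds an ES|QL query against `logs-*-*,logs-*,filebeat-*` for one trace. The two sample documents are constructed; the assumption that `trace.id` values are 32-hex-character W3C trace IDs is mine, and it is what lets the query builder reject an untrusted value before it is spliced into a query string.

```python
"""Resolve ECS/OTel log fields using the fallback chains from the Log Search Reference.

Added example, not part of the skill or of Elastic's code. Assumes Elasticsearch
hits are plain dicts that are either nested ({"kubernetes": {"pod": {"name": ...}}})
or flat ({"kubernetes.pod.name": ...}), and that trace IDs are W3C 32-hex strings.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Index pattern from the SKILL.md "Log index patterns" section.
INDEX_PATTERN = "logs-*-*,logs-*,filebeat-*"

# OTel name -> ECS name, as listed in the "ECS and OpenTelemetry" table.
# Queries should use the right-hand side; the index-template alias does the rest.
OTEL_TO_ECS = {
    "body.text": "message",
    "severity_text": "log.level",
    "trace_id": "trace.id",
    "span_id": "span.id",
    "deployment.environment": "service.environment",
    "k8s.pod.name": "kubernetes.pod.name",
    "k8s.namespace.name": "kubernetes.namespace",
}

# Fallback chains from the "Resource metadata field fallbacks" table (first hit wins).
FALLBACKS: Dict[str, List[str]] = {
    "service": ["service.name"],
    "container": ["kubernetes.container.name", "k8s.container.name", "container.name"],
    "host": ["kubernetes.node.name", "k8s.node.name", "host.name"],
    "cluster": ["orchestrator.cluster.name", "k8s.cluster.name"],
    "namespace": ["kubernetes.namespace", "k8s.namespace.name"],
    "pod": ["kubernetes.pod.name", "k8s.pod.name"],
}


def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Look up a dotted field in a flat or nested document; None if absent or empty."""
    if path in doc:  # flat document, e.g. {"k8s.pod.name": ...}
        value = doc[path]
    else:  # nested document, walk one key per path segment
        value = doc
        for part in path.split("."):
            if not isinstance(value, dict) or part not in value:
                return None
            value = value[part]
    return None if value in (None, "") else value


def resolve(doc: Dict[str, Any], chain: List[str]) -> Tuple[Optional[str], Optional[Any]]:
    """Return (field, value) for the first field in the chain present on the document."""
    for field in chain:
        value = get_path(doc, field)
        if value is not None:
            return field, value
    return None, None


def resource_labels(doc: Dict[str, Any]) -> Dict[str, Optional[Any]]:
    """Display/grouping labels for every resource in the fallback table."""
    return {resource: resolve(doc, chain)[1] for resource, chain in FALLBACKS.items()}


def ecs_filters(filters: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite OTel-named filter keys to the ECS names the aliases are defined on."""
    return {OTEL_TO_ECS.get(name, name): value for name, value in filters.items()}


_TRACE_ID = re.compile(r"[0-9a-f]{32}")  # assumption: W3C trace-id format


def esql_for_trace(trace_id: str, level: str = "error", limit: int = 100) -> str:
    """ES|QL for one trace's log lines. Inputs are validated before being
    interpolated, so a value copied out of a ticket cannot alter the query."""
    trace_id = trace_id.strip().lower()
    if not _TRACE_ID.fullmatch(trace_id):
        raise ValueError("trace.id must be 32 hex characters")
    if not re.fullmatch(r"[A-Za-z]+", level):
        raise ValueError("log.level must be alphabetic")
    return (
        f"FROM {INDEX_PATTERN} "
        f'| WHERE trace.id == "{trace_id}" AND log.level == "{level}" '
        "| KEEP @timestamp, message, log.level, service.name, kubernetes.pod.name "
        f"| SORT @timestamp DESC | LIMIT {int(limit)}"
    )


# Constructed sample hits: one nested ECS document, one flat OTel-attribute document.
SAMPLE_DOCS = [
    {
        "@timestamp": "2024-05-01T10:00:00Z",
        "message": "payment declined",
        "log": {"level": "error"},
        "service": {"name": "checkout"},
        "kubernetes": {"pod": {"name": "checkout-7d9f"}, "namespace": "shop",
                       "node": {"name": "node-a"}},
    },
    {
        "@timestamp": "2024-05-01T10:00:01Z",
        "body.text": "upstream timeout",
        "severity_text": "error",
        "service.name": "checkout",
        "k8s.pod.name": "checkout-7d9f",
        "k8s.namespace.name": "shop",
        "host.name": "node-a",
    },
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(resource_labels(doc))
    print(esql_for_trace("0af7651916cd43dd8448eb211c80319c"))
```

Both sample hits resolve to the same service, pod, namespace and host labels even though the second carries only `k8s.*` and `host.name` keys, which is the point of the fallback chains: grouping stays stable across ECS-native and OTel-shaped data. `ecs_filters` is the place to normalise an agent-drafted filter before it becomes a query, so `severity_text` never reaches the cluster where only the `log.level` alias is defined.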