Elasticsearch: Search Logs
Availability: This workflow action is available on Business and Enterprise for Incident Management pricing plans. Contact the Sales Team to upgrade to an account with this action.
Description
The action runs a search against the Index Pattern you specify using Lucene, KQL, EQL, or Query DSL, and returns up to Max Results documents (allowed range 1–1000; default 100). Use it to pull logs or events from Elasticsearch while you investigate or automate around an incident.
PagerDuty does not inject a default time range. For time-bounded results, include time constraints in your query (for example in Query DSL with a range filter on @timestamp) or as supported by your query type and index mappings.
Prerequisites
- An Elasticsearch cluster reachable from PagerDuty over HTTPS (compatible with Elasticsearch 7.x or 8.x; confirm with your administrator).
- An Elasticsearch API key with permission for connection validation and for searching your index patterns.
- An Elasticsearch connection in PagerDuty. See the Elasticsearch subsection in Workflow Integrations.
Instructions
- If you have not done so, follow the instructions to Create an Incident Workflow.
- When the instructions prompt you to add actions, select this action.
- Enter the following Inputs and click Save.
- Continue following instructions to Publish the Workflow.
- When the action runs, you will see the Outputs listed below.
Inputs
Field References: Fields with the {+} icon accept Field References, which can be useful for referencing incident data or outputs created in prior workflow steps. To add Field References, click {+}, or enter {{, and select relevant fields. Refer to the Field References article for more information.
| Name | Description |
|---|---|
| Connection Input | The Elasticsearch Workflow Integration connection (Elasticsearch URL and API Key configured in PagerDuty). If you have not yet configured an Elasticsearch integration, please see the Elasticsearch Integration instructions. |
| Index Pattern | Index pattern to search (for example logs-*, filebeat-*, logstash-*). This value is used in the request path to Elasticsearch. |
| Query Type | Lucene (default), KQL, EQL, or Query DSL. See Query types below. |
| Query | The search string or JSON for the selected query type. |
| Max Results | Maximum number of documents to return. Allowed range: 1–1000. Default: 100. |
Query Types
- Lucene — Sent to `_search` using a `query_string` query with your Query text.
- KQL — Sent to `_search` using a `query_string` query with lenient parsing and default operator AND. KQL and Lucene are not identical; verify results against your data.
- EQL — Sent to `_eql/search` with your Query as the EQL expression and Max Results as the request size.
- Query DSL — Query must be valid JSON for the inner query object only (not the full request body). PagerDuty wraps it as `{ "query": <your JSON>, "size": <Max Results> }` and sends it to `_search`. Invalid JSON produces an error.
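As an added example (not PagerDuty's own code; the helper names are assumptions), the Python below packages each Query Type the way the page says it is sent, enforces the Max Results range, adds the @timestamp range filter the Description recommends for Query DSL, and maps a `_search` response onto the action's outputs using a constructed sample response.

```python
import json

MAX_RESULTS_RANGE = (1, 1000)  # allowed range for Max Results per the page

def build_request(query_type, query, index_pattern, max_results=100):
    """Return (path, body) for each Query Type as the page says it is sent.
    Hypothetical helper, not PagerDuty's implementation."""
    lo, hi = MAX_RESULTS_RANGE
    if not lo <= max_results <= hi:
        raise ValueError(f"Max Results must be between {lo} and {hi}, got {max_results}")
    if query_type == "Lucene":  # query_string with the raw Query text
        qs = {"query": query}
    elif query_type == "KQL":  # same query, lenient parsing, default operator AND
        qs = {"query": query, "lenient": True, "default_operator": "AND"}
    elif query_type == "EQL":  # separate endpoint; Max Results becomes the size
        return f"/{index_pattern}/_eql/search", {"query": query, "size": max_results}
    elif query_type == "Query DSL":  # inner query object only; it gets wrapped
        try:
            inner = json.loads(query)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Query DSL must be valid JSON: {exc}") from exc
        return f"/{index_pattern}/_search", {"query": inner, "size": max_results}
    else:
        raise ValueError(f"unknown Query Type: {query_type}")
    return f"/{index_pattern}/_search", {"query": {"query_string": qs}, "size": max_results}

def with_time_range(inner_query, gte="now-1h", lte="now"):
    """Add an @timestamp filter to a Query DSL inner query: the action injects
    no default time range, so an unbounded query scans every matching index."""
    window = {"range": {"@timestamp": {"gte": gte, "lte": lte}}}
    return {"bool": {"must": [inner_query], "filter": [window]}}

def summarize_response(resp):
    """Map a _search response onto the Logs, Log Count, Total Hits and
    Search Duration outputs (EQL responses have a different shape)."""
    hits = resp.get("hits", {}).get("hits", [])
    logs = [{"_index": h["_index"], "_id": h["_id"], "_source": h["_source"],
             "timestamp": h["_source"].get("@timestamp")} for h in hits]
    total = resp.get("hits", {}).get("total", len(logs))
    total_hits = total["value"] if isinstance(total, dict) else total
    return {"Logs": logs, "Log Count": len(logs), "Total Hits": total_hits,
            "Search Duration": f"{resp.get('took', 0)}ms", "Result": "Success"}

# Constructed sample response: 42 matches in the index, 2 returned (size=2).
SAMPLE_RESPONSE = {"took": 7, "hits": {"total": {"value": 42, "relation": "eq"}, "hits": [
    {"_index": "logs-2024.01.01", "_id": "a1",
     "_source": {"@timestamp": "2024-01-01T00:00:00Z", "message": "auth failure"}},
    {"_index": "logs-2024.01.01", "_id": "a2", "_source": {"message": "auth failure"}}]}}
```

Total Hits coming back larger than Log Count, as in the sample, is the signal that Max Results truncated the result set and the query or time window should be narrowed.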
Outputs
| Name | Description |
|---|---|
| Logs | JSON array of matching documents (fields such as _index, _id, _source, and a derived timestamp when present). Empty array if the search fails or returns no hits. |
| Log Count | Number of documents in Logs for this response. |
| Query Used | The Query input as processed for the action. |
| Index Pattern Used | The Index Pattern that was searched. |
| Total Hits | Total matching documents reported by Elasticsearch (may exceed Log Count when limited by Max Results). |
| Search Duration | Query execution time as reported by Elasticsearch (for example 42ms). |
| Result | Success or Failed. |
| Result Summary | Brief description of what the action did or if it failed. Example: "Successfully retrieved 42 logs." |
| Error | Populated when the action fails (for example authentication, index not found, or invalid Query DSL). |