AI agents in Codex for Elastic observability

FlexiClaw brings agentic AI to Elastic.

Turn natural questions into evidence-backed investigations — every write to Elastic previewed, approved and verified.

> Investigate this incident, show me the evidence, separate what's proven from what's suspected, and tell me which outputs are worth creating.

FlexiClaw can produce reports, Case Files, ES|QL, RAG plans or dashboards when useful, while governed actions still go through preview, approval and verification.

Demo run

Watch one workflow: from intent to approved Elastic output.

This demo shows one workflow end-to-end: from operational intent to a published, verified Kibana dashboard.

Operating workflow

From operational intent to verified Elastic output.

FlexiClaw starts with evidence and decides whether the useful next step is a report, a Case File, validated ES|QL, an approval-gated RAG workflow or a Kibana dashboard.

01. Ask from Codex

Describe the incident, service, time window, knowledge need or operational question in plain language. FlexiClaw turns that into an investigation plan.

02. Gather Elastic evidence

It checks logs, APM traces, metrics, alerts, streams, fields and ES|QL, preferring aggregate evidence before individual samples.

03. Preview the output

FlexiClaw prepares the relevant output for review: an explanation, report, Case File, ES|QL, RAG plan or dashboard preview.

04. Approve and verify

When an action can write to Elastic or Kibana, FlexiClaw waits for approval and verifies the result before reporting success.

MVP 0.4.0

What FlexiClaw for Elastic can do today.

FlexiClaw for Elastic is the Codex plugin surface. It focuses on Elastic observability investigations, auto-dashboards, alert plans, alert triage, daily SRE health reports, integration advisor checks, Case Files, validated ES|QL, RAG workflows that run only after approval, evidence-based reports and dashboard previews when a visual handoff is useful.

Investigate logs

Inspect errors, exceptions, timeouts, warning spikes, log volume changes and affected datasets or services.

Analyze APM signals

Review latency, throughput, failure rate, transactions, dependencies and representative traces with baseline comparison.

Correlate metrics

Check CPU, memory, disk, network, runtime and host signals against application symptoms without jumping from correlation to causation.

Generate validated ES|QL

Prepare and validate aggregate queries, explain what each query proves and keep result sizes bounded.

Preview dashboards

Create native investigation dashboard previews before saving, with panel intent tied to the evidence and the incident question.

Publish Lens dashboards

Publish editable Kibana Lens dashboards only after explicit approval, then verify the saved object before reporting success.

Plan and triage alerts

Propose reviewed Kibana alert plans from log baselines, create FlexiClaw-tagged rules after approval and pre-triage firing alerts into Case Files.

Run SRE health checks

Summarize new error signatures, ingestion freshness, dataset trends and observability blind spots that need attention.

Advise integrations

Detect hosts without metrics, services without APM and Elastic Agent visibility gaps, then produce read-only setup guidance.

Capture Case Files

Keep a local incident record with evidence, assumptions, open questions and selected dashboard drilldown evidence.

Build approval-gated RAG

Preview RAG plans from local documents, Case Files or capped existing Elastic indices, then execute only after approval against the intended target.

Query operational memory

Ask approved FlexiClaw RAG indices for similar incidents or operational knowledge, with cited sources in the answer.

Write incident reports

Produce RCA drafts, executive summaries and technical reports that separate facts, hypotheses, unknowns and next actions.

Elastic signals

Elastic already stores the signals. FlexiClaw gives Codex an operating method.

The plugin routes natural incident questions to the right Elastic evidence, then explains what is known, what is likely, what was previewed and what still needs validation.

Logs: Errors, exceptions, log groups, change points and volume changes.
APM: Latency, transactions, traces, dependencies and service topology.
Metrics: Hosts, runtime metrics, resource pressure and infrastructure correlation.
Alerts: Incident context and available alert signals when present.
Streams: Schema, data quality, failed documents and stream queries.
ES|QL: Generated, validated and explained queries for investigation and panels.

Example prompts

Ask like an operator, not like an API.

FlexiClaw is designed for natural operational language. The user should not need to know internal tool names or transport details.

Discovery: What can you see in my Elastic? Give me services, relevant indices and streams, alerts and available observability data.
Incident: Investigate why checkout is returning 500 errors in production during the last 2 hours. Use logs, traces and metrics.
Latency: Analyze the latency spike for payments in the last 6 hours. Compare it with the previous 6 hours and identify the most likely cause with evidence.
Dashboard: Create a native dashboard preview for my Elastic logs from the last 30 days. I want to review it before saving it to Kibana.
Publish: Approved. Publish it to Kibana and verify the saved dashboard object before claiming success.
Case File: Attach the useful dashboard drilldowns and investigation evidence to a Case File for this incident.
Alerts: Review my logs and propose alerts for the errors. I want to see the plan before creating anything in Kibana.
Health: How is my platform today? Show new errors, freshness gaps and anything that needs attention.
Advisor: What observability coverage am I missing? Check metrics, APM and Elastic Agent visibility.
RAG: Create a RAG plan from this existing Elastic documentation index, cap the source read, show the target index and wait for approval before indexing.
Memory: Search similar incidents in the active FlexiClaw RAG and answer with cited sources.
Report: Write an RCA summary that separates proven evidence from suspected causes and open questions.

Local setup

Install from GitHub. Keep credentials out of chat.

FlexiClaw for Elastic is available from the public GitHub repository, byviz/flexiclaw-for-elastic-codex. Install the plugin in Codex, then use a local configuration file. Normal investigation should use a read-only Elastic API key. Dashboard publishing and RAG execution should use separate restricted keys when possible.

Install plugin (GitHub public repo):

codex plugin marketplace add byviz/flexiclaw-for-elastic-codex --ref main
codex plugin add flexiclaw-codex-plugin@flexiclaw

~/.config/flexiclaw/config.json (MVP 0.4.0):

mkdir -p ~/.config/flexiclaw
nano ~/.config/flexiclaw/config.json

{
  "kibanaUrl": "https://your-kibana.example.com",
  "elasticsearchUrl": "https://your-elasticsearch.example.com",
  "apiKey": "your-read-only-api-key",
  "dashboardApiKey": "your-dashboard-write-api-key",
  "alertingApiKey": "your-alerting-write-api-key",
  "rag": {
    "inferenceId": "your-elasticsearch-inference-endpoint",
    "targetPrefix": "flexiclaw-rag"
  }
}
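
A pre-flight check for the config file above, as an added example that is not part of FlexiClaw or the original page: it flags a config.json accessible beyond its owner, non-HTTPS URLs, leftover template placeholders and one key reused across the read-only, dashboard and alerting fields. The field names come from the template above; the owner-only (600) file mode is an assumed hardening target, and the sample values are constructed.

```python
import json
import os
import stat
from urllib.parse import urlparse

KEY_FIELDS = ("apiKey", "dashboardApiKey", "alertingApiKey")


def audit(cfg, mode):
    """Return findings for a parsed config dict and its file permission bits."""
    findings = []
    # The file holds API keys, so only the owner should be able to access it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} is open to group/other; use 600")
    for field in ("kibanaUrl", "elasticsearchUrl"):
        if urlparse(cfg.get(field, "")).scheme != "https":
            findings.append(f"{field} is not an https URL")
    # Separate keys only limit privilege if the values really differ.
    seen = {}
    for field in KEY_FIELDS:
        value = cfg.get(field)
        if not value:
            continue
        if value.startswith("your-"):
            findings.append(f"{field} still holds the template placeholder")
        if value in seen:
            findings.append(f"{field} reuses the value of {seen[value]}")
        seen.setdefault(value, field)
    return findings


def audit_file(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh), mode)


# Constructed sample, not real credentials: one key reused, one placeholder.
SAMPLE = {
    "kibanaUrl": "http://kibana.example.com",
    "elasticsearchUrl": "https://es.example.com",
    "apiKey": "constructed-key-A",
    "dashboardApiKey": "constructed-key-A",
    "alertingApiKey": "your-alerting-write-api-key",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o644):
        print(finding)
```

Run `audit_file` against `~/.config/flexiclaw/config.json` after editing it; an empty list means none of these four checks fired.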
Safety boundaries

Built for cautious incident work.

FlexiClaw complements Kibana. Kibana remains the system of record for observability data and dashboards, while FlexiClaw handles intent-driven investigation, preview, approval and verification.

No automatic remediation or self-healing incident response.
No Elastic cluster setting changes, ILM changes, template changes or data stream modification.
No dashboard publishing without explicit approval and saved-object verification.
No RAG execution without an approved plan, target index and intended source.
No modifying source indices when creating RAG from existing Elastic data.
No alert connectors, notification actions, or modifying and deleting existing alert rules in the current MVP.
No Fleet writes, automatic integration installation or Elastic Agent enrollment in the current MVP.
No unsupported root-cause certainty. Evidence and guesses never get mixed.
No Elastic Security-specific workflows in the current MVP.

FlexiClaw for Elastic

Turn Elastic intent into evidence, previews and verified outputs.

Use AI agents in Codex to investigate real Elastic observability data, prepare evidence-backed dashboard previews, keep Case Files, build RAG workflows that run only after approval and verify what was saved.