Kibana

Kibana is a visualization and analytics platform for Elasticsearch, offering dashboards, data exploration, and monitoring capabilities for gaining insights from data.

Verdict

The Kibana MCP connects your Switchy workspace to Elasticsearch's analytics platform, letting you query logs, build dashboards, and manage alerts without leaving chat. @mention it to create data views from index patterns, spin up visualizations, or triage cases tied to incidents. Engineers and SREs get the most value — you can pull metrics during incident response, update alerting rules mid-conversation, or snapshot a dashboard for stakeholders. Setup requires an API key with appropriate Kibana privileges; some tools (like Fleet operations) need elevated permissions you may not grant by default.

Common use cases

  • Build incident dashboards from chat during outages
  • Create alerting rules when thresholds change
  • Open and assign cases for security events
  • Query log indices and visualize trends inline
  • Update saved objects without opening Kibana UI

Integration

  • Vendor: Kibana
  • Category: developer-tools
  • Auth: API_KEY
  • Tools: 49
  • Composio slug: kibana

Tools

  • Check Fleet Permissions

    Tool to check the permissions for the Fleet API. Use when you need to verify if the current user has the necessary privileges for Fleet operations.

  • Create Alerting Rule

    Tool to create a new alerting rule in Kibana. Use when you need to define a new condition that, when met, triggers an alert and potentially executes predefined actions.

  • Create Case

    Tool to create a new case in Kibana. Use when you need to open and track issues, incidents, or investigations. You can assign users, set severity levels, add tags, and configure external connectors for integration with ITSM systems.

  • Create Dashboard

    Tool to create a new dashboard in Kibana. Use when you need to create a dashboard to visualize data. Dashboards can contain visualizations, saved searches, and other embeddable objects.

  • Create Data View

    Tool to create a new data view (index pattern) in Kibana. Use when you need to define which Elasticsearch indices to query and analyze in Kibana. Data views determine which fields are available in Discover, Visualize, and other Kibana apps.

  • Create Kibana Connector

    Tool to create a new connector in Kibana. Use when you need to integrate Kibana with an external service.

  • Create or Update Saved Object

    Tool to create or update a saved object in Kibana. Use when you need to programmatically manage Kibana dashboards, visualizations, index patterns, etc.

  • Delete Action
    destructive

    Tool to delete an action in Kibana. Use when you need to remove a specific action by its ID, optionally within a specific space.

  • Delete Alerting Rule
    destructive

    Tool to delete an alerting rule in Kibana. Use when you need to remove a specific alerting rule by its ID.

  • Delete Connector
    destructive

    Tool to delete a connector in Kibana. Use when you need to remove an existing connector.

  • Delete Fleet Output
    destructive

    Tool to delete a specific output configuration in Kibana Fleet. Use when you need to remove an existing output by its ID.

  • Delete Fleet Proxy
    destructive

    Tool to delete a specific Fleet proxy configuration by its ID. Use when you need to remove an existing proxy setup.

  • Delete List
    destructive

    Deletes a list. Use when you want to delete a list by its ID.

  • Delete Osquery Saved Query
    destructive

    Tool to delete a saved osquery query by its ID. Use when you need to remove a specific osquery saved query.

  • Delete Saved Object
    destructive

    Tool to delete a saved object in Kibana. Use when you need to remove a specific saved object like a visualization or dashboard.

  • Find Detection Engine Rules

    Retrieves a list of detection engine rules based on specified criteria. Use this tool to find detection rules.

  • Find Kibana Alerts

    Tool to find and/or aggregate detection alerts in Kibana. Use this to retrieve a list of alerts, optionally filtering them with a query and performing aggregations.

  • Get Action Types

    Tool to fetch the list of available action types (e.g., '.slack', '.email', '.webhook') in Kibana. Use this to discover the 'actiontypeid' needed when creating a new action.

  • Get Alerting Rules

    Tool to retrieve a list of alerting rules in Kibana. Use when you need to get a paginated set of rules based on specified conditions.

  • Get Alert Types

    Tool to retrieve available alert types in Kibana. Use when you need to get a list of all possible alert types and their metadata.

  • Get All Connectors

    Tool to retrieve a list of all connectors in Kibana. Use this tool when you need to get information about available connectors.

  • Get Cases

    Tool to retrieve a list of cases in Kibana. Use when you need to find or list existing security or operational cases, potentially filtering by various attributes like status, assignee, or severity.

  • Get Data Views

    Tool to retrieve a list of data views available in Kibana. Use when you need to get a list of available data views, optionally filtering by a name pattern.

  • Get Endpoint List Items

    Tool to retrieve all items from an endpoint exception list. Use when you need to get a list of endpoint exceptions, for example, to check existing exceptions before adding a new one.

  • Get Entity Store Engines

    Retrieves the list of engines from the entity store.

  • Get Entity Store Status

    Tool to retrieve the status of the entity store in Kibana. Use this to check if the entity store is operational.

  • Get EPM Package Statistics

    Tool to retrieve statistics for a specific package in the Elastic Package Manager. Use when you need to get EPM package statistics.

  • Get Fleet Agent Policies

    Fetches a list of agent policies in Fleet. Use when you need to retrieve agent policy configurations.

  • Get Fleet Agents Available Versions

    Tool to retrieve the available versions for Fleet agents. Use when you need to get a list of all available Elastic Agent versions.

  • Get Fleet Agents Setup Status

    Tool to check if the Fleet agents are set up. Use when you need to verify the Fleet agent setup status.

  • Get Fleet Data Streams

    Retrieves the list of data streams in Fleet.

  • Get Fleet Enrollment API Key

    Tool to retrieve details of a specific enrollment API key by its ID. Use when you have the ID of an enrollment API key and need its details.

  • Get Fleet Enrollment API Keys

    Tool to fetch a list of enrollment API keys. Use when you need to retrieve existing enrollment tokens for Kibana Fleet.

  • Get Fleet EPM Categories

    Tool to fetch the list of categories in the Elastic Package Manager. Use when you need to retrieve available package categories.

  • Get Fleet EPM Data Streams

    Tool to retrieve the list of data streams in the Elastic Package Manager. Use when you need to get a list of available data streams, optionally filtering by type, dataset, or categorization.

  • Get Fleet EPM Package Details

    Tool to fetch details of a specific package and version in the Elastic Package Manager (EPM). Use when you need to get information about a particular EPM package, such as its title, description, or type.

  • Get Fleet EPM Package File

    Tool to retrieve a specific file from a package in the Elastic Package Manager. Use when you need to inspect the contents of a package file.

  • Get Fleet EPM Packages

    Tool to fetch the list of available packages in the Elastic Package Manager. Use when you need to find available integrations or their details.

  • Get Fleet EPM Packages (Limited)

    Tool to fetch a limited list of packages from the Elastic Package Manager. Use when you need to retrieve a list of available EPM packages with minimal details.

  • Get Fleet Package Policies

    Tool to retrieve a list of all package policies (agent & EPM), providing their IDs and associated details. Use when you need to get an overview of existing package policies.

  • Get Fleet Server Host

    Tool to fetch details of a specific Fleet Server host by its item ID. Use when you need to get information about a particular Fleet Server host.

  • Get Fleet Server Hosts

    Tool to retrieve the list of Fleet Server hosts. Use when you need to get information about the available Fleet Server hosts.

  • Get Index Management Indices

    Tool to fetch information about indices managed by Kibana's Index Management feature. It queries the underlying Elasticsearch /_cat/indices API to retrieve index details. Use when you need to list or get details about one or more indices in

  • Get Installed EPM Packages

    Tool to retrieve the list of installed packages in the Elastic Package Manager. Use this when you need to check which packages are currently installed in Fleet.

  • Get Kibana Status

    Tool to get the current status of Kibana. Use when you need to check if Kibana is healthy, monitor its state, or get information about the Kibana instance including version, UUID, and metrics.

  • Get Node Metrics

    Tool to retrieve statistics for nodes in an Elasticsearch cluster, often visualized in Kibana. Use when you need to monitor node health, performance, or resource usage. This action calls the Elasticsearch nodes stats API.

  • Get Reporting Jobs

    Tool to retrieve a list of reporting jobs in Kibana. Use when you need to see pending or completed reports. This uses an internal API endpoint, which might be subject to change without notice.

  • Get Saved Objects

    Tool to retrieve a list of saved objects in Kibana based on specified criteria. Use when you need to find dashboards, visualizations, index patterns, or other saved entities.

  • List Entity Store Entities

    Tool to list entity records in the entity store with support for paging, sorting, and filtering. Use when you need to retrieve a list of entities such as users, hosts, or services.

Setup

Setup guide

  1. In Switchy, open your workspace settings and navigate to the MCP integrations panel.
  2. Select 'Add MCP' and choose Kibana from the developer tools category.
  3. You'll be prompted to enter your Kibana instance URL (e.g., https://your-cluster.kb.us-east-1.aws.found.io) and an API key.
  4. Generate the API key in Kibana under Stack Management → API Keys; grant it privileges matching the tools you plan to use (at minimum: read/write on saved objects, alerting, and cases).
  5. Paste the key into Switchy and click 'Connect'.
  6. Test the connection by opening a Space and typing '@Kibana list my data views' — if it returns your index patterns, you're live.
  7. To invoke a tool, @mention Kibana in any message and describe what you need (e.g., '@Kibana create a dashboard for today's error logs').

What teammates see: by default, memories from Kibana are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.

Starter prompts

Set Up Latency Alert

@Kibana create an alerting rule that triggers when the 95th percentile response time for the checkout service exceeds 500ms over a 5-minute window.

Open Security Case

@Kibana create a case titled 'Unusual login from new IP' with high severity, assign it to the security team, and tag it 'auth-anomaly'.

Check Fleet Permissions

@Kibana check if I have the necessary permissions to manage Fleet agents and policies.

Export Dashboard Config

@Kibana fetch the saved object configuration for the 'Production Metrics' dashboard and show me the JSON.

Example outputs

Illustrative - representative of the model's voice and quality, not literal recordings.

Prompt

@Kibana show me all open cases tagged 'production-incident' with high severity from the last 7 days

Output

Found 4 open cases matching your criteria:

  1. **Database Connection Pool Exhausted** (Case #2847) — Opened 2 days ago by @sarah, assigned to @mike. Tags: production-incident, database. Severity: High.
  2. **API Gateway 503 Errors** (Case #2851) — Opened 4 days ago by @jordan, unassigned. Tags: production-incident, api. Severity: High.
  3. **Memory Leak in Order Service** (Case #2839) — Opened 6 days ago by @alex, assigned to @chris. Tags: production-incident, memory. Severity: High.
  4. **Redis Cluster Failover** (Case #2835) — Opened 7 days ago by @taylor, assigned to @sam. Tags: production-incident, cache. Severity: High.

This is an illustrative example based on typical case structures. Actual results depend on your Kibana instance's case data and field configurations.

Notes

This example demonstrates read-heavy case querying. Requires 'cases:read' privilege in your Kibana role. The MCP filters by status, tags, severity, and date range — but complex queries may need multiple API calls. If your team uses custom case fields or external connectors (Jira, ServiceNow), those won't appear in the basic output without additional tool calls.

Prompt

@Kibana create an alerting rule that notifies #ops-alerts when CPU usage exceeds 85% for 5 minutes on any production host

Output

Created alerting rule **'Production CPU Threshold Alert'** (ID: `cpu-alert-prod-2024`).

**Trigger condition:** Metric threshold — CPU usage > 85% for 5 consecutive minutes across hosts tagged `env:production`.

**Actions configured:**

- Send Slack message to #ops-alerts channel via connector 'Slack-Ops'
- Create Kibana case with severity 'Medium' and tag 'auto-generated'

**Rule schedule:** Checks every 1 minute.

**Throttle:** No repeat notifications for 15 minutes after firing.

This is an illustrative example. Actual rule creation requires a pre-configured Slack connector and appropriate index patterns for host metrics (e.g., `metricbeat-*`).

Notes

This example shows write-action capability for proactive monitoring. Requires 'alerting:write' and 'actions:execute' privileges. You must have a Kibana connector already set up for Slack (or email, PagerDuty, etc.) — the MCP can create connectors but needs credentials you provide. Rule syntax varies by alert type (metric threshold, log threshold, anomaly detection). Side-effect: the rule starts running immediately.

Prompt

@Kibana analyze the last 500 error logs from our payment service and create a dashboard showing error distribution by status code and endpoint

Output

Analyzed 500 error logs from index `logs-payment-service-*` (last 24 hours).

**Error breakdown:**

- 402 errors (80.4%): Status 500 — `/api/v2/checkout/confirm` endpoint (database timeout pattern detected)
- 67 errors (13.4%): Status 503 — `/api/v2/payment/process` endpoint (external gateway unavailable)
- 31 errors (6.2%): Status 400 — `/api/v2/refund/initiate` endpoint (validation failures)

Created dashboard **'Payment Service Error Analysis'** with 3 visualizations:

  1. Pie chart: Error distribution by HTTP status code
  2. Bar chart: Top 5 failing endpoints by error count
  3. Time series: Error rate over 24-hour window (1-hour buckets)

Dashboard URL: `https://your-kibana.com/app/dashboards#/view/payment-errors-dash`.

This is an illustrative example; actual log structure and field names depend on your Elasticsearch mappings.

Notes

This example demonstrates synthesis — the MCP queries logs, the AI identifies patterns, then the MCP creates a persistent dashboard. Requires 'discover:read' for log queries and 'dashboard:write' for creation. The AI's pattern detection (e.g., 'database timeout') is inferred from log messages, not guaranteed. If your logs lack structured fields (status_code, endpoint), results will be less precise. Dashboard persists in Kibana and can be shared with your team.

Use-case deep-dives

Incident response for SRE teams

When Kibana MCP turns standup into a war room

A 6-person SRE team runs post-mortems after production incidents. They pull logs from Elasticsearch, create cases in Kibana to track remediation, and build dashboards to visualize error spikes. The Kibana MCP lets them do all three from a single Switchy thread: create the case, query the data view for the time window, and spin up a dashboard without leaving the conversation. The 49 tools cover the full incident lifecycle—alerting rules, connector setup, even Fleet permissions if you're managing agents. This works best when your team already lives in Kibana; if you're stitching together Datadog, PagerDuty, and Jira, the MCP won't bridge those gaps. For teams running the Elastic stack end-to-end, this is the fastest path from 'we're down' to 'here's the root cause dashboard.'

Customer support knowledge base search

Why this MCP isn't built for support ticket lookup

A 10-person support team wants to search historical tickets and customer logs stored in Elasticsearch. The Kibana MCP can create data views and query indices, but it's optimized for observability workflows—dashboards, alerting, case management—not full-text search across unstructured support data. You'll hit friction if your use case is 'find the ticket where the customer mentioned billing error X': the MCP doesn't expose Elasticsearch's query DSL directly, and the tooling assumes you're building visualizations or managing alerts. If your support data lives in Zendesk or Intercom, skip this entirely. If you're already indexing tickets into Elastic and want to automate case creation when certain patterns appear, the MCP starts to make sense—but only as part of a larger alerting pipeline, not as a search interface.

DevOps pipeline monitoring automation

When 49 tools justify the API key setup cost

A 4-person DevOps team monitors CI/CD pipelines, container health, and deployment metrics in Kibana. They want to automate dashboard creation when a new service ships, set up alerting rules for failed builds, and create connectors to Slack for real-time notifications. The Kibana MCP handles all of this without writing custom scripts: create the data view for the new service's logs, define the alerting rule with thresholds, wire up the Slack connector, and generate the dashboard in one conversation. The API key auth is a one-time setup; after that, the 49 tools cover edge cases like Fleet permissions for agent management or saved object updates for dashboard templates. This pays off when you're shipping 3+ services a quarter and the manual Kibana UI work becomes a bottleneck. Below that cadence, the MCP is overkill—just use the UI.

Frequently asked

What does the Kibana MCP let me do in Switchy?

It lets AI agents manage your Kibana environment — create dashboards, set up alerting rules, open cases for incident tracking, configure data views, and manage connectors to external services. Instead of clicking through Kibana's UI, you describe what you need and the MCP executes the API calls. Useful for teams that want to automate Kibana setup or let non-technical users trigger dashboard changes via chat.

Do I need admin access to connect Kibana MCP?

You need an API key with permissions matching what you want the MCP to do. Creating dashboards and data views requires editor-level access; managing alerting rules and Fleet operations typically needs admin privileges. Generate the key in Kibana's Stack Management section, then paste it into Switchy. The MCP won't work if the key lacks the necessary Kibana role assignments.

Can the Kibana MCP query Elasticsearch data directly?

No. It manages Kibana objects — dashboards, visualizations, alerting rules, cases — but doesn't run Elasticsearch queries or return log data. If you need to search logs or aggregate metrics, use the Elasticsearch MCP instead. This one is for configuring Kibana itself, not for data retrieval. Think of it as the control plane, not the data plane.

How is this different from just using Kibana's UI?

The MCP is faster for repetitive tasks and lets non-Kibana-experts create dashboards by describing what they want in plain English. You skip the multi-step UI workflow. Trade-off: you lose the visual preview and drag-and-drop layout control. Best for teams that want to templatize Kibana setups or let support staff open cases without learning Kibana's interface.

Who on my team should connect the Kibana MCP?

Whoever owns your observability stack and has admin access to generate API keys. Once connected, you can share the Switchy workspace with engineers or support staff who need to create dashboards or manage alerts but shouldn't have full Kibana admin rights. The MCP inherits the permissions of the API key, so scope it carefully.

Data last verified 607 hours ago. Sources aggregated hourly to weekly. See docs/architecture/model-directory.md.