// Query Elasticsearch/Kibana using ES|QL via the Kibana async search API. Requires an initial curl command from the user to extract session credentials. Triggers: /esql, "query elastic", "search logs", "check elastic logs", "run esql", "elasticsearch query", "check kibana"
Generate a concise weekly status update in team format by pulling data from the current Jira sprint (tickets assigned to me), backlog, and recent activity. Outputs bullet points covering "What I worked on" (completed/in-progress this sprint), "What's next" (To Do in current sprint), and standard blockers/leaves fields. When asked for last week's report, covers completed items from last week. Upcoming items are based on the current sprint's To Do tickets. Triggers: /my-weekly-report, "my weekly update", "my weekly status", "generate my weekly", "write my weekly", "my weekly report"
Look up a URL (Teams message, Jira ticket, GitHub PR/issue, incident.io alert) and create a concise backlog entry with a [ref] link. Triggers: /backlog-add, "add this link to backlog", "backlog from link", "look up and add to backlog"
Update the daily backlog by gathering data from Jira sprint, GitHub PRs, and existing backlog, then collaboratively deciding what to work on today. Handles checked-off items, moves existing tasks to Today, and adds new items with reference links. Commits the backlog folder before making changes. Triggers: /update-backlog, "update my backlog", "plan my backlog", "what should I work on today", "refresh backlog", "backlog update"
Look up, read, create, update, search, and navigate Confluence pages using the confluence CLI. Use as fallback when Atlassian MCP tools are unavailable. Triggers: /confluence, "look up confluence page", "check confluence", "read confluence", "create confluence page", "update confluence page", "search confluence", "find in confluence", "confluence page", any Confluence page URL like https://veeam-vdc.atlassian.net/wiki/...
Create a Jujutsu (jj) commit with a concise message
Manage Jira issues using the jira CLI — lookup, create, edit, transition, assign, comment, link, and search. Triggers: /jira, "look up jira issue", "check jira ticket", "create jira issue", "update jira", "move ticket to", "assign issue", "add comment to", "what's the status of PROJ-123", any mention of a Jira issue key like PROJ-123
| name | esql |
| description | Query Elasticsearch/Kibana using ES|QL via the Kibana async search API. Requires an initial curl command from the user to extract session credentials. Triggers: /esql, "query elastic", "search logs", "check elastic logs", "run esql", "elasticsearch query", "check kibana" |
Query Elasticsearch via the Kibana ES|QL async search API. Run ES|QL queries directly against Kibana clusters without the user needing to copy-paste results.
,es-web CLIThe ,es-web CLI at /Users/meain/.local/bin/utils/,es-web handles Kibana ES|QL queries with automatic async polling, session management, and table output.
First-time setup for a cluster: the user provides a curl command from Kibana's network tab:
pbpaste | ,es-web init stg-us
pbpaste | ,es-web init prd-eu
Check configured clusters:
,es-web list
Session cookies expire after a few hours. If you get a 401/session expired error:
confluence page 405504500)open <url> (with dangerouslyDisableSandbox: true)! pbpaste | ,es-web init <cluster>,es-web# Simple: service + time window
,es-web -c stg-us -s earn -t 1h -n 20
# With additional WHERE clause
,es-web -c stg-us -s earn -t 1h -q 'message LIKE "*validation*"'
# Custom fields
,es-web -c stg-us -s earn -t 1h -f '@timestamp, message, labels.error'
# Raw ES|QL query
,es-web -c stg-us 'FROM logs-* | WHERE service.name == "earn" | STATS count = COUNT(*) BY labels.event_type | SORT count DESC | LIMIT 10'
# JSON output for further processing
,es-web -c stg-us -s earn -t 30m --json
# Debug: print generated query
,es-web -c stg-us -s earn -t 1h --debug
,es-web options-c — Cluster alias (e.g. stg-us, prd-eu)-s — service.name filter-t — Time window (e.g. 30m, 1h, 2d). Defaults to 4h if omitted (a warning is printed to stderr)-n — Max rows (default: 20)-q — Additional WHERE clause-f — Comma-separated fields for KEEP clause-i — Index pattern (default: logs-*)--json — Raw JSON output--debug — Print generated query to stderrlabels.status is a keyword field — compare with strings, not integers (e.g., labels.status >= "500")-f is specified, default fields are: @timestamp, service.name, message, labels.error, labels.error_message, labels.path, labels.status, trace.idmessage across many services can be slow — scope with service and tight time windowsThese are the service.name values for control-plane-backend services:
| Service | service.name |
|---|---|
| Workload Tenants | workload-tenants-svc |
| Subscriptions | subscriptions-svc |
| User Management | user-management |
| Routing | routing |
| EARN | earn |
| EARN Telemetry | earn-telemetry |
| Usage Reports | usage_reports |
| Onboarding | onboarding |
| Scheduler | scheduler |
The nginx ingress controller logs under service.name == "nginx".
@timestamp — event timestamp (ISO 8601)service.name — service identifier (see table above)service.environment — prod, prd, qa, devmessage — log message textlevel — log level (info, warn, error)trace.id — distributed trace ID for correlating across serviceslabels.status — HTTP status code (string, not int)labels.path — request pathlabels.method — HTTP methodlabels.error / labels.error_message — error detailslabels.organization_id / labels.org_id — organization identifierlabels.organization.id — alternative org ID fieldlabels.workload_tenant.id — workload tenant identifierlabels.user.id / labels.principal.id — user/principal identifierslabels.operation — operation being performedlabels.handler — handler namelabels.earn.event.type — EARN event typelabels.earn.event.dedupe_key — EARN dedup keylabels.scheduler.event.id — scheduler event IDlabels.request.url — outgoing request URLlabels.http.router.request_id — request IDnumeric_labels.* — numeric values (latency, counts, etc.)These are set via clog.Label() and appear in a labels field:
http_server_overview, dispatcher_overview, queue_dispatcher_overviewearn_event_delivery, events_processorpanic_recovery, panic_recoveredazure_sdk_logging, secrets_handlingdeprecated_behavior_overviewFROM logs-*
| WHERE service.environment == "prod"
AND @timestamp >= "2026-04-07T07:00:00.000Z"
AND @timestamp <= "2026-04-07T08:00:00.000Z"
| STATS count = COUNT(*) BY service.name
| SORT count DESC
| LIMIT 30
FROM logs-*
| WHERE service.name == "nginx"
AND service.environment == "prod"
AND labels.status >= "500"
| SORT @timestamp DESC
| LIMIT 20
| KEEP @timestamp, labels.status, labels.path, labels.method, message
FROM logs-*
| WHERE service.name == "earn"
AND service.environment == "prod"
AND level == "error"
AND @timestamp >= "START"
AND @timestamp <= "END"
| SORT @timestamp DESC
| LIMIT 30
| KEEP @timestamp, message, labels.error, labels.error_message, labels.operation, trace.id
FROM logs-*
| WHERE service.environment == "prod"
AND @timestamp >= "START"
AND @timestamp <= "END"
AND (labels.organization_id == "ORG_ID" OR labels.org_id == "ORG_ID" OR labels.organization.id == "ORG_ID")
| SORT @timestamp DESC
| LIMIT 20
| KEEP @timestamp, service.name, message, labels.error, trace.id
FROM logs-*
| WHERE service.environment == "prod"
AND @timestamp >= "START"
AND @timestamp <= "END"
AND labels.workload_tenant.id == "TENANT_ID"
| SORT @timestamp DESC
| LIMIT 30
| KEEP @timestamp, service.name, message, labels.error, labels.operation
FROM logs-*
| WHERE trace.id == "TRACE_ID"
| SORT @timestamp ASC
| LIMIT 100
| KEEP @timestamp, service.name, level, message, labels.error, labels.status, labels.path
FROM logs-*
| WHERE service.name == "SERVICE"
AND service.environment == "prod"
AND message LIKE "*metric*latency*"
| SORT @timestamp DESC
| LIMIT 30
| KEEP @timestamp, message, numeric_labels.value_ms
FROM logs-*
| WHERE service.environment == "prod"
AND @timestamp >= "START"
AND @timestamp <= "END"
AND level == "error"
| STATS error_count = COUNT(*) BY service.name
| SORT error_count DESC
| LIMIT 20
FROM logs-*
| WHERE service.environment == "prod"
AND @timestamp >= "START"
AND @timestamp <= "END"
AND (message LIKE "*panic*" OR labels.panic_recovered == "true" OR labels.panic_recovery == "true")
| SORT @timestamp DESC
| LIMIT 20
| KEEP @timestamp, service.name, message, labels.error, trace.id
,es CLIThe ,es CLI at /Users/meain/.local/bin/utils/,es provides a simpler way to query Elasticsearch, but it only works for the dev environment. Do not use it for staging or production.
Search by trace ID:
,es -q 'trace.id:<TRACE_ID>' -n 50
Filter for errors:
,es -q 'trace.id:<TRACE_ID> AND event.type:error' -n 10
Broader service-level search (no trace ID):
,es -q 'service.name:<SERVICE_NAME> AND (level:error OR event.type:error)' -n 20
,es CLI options-q — Lucene query string-n — Number of results-f — Comma-separated fields to display-s — Sort field (e.g. @timestamp:desc)| Environment | Method |
|---|---|
| Dev / personal | Use ,es CLI directly |
| Staging / production | Use ,es-web -c <cluster> (requires session cookie from user) |
| No session available | Fall back to clipboard mode (see below) |
Cluster naming convention: <env>-<region>, e.g. stg-us, stg-eu, prd-us, prd-eu, prd-apac.
When no ,es-web session is configured for the target cluster:
confluence page 405504500), open <kibana-base-url>/app/discover#/ with open <url> (with dangerouslyDisableSandbox: true), then ask the user to copy a curl from the network tab and run ! pbpaste | ,es-web init <cluster>pbcopylabels.error and labels.error_message.numeric_labels.* fields are numeric; labels.* fields are keywords (strings).-t is omitted. If a query times out, retry with a narrower window (e.g., 1h → 30m). For very broad searches (e.g., no service filter), start at 30m and expand only if needed.http_server_overview, dispatcher_overview) are useful for filtering to structured log categories without needing to match on message text.