LLM and Agentic Observability
Answer user questions about monitoring LLMs and agentic components using data ingested into Elastic only. Focus on
LLM performance, cost and token utilization, response quality, and call chaining or agentic workflow orchestration. Use
ES|QL, Elasticsearch APIs, and (where needed) Kibana APIs. Do not rely on Kibana UI; the skill works without it. A
given deployment typically uses one or more ingestion paths (APM/OTLP traces and/or integration metrics/logs)β
discover what is available before querying.
Where to look
- Trace and metrics data (APM / OTel): Trace data in Elastic is stored in
traces* when collected by the
Elastic APM Agent, and in traces-generic.otel-default (and similar) when collected by OpenTelemetry. Use the
generic pattern traces* to find all trace data regardless of source. When the application is instrumented with
OpenTelemetry (e.g. Elastic
Distributions of OpenTelemetry (EDOT),
OpenLLMetry, OpenLIT, Langtrace exporting to OTLP), LLM and agent spans land in these trace data streams; metrics may
land in metrics-apm* or metrics-generic. Query traces* and metrics* data streams for per-request and
aggregated LLM signals.
- Integration metrics and logs: When the user collects data via
Elastic LLM integrations
(OpenAI, Azure OpenAI, Azure AI Foundry, Amazon Bedrock, Bedrock AgentCore, GCP Vertex AI, etc.), metrics and logs go
to integration data streams (e.g.
metrics*, logs* with dataset/namespace per integration). Check which data
streams exist.
- Discover first: Use Elasticsearch to list data streams or indices (e.g.
GET _data_stream, or
GET traces*/_mapping, GET metrics*/_mapping) and optionally sample a document to see which LLM-related fields are
present. Do not assume both APM and integration data exist.
- ES|QL: Use the elasticsearch-esql skill for ES|QL syntax, commands, and query patterns when building queries
against
traces* or metrics data streams.
- Alerts and SLOs: Use the Observability APIs SLOs
API (Stack |
Serverless) and Alerting API
(Stack |
Serverless) to find SLOs and alerting rules
that target LLM-related data (e.g. services backed by
traces*, or integration metrics). Firing alerts or
violated/degrading SLOs point to potential degraded performance.
Data available in Elastic
From traces and metrics (traces*, metrics-apm* / metrics-generic)
Spans from OTel/EDOT (and compatible SDKs) carry span attributes that may follow
OpenTelemetry GenAI semantic conventions or
provider-specific names. In Elasticsearch, attributes typically appear under span.attributes (exact key names depend
on ingestion). Common attributes:
| Purpose |
Example attribute names (OTel GenAI) |
| Operation / provider |
gen_ai.operation.name, gen_ai.provider.name |
| Model |
gen_ai.request.model, gen_ai.response.model |
| Token usage |
gen_ai.usage.input_tokens, gen_ai.usage.output_tokens |
| Request config |
gen_ai.request.temperature, gen_ai.request.max_tokens |
| Errors |
error.type |
| Conversation / agent |
gen_ai.conversation.id; tool/agent spans as child spans |
Cost is not in the OTel spec; some instrumentations add custom attributes (e.g. llm.response.cost.usd_estimate).
Discover actual field names from the index mapping or a sample document (e.g. span.attributes.* or flattened keys).
Use duration and event.outcome on spans for latency and success/failure. Use trace.id, span.id, and
parent/child span relationships to analyze call chaining and agentic workflows (e.g. one root span, multiple LLM or
tool-call child spans).
From LLM integrations
Integrations (OpenAI, Azure OpenAI, Azure AI Foundry, Bedrock, Bedrock AgentCore, Vertex AI, etc.) ship metrics (and
where supported logs) to Elastic. Metrics typically include token usage, request counts, latency, andβwhere the
integration supports itβcost-related fields. Logs may include prompt/response or guardrail events. Exact field names and
data streams are defined by each integration package; discover them from the integration docs or from the target data
stream mapping.
Determine what data is available
- List data streams:
GET _data_stream and filter for traces*, metrics-apm* (or metrics*), and metrics-* /
logs-* that match known LLM integration datasets (e.g. from
Elastic LLM observability).
- Inspect trace indices: For
traces*, run a small search or use mapping to see if spans contain gen_ai.* or
llm.* (or similar) attributes. Confirm presence of token, model, and duration fields.
- Inspect integration indices: For metrics/logs data streams, check mapping or one document to see token, cost,
latency, and model dimensions.
- Use one source per use case: If both APM and integration data exist, prefer one consistent source for a given
question (e.g. use traces for per-request chain analysis, integration metrics for aggregate token/cost).
- Check alerts and SLOs: Use the SLOs API and Alerting API to list SLOs and alerting rules that target LLM-related
services or integration metrics, and to get open or recently fired alerts. Firing alerts or SLOs in
degrading/violated status point to potential degraded performance.
Use cases and query patterns
LLM performance (latency, throughput, errors)
- Traces: ES|QL on
traces* filtered by span attributes (e.g. gen_ai.operation.name or gen_ai.provider.name
when present). Compute throughput (count per time bucket), latency (e.g. duration.us or span duration), and error
rate (event.outcome == "failure") by model, service, or time.
- Integrations: Query integration metrics for request rate, latency, and error metrics by model/dimension as exposed
by the integration.
Cost and token utilization
- Traces: Aggregate from spans in
traces*: sum gen_ai.usage.input_tokens and gen_ai.usage.output_tokens (or
equivalent attribute names) by time, model, or service. If a cost attribute exists (e.g. custom
llm.response.cost.*), sum it for cost views.
- Integrations: Use integration metrics that expose token counts and/or cost; aggregate by time and model.
Response quality and safety
- Traces: Use
event.outcome, error.type, and span attributes (e.g. gen_ai.response.finish_reasons) in
traces* to identify failures, timeouts, or content filters. Correlate with prompts/responses if captured in
attributes (e.g. gen_ai.input.messages, gen_ai.output.messages) and not redacted.
- Integrations: Query integration logs for guardrail blocks, content filter events, or policy violations (e.g.
Bedrock Guardrails)
using the fields defined by that integration.
Call chaining and agentic workflow orchestration
- Traces only: Use trace hierarchy in
traces*. Filter by root service or trace attributes; group by trace.id
and use parent/child span relationships (e.g. parent.id, span.id) to reconstruct chains (e.g. orchestration span β
multiple LLM or tool-call spans). Aggregate by span name or gen_ai.operation.name to see distribution of steps (e.g.
retrieval, LLM, tool use). Duration per span and per trace gives bottleneck and end-to-end latency.
Using ES|QL for LLM data
- Availability: ES|QL is available in Elasticsearch 8.11+ (GA in 8.14) and in Elastic Observability Serverless.
- Scoping: Always restrict by time range (
@timestamp). When present, add service.name and optionally
service.environment. For LLM-specific spans, filter by span attributes once you know the field names (e.g. a keyword
field for gen_ai.provider.name or gen_ai.operation.name).
- Performance: Use
LIMIT, coarse time buckets when only trends are needed, and avoid full scans over large
windows.
Workflow
LLM observability progress:
- [ ] Step 1: Determine available data (traces*, metrics-apm* or metrics*, or integration data streams)
- [ ] Step 2: Discover LLM-related field names (mapping or sample doc)
- [ ] Step 3: Run ES|QL or Elasticsearch queries for the user's question (performance, cost, quality, orchestration)
- [ ] Step 4: Check for active alerts or SLOs defined on LLM-related data (Alerting API, SLOs API); field names from
Step 2 help identify related rules; firing alerts or violated/degrading SLOs indicate potential degraded performance
- [ ] Step 5: Summarize findings from ingested data only; include alert/SLO status when relevant
Examples
Example: Token usage over time from traces
Assume span attributes are available as span.attributes.gen_ai.usage.input_tokens and
span.attributes.gen_ai.usage.output_tokens (adjust to actual field names from mapping):
FROM traces*
| WHERE @timestamp >= "2025-03-01T00:00:00Z" AND @timestamp <= "2025-03-01T23:59:59Z"
AND span.attributes.gen_ai.provider.name IS NOT NULL
| STATS
input_tokens = SUM(span.attributes.gen_ai.usage.input_tokens),
output_tokens = SUM(span.attributes.gen_ai.usage.output_tokens)
BY BUCKET(@timestamp, 1 hour), span.attributes.gen_ai.request.model
| SORT @timestamp
| LIMIT 500
Example: Latency and error rate by model
FROM traces*
| WHERE @timestamp >= "2025-03-01T00:00:00Z" AND @timestamp <= "2025-03-01T23:59:59Z"
AND span.attributes.gen_ai.request.model IS NOT NULL
| STATS
request_count = COUNT(*),
failures = COUNT(*) WHERE event.outcome == "failure",
avg_duration_us = AVG(span.duration.us)
BY span.attributes.gen_ai.request.model
| EVAL error_rate = failures / request_count
| LIMIT 100
Example: Agentic workflow (trace-level view)
Get trace IDs that contain at least one LLM span and count spans per trace to see chain length:
FROM traces*
| WHERE @timestamp >= "2025-03-01T00:00:00Z" AND @timestamp <= "2025-03-01T23:59:59Z"
AND span.attributes.gen_ai.operation.name IS NOT NULL
| STATS span_count = COUNT(*), total_duration_us = SUM(span.duration.us) BY trace.id
| WHERE span_count > 1
| SORT total_duration_us DESC
| LIMIT 50
Example: Integration metrics (Amazon Bedrock AgentCore)
The Amazon Bedrock AgentCore integration
ships metrics to the metrics-aws_bedrock_agentcore.metrics-* data stream (time series index). Use TS for
aggregations on time series data streams (Elasticsearch 9.2+); use a time range with TRANGE (9.3+). The
integrationβs dashboards and
alerting rule templates
Example: token usage (counter), invocations (counter), and average latency (gauge) by hour and agent:
TS metrics-aws_bedrock_agentcore.metrics-*
| WHERE TRANGE(7 days)
AND aws.dimensions.Operation == "InvokeAgentRuntime"
| STATS
total_tokens = SUM(RATE(aws.bedrock_agentcore.metrics.TokenCount.sum)),
total_invocations = SUM(RATE(aws.bedrock_agentcore.metrics.Invocations.sum)),
avg_latency_ms = AVG(AVG_OVER_TIME(aws.bedrock_agentcore.metrics.Latency.avg))
BY TBUCKET(1 hour), aws.bedrock_agentcore.agent_name
| SORT TBUCKET(1 hour) DESC
For Elasticsearch 8.x or when TS is not available, use FROM with BUCKET(@timestamp, 1 hour) and SUM/AVG over
the metric fields (as in the integration's alert rule templates). For other LLM integrations (OpenAI, Azure OpenAI,
Vertex AI, etc.), use that integrationβs data stream index pattern and field names from its package (see
Elastic LLM observability).
Guidelines
- Data only in Elastic: Use only data collected and stored in Elastic (traces in
traces*, metrics, or integration
metrics/logs). Do not describe or rely on other vendorsβ UIs or products.
- One technology per customer: Assume a single ingestion path per deployment when answering; discover which (traces
vs integration) exists and use it consistently for the question.
- Discover field names: Before writing ES|QL or Query DSL, confirm LLM-related attribute or metric names from
_mapping or a sample document; naming may differ (e.g. gen_ai.* vs llm.* or integration-specific fields).
- No Kibana UI dependency: Prefer ES|QL and Elasticsearch APIs; use Kibana APIs only when needed (e.g. SLO,
alerting). Do not instruct the user to open Kibana UI.
- References:
LLM and agentic AI observability,
Observability Labs β LLM Observability,
OpenTelemetry GenAI spans. For ES|QL syntax and
query patterns, use the elasticsearch-esql skill, or look through
ES|QL TS command reference for Elastic v9.3
or higher and for Serverless, and look through
ES|QL FROM command reference for other
Elastic versions.
