From e0601cfe0e79719214b43d806f78fef4f81426c5 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 3 Jun 2026 14:01:25 -0400 Subject: [PATCH 1/2] Workflows lookup reference: add glossary and expand cheat-sheet gotchas MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes docs-content-internal#1159. Two deliverables in one PR: 1. New explore-analyze/workflows/reference/glossary.md (48 terms). Adapted from the PM internal docset (elastic/workflows-internal- docs, reference/glossary.md). One H3 per term with per-term anchor; alphabetical groups (A-B, C, D-E, F-H, I-K, L, N-O, P-R, S, T, V-W, Y) mirror the PM source. Cross-links rewritten from PM-site relative paths to docs-content paths. Cut 7 terms not Workflows-specific (devops/security/observability acronyms): CI, EDR, NL authoring (experimental, not documented), SIEM, SLO, SOAR, SOC. Fixed version-prose in 5 PM-source entries (Composition, Event- driven trigger, Streams, Tech Preview, Trigger, workflows.failed) — moved version info to applies_to directives, dropped "in 9.4" qualifiers. Updated Terminal state to include timed_out (matches the lifecycle-table fix that shipped in PR #6669). 2. Cheat-sheet expansion: added a worked-example YAML snippet under each of the 10 gotchas that support one (gotcha 1 is purely UI- driven and has no YAML form). Each snippet is 3-12 lines, shows either wrong/right comparison or a single correct shape. Patterns anchored in existing reference pages, not invented. TOC: added glossary.md to the Reference sub-parent in explore- analyze/toc.yml; alphabetized the existing entries (cheat-sheet, context-variables, glossary, liquid-filters, step-types). Cross-links: glossary added to cheat-sheet's Related section, a terminology pointer added near the top of pass-data-handle-errors, and a Glossary signpost added to the workflows.md landing-page Learn-more section. Co-authored-by: Cursor --- explore-analyze/toc.yml | 3 +- explore-analyze/workflows.md | 1 + .../pass-data-handle-errors.md | 2 + .../workflows/reference/cheat-sheet.md | 127 ++++++++- .../workflows/reference/glossary.md | 261 ++++++++++++++++++ 5 files changed, 392 insertions(+), 2 deletions(-) create mode 100644 explore-analyze/workflows/reference/glossary.md diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 4a370b32a7..7b42e55c7f 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -514,9 +514,10 @@ toc: - file: workflows/reference.md children: - file: workflows/reference/cheat-sheet.md - - file: workflows/reference/step-types.md - file: workflows/reference/context-variables.md + - file: workflows/reference/glossary.md - file: workflows/reference/liquid-filters.md + - file: workflows/reference/step-types.md - file: workflows/authoring-techniques.md children: - file: workflows/authoring-techniques/use-yaml-editor.md diff --git a/explore-analyze/workflows.md b/explore-analyze/workflows.md index bbea0400d0..73dc520c4d 100644 --- a/explore-analyze/workflows.md +++ b/explore-analyze/workflows.md @@ -121,4 +121,5 @@ Concepts, reference, and authoring: - [Workflow concepts](/explore-analyze/workflows/concepts.md): Triggers, steps, templating, and quick-reference pages. - [Workflow authoring techniques](/explore-analyze/workflows/authoring-techniques.md): How to use the YAML editor, the anatomy of a workflow, workflow settings, choosing the right step, passing data between steps, handling errors, and more. +- [Glossary](/explore-analyze/workflows/reference/glossary.md): Definitions for every term used across the Workflows documentation. - [Workflow templates](/explore-analyze/workflows/templates.md): Pre-built workflows you can adapt. diff --git a/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md b/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md index be4f2b390f..8c825a366e 100644 --- a/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md +++ b/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md @@ -17,6 +17,8 @@ products: A key feature of workflows is the ability to pass data between steps and handle failures gracefully. This page explains the mechanisms for controlling data flow and building resilient, fault-tolerant automations. +For definitions of the terms used on this page (context, inputs, on-failure, fallback, retry, and so on), refer to the [Glossary](/explore-analyze/workflows/reference/glossary.md). + ## Data flow [workflows-data-flow] Every step in a workflow produces an output. By default, this output is added to a global `steps` object in the workflow's context, making it available to all subsequent steps. diff --git a/explore-analyze/workflows/reference/cheat-sheet.md b/explore-analyze/workflows/reference/cheat-sheet.md index b15ede9aa0..2b2c82d144 100644 --- a/explore-analyze/workflows/reference/cheat-sheet.md +++ b/explore-analyze/workflows/reference/cheat-sheet.md @@ -168,20 +168,145 @@ Full reference: [Pass data and handle errors](/explore-analyze/workflows/authori ## Top gotchas [workflows-cheat-gotchas] 1. **Alert trigger needs rule Action attachment.** `type: alert` alone isn't enough. [Attach the workflow](/explore-analyze/workflows/triggers/alert-triggers.md) to the rule's Actions. + 2. **`while` defaults to `max-iterations: 2000` with `on-limit: continue`.** When the loop hits the cap, the step succeeds quietly. Set `on-limit: fail` if you want the workflow to fail at the cap. + + ```yaml + - name: poll_status + type: while + condition: "steps.check.output.status != 'ready'" + max-iterations: + limit: 100 + on-limit: fail # Fail the workflow at the cap; default is continue + steps: + - name: check + type: http + with: + url: "https://api.example.com/jobs/{{ inputs.job_id }}" + ``` + 3. **`switch.cases` is an array**, not a map. Each case is a `{ case: , steps: [...] }` object. Refer to [`switch`](/explore-analyze/workflows/steps/switch.md). + + ```yaml + - name: route + type: switch + expression: "{{ steps.classify.output.severity }}" + cases: + - case: critical + steps: + - { name: page_oncall, type: pagerduty.triggerIncident, with: { ... } } + - case: high + steps: + - { name: notify_team, type: slack.postMessage, with: { ... } } + default: + - { name: log_only, type: console, with: { message: "low severity" } } + ``` + 4. **`cases.*` parameters use `snake_case`:** `case_id`, not `caseId`. + + ```yaml + # Wrong + - type: cases.addComment + with: + caseId: "{{ steps.create.output.case.id }}" + + # Right + - type: cases.addComment + with: + case_id: "{{ steps.create.output.case.id }}" + comment: "Investigation started." + ``` + 5. **`kibana.SetAlertsStatus` / `kibana.SetAlertTags` are PascalCase.** Not `kibana.set_alerts_status`. -6. **AI step identifiers are top-level kebab-case:** `connector-id`, `agent-id`, `inference-id`. + + ```yaml + - name: close_false_positive + type: kibana.SetAlertsStatus # PascalCase step type + with: + signal_ids: ["{{ event.alerts[0]._id }}"] + status: closed + reason: "Verified non-malicious." + ``` + +6. **AI step identifiers are top-level kebab-case:** `connector-id`, `agent-id`, `inference-id`. Liquid expressions in these top-level fields aren't evaluated; use literal values. Refer to [AI steps](/explore-analyze/workflows/steps/ai-steps.md). + + ```yaml + # Wrong — fields nested under with, and templated agent-id is not substituted + - type: ai.agent + with: + agentId: "{{ consts.agent_id }}" + message: "..." + + # Right — top-level kebab-case with literal values + - type: ai.agent + agent-id: elastic-ai-agent + with: + message: "..." + ``` + 7. **Composition's `workflow-id` is kebab-case but lives *inside* `with`.** It's the one exception to the top-level-kebab-case pattern. + + ```yaml + - name: enrich + type: workflow.execute + with: + workflow-id: "shared--enrich-alerts" # kebab-case, inside with + inputs: + alerts: "${{ event.alerts }}" + ``` + 8. **`data.*` steps (except `data.set`) put source data at the top level:** `items:`, `arrays:`, or `source:`. The transformation configuration goes in `with`. + + ```yaml + - name: keep_critical + type: data.filter + items: "${{ steps.search.output.hits.hits }}" # top-level source + with: + condition: "item._source.severity : 'critical'" + ``` + 9. **Use `${{ ... }}` for arrays and objects**, `{{ ... }}` for strings. + + ```yaml + # Wrong — array is stringified + - type: foreach + foreach: "{{ event.alerts }}" + + # Right — raw-value form preserves the array + - type: foreach + foreach: "${{ event.alerts }}" + ``` + 10. **`to_json` doesn't exist.** Use `json` to serialize or `json_parse` to parse. + + ```yaml + # Serialize an object to a JSON string + payload: "{{ event.alerts[0] | json }}" + + # Parse a JSON string into an object + parsed: "{{ steps.http.output.body | json_parse }}" + ``` + 11. **`data.filter` and `if` conditions are KQL, not Liquid.** Use `item.severity : 'critical'`, not `item.severity == 'critical'`. + ```yaml + # Wrong — Liquid comparison + - type: data.filter + items: "${{ steps.search.output }}" + with: + condition: "item.severity == 'critical'" + + # Right — KQL equality + - type: data.filter + items: "${{ steps.search.output }}" + with: + condition: "item.severity : 'critical'" + ``` + ## Related [workflows-cheat-related] - [Build your first workflow](/explore-analyze/workflows/get-started/build-your-first-workflow.md): Hands-on tutorial if you're new. +- [Glossary](/explore-analyze/workflows/reference/glossary.md): Definitions for every term used in this docset. - [Step type index](/explore-analyze/workflows/reference/step-types.md): The A-Z lookup. - [Troubleshooting](/explore-analyze/workflows/authoring-techniques/troubleshooting.md): When something isn't working. - [`elastic/workflows` library](https://github.com/elastic/workflows): 57 example workflows you can adapt. diff --git a/explore-analyze/workflows/reference/glossary.md b/explore-analyze/workflows/reference/glossary.md new file mode 100644 index 0000000000..f12fdd110f --- /dev/null +++ b/explore-analyze/workflows/reference/glossary.md @@ -0,0 +1,261 @@ +--- +navigation_title: Glossary +applies_to: + stack: ga 9.4+ + serverless: ga +description: Reference of terms used across Elastic Workflows documentation, with concrete examples and links to the canonical reference pages. +products: + - id: kibana + - id: cloud-serverless + - id: cloud-hosted + - id: cloud-enterprise + - id: cloud-kubernetes + - id: elastic-stack +--- + +# Glossary [workflows-glossary] + +Every term and acronym used elsewhere in the Workflows documentation. Each entry links to the canonical reference page where one exists. + +## A-B [workflows-glossary-a-b] + +### Action [workflows-glossary-action] + +In alerting, an operation a rule takes when it fires. Workflows runs as an action through the **Run workflow** rule action. Refer to [Alert triggers](/explore-analyze/workflows/triggers/alert-triggers.md). + +### Agent Builder [workflows-glossary-agent-builder] + +A {{kib}} feature for building conversational AI agents. Workflows integrates as a tool provider (workflows can be called by agents) and as a step type (`ai.agent` calls agents from a workflow). Refer to [{{agent-builder}}](/explore-analyze/ai-features/elastic-agent-builder.md). + +### Alert [workflows-glossary-alert] + +A document produced by an alerting rule when it fires. See also [Detection alert](#workflows-glossary-detection-alert). + +### Alert state [workflows-glossary-alert-state] + +One of `new`, `ongoing`, or `recovered`. Workflows can trigger on any combination of these states. Refer to [Alert triggers](/explore-analyze/workflows/triggers/alert-triggers.md). + +### Alerting rule [workflows-glossary-alerting-rule] + +A {{kib}} construct that watches data and fires when a condition is met. Triggers alert-type workflows. Refer to [Alert triggers](/explore-analyze/workflows/triggers/alert-triggers.md). + +### Anatomy [workflows-glossary-anatomy] + +The top-level structure of a workflow YAML file. Refer to [Anatomy of a workflow](/explore-analyze/workflows/authoring-techniques/anatomy.md). + +## C [workflows-glossary-c] + +### Case [workflows-glossary-case] + +A {{kib}} Cases document for tracking an investigation. Workflows provides 25+ `cases.*` step types. Refer to [Cases action steps](/explore-analyze/workflows/steps/cases.md). + +### Composition [workflows-glossary-composition] + +```{applies_to} +stack: preview 9.4+ +serverless: preview +``` + +Invoking one workflow from another. The parent calls a child through `workflow.execute` (synchronous) or `workflow.executeAsync` (fire-and-forget). Refer to [Composition steps](/explore-analyze/workflows/steps/composition.md) and [Compose workflows](/explore-analyze/workflows/authoring-techniques/compose-workflows.md). + +### Composition depth [workflows-glossary-composition-depth] + +How deep a nested `workflow.execute` chain goes. Capped by the engine to prevent infinite recursion. Refer to [Composition steps](/explore-analyze/workflows/steps/composition.md). + +### Concurrency [workflows-glossary-concurrency] + +Controls for what happens when overlapping executions would otherwise run at the same time. Configured under `settings.concurrency`. Refer to [Workflow settings](/explore-analyze/workflows/authoring-techniques/settings.md). + +### Connector [workflows-glossary-connector] + +A configured integration with an external system (Slack, Jira, PagerDuty, OpenAI, and so on). Referenced from workflow steps by `connector-id`. Refer to [{{kib}} connectors](/deploy-manage/manage-connectors.md). + +### Context [workflows-glossary-context] + +The shared data environment a workflow execution builds up as steps run. Accessed in YAML through Liquid templating. Refer to [Pass data and handle errors](/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md). + +### Context variable [workflows-glossary-context-variable] + +A named item in the workflow context: `inputs.*`, `consts.*`, `steps.*`, `event.*`, `foreach.*`, `execution.*`, and so on. Refer to [Context variables](/explore-analyze/workflows/reference/context-variables.md). + +## D-E [workflows-glossary-d-e] + +### Data step [workflows-glossary-data-step] + +A step type in the `data.*` namespace for transformations: `data.filter`, `data.map`, `data.aggregate`, and others. Refer to [Data action steps](/explore-analyze/workflows/steps/data.md). + +### Detection alert [workflows-glossary-detection-alert] + +An alert produced by a {{elastic-sec}} detection rule. Always in state `new` when delivered to a workflow. Refer to [Alert triggers](/explore-analyze/workflows/triggers/alert-triggers.md). + +### ES|QL [workflows-glossary-esql] + +Elasticsearch Query Language. {{es}}'s SQL-like query language. Used in `elasticsearch.esql.query` steps. Refer to [Elasticsearch action steps](/explore-analyze/workflows/steps/elasticsearch.md) and [ES|QL reference](/explore-analyze/query-filter/languages/esql.md). + +### Event [workflows-glossary-event] + +The trigger payload. For alert triggers, the alert data; for scheduled triggers, empty. Accessed as `event.*` in Liquid templates. Refer to [Context variables](/explore-analyze/workflows/reference/context-variables.md). + +### Event-driven trigger [workflows-glossary-event-driven-trigger] + +```{applies_to} +stack: preview 9.4+ +serverless: preview +``` + +A trigger that fires on a platform event rather than on a schedule or manual invocation. Includes `workflows.failed` and the `cases.*` event triggers. Refer to [Event-driven triggers](/explore-analyze/workflows/triggers/event-driven-triggers.md). + +### Execution [workflows-glossary-execution] + +One run of a workflow. Has an ID, a start time, a trigger, a terminal state, and an execution view. Refer to [Monitor workflow execution](/explore-analyze/workflows/authoring-techniques/monitor-workflows.md). + +## F-H [workflows-glossary-f-h] + +### Fallback [workflows-glossary-fallback] + +An `on-failure` strategy that runs alternative steps when the primary step fails and all retries are exhausted. Refer to [Pass data and handle errors](/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md). + +### Fan-out [workflows-glossary-fan-out] + +Starting multiple concurrent pieces of work from one workflow. Implement with [`workflow.executeAsync`](/explore-analyze/workflows/steps/composition.md) for independent child executions, or [`foreach`](/explore-analyze/workflows/steps/foreach.md) for per-item iteration within one execution. + +### Foreach [workflows-glossary-foreach] + +Both a step type and a step-level field. The step type is a loop; the field is a per-step iteration modifier. Refer to [`foreach`](/explore-analyze/workflows/steps/foreach.md) and the [Steps overview](/explore-analyze/workflows/steps.md). + +### GenAI [workflows-glossary-genai] + +Generative AI. A model class that produces text, code, or structured data from a prompt. Workflows integrates through connectors (OpenAI, Bedrock, Gemini, Generic GenAI) and the `ai.*` step types. Refer to [AI steps](/explore-analyze/workflows/steps/ai-steps.md). + +### HITL [workflows-glossary-hitl] + +Human-in-the-loop. A workflow that pauses for human input, typically through `waitForInput`. Refer to [Human-in-the-loop](/explore-analyze/workflows/authoring-techniques/human-in-the-loop.md). + +## I-K [workflows-glossary-i-k] + +### Input [workflows-glossary-input] + +A runtime parameter of a workflow. Declared under the `manual` trigger on 9.5+ and serverless, or at the workflow root on 9.4. Refer to [Anatomy: `inputs`](/explore-analyze/workflows/authoring-techniques/anatomy.md#workflows-anatomy-inputs). + +### KQL [workflows-glossary-kql] + +{{kib}} Query Language. Used for `if` conditions and `data.filter` predicates in workflows. Refer to the [KQL reference](/explore-analyze/query-filter/languages/kql.md). + +## L [workflows-glossary-l] + +### Liquid [workflows-glossary-liquid] + +The template language used to reference context variables inside workflow YAML. The engine evaluates expressions like `{{ inputs.name }}` and `${{ steps.fetch.output }}` at runtime. Refer to [Templating engine](/explore-analyze/workflows/templating.md). + +## N-O [workflows-glossary-n-o] + +### Observable [workflows-glossary-observable] + +In Cases, an indicator of compromise (IP, hash, domain, URL). Added with `cases.addObservables`. Refer to [`cases.addObservables`](/explore-analyze/workflows/steps/cases.md#cases-addobservables). + +### On-failure [workflows-glossary-on-failure] + +Per-step error-handling configuration. Strategies: `retry`, `continue`, `fallback`, `abort`. Refer to [Pass data and handle errors](/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md). + +### Output [workflows-glossary-output] + +Either the data a step produces (accessed through `steps..output`), or a top-level declaration of what a workflow returns (required for workflows invoked through composition). Refer to [Anatomy: `outputs`](/explore-analyze/workflows/authoring-techniques/anatomy.md#workflows-anatomy-outputs). + +## P-R [workflows-glossary-p-r] + +### RBAC [workflows-glossary-rbac] + +Role-based access control. {{kib}}'s privilege system. Workflows defines seven sub-feature privileges (`create`, `read`, `update`, `delete`, `execute`, `readExecution`, `cancelExecution`). Refer to [Set up Workflows](/explore-analyze/workflows/get-started/setup.md). + +### Resume [workflows-glossary-resume] + +Continuing a paused workflow after a `waitForInput` step. Done through the UI or the REST API. Refer to [Human-in-the-loop](/explore-analyze/workflows/authoring-techniques/human-in-the-loop.md). + +### Retry [workflows-glossary-retry] + +An `on-failure` strategy that re-runs a step. Supports exponential backoff, jitter, and per-error conditions. Refer to [Pass data and handle errors](/explore-analyze/workflows/authoring-techniques/pass-data-handle-errors.md). + +### RRule [workflows-glossary-rrule] + +Recurrence Rule. The iCalendar recurrence specification. Scheduled triggers accept rrules for calendar-style recurrence. Refer to [Scheduled triggers](/explore-analyze/workflows/triggers/scheduled-triggers.md). + +## S [workflows-glossary-s] + +### Scheduled trigger [workflows-glossary-scheduled-trigger] + +A trigger that runs a workflow on a time-based schedule. Refer to [Scheduled triggers](/explore-analyze/workflows/triggers/scheduled-triggers.md). + +### Schema (output) [workflows-glossary-schema-output] + +The declared shape of a workflow's outputs. Required for workflows invoked through `workflow.execute`. The engine validates child outputs against this schema before returning them to the parent. Refer to [Anatomy: `outputs`](/explore-analyze/workflows/authoring-techniques/anatomy.md#workflows-anatomy-outputs). + +### Space [workflows-glossary-space] + +A {{kib}} tenancy construct. Workflows belong to spaces; triggers and connectors scope to the space. + +### Step [workflows-glossary-step] + +One unit of work in a workflow. Has a `name`, a `type`, and step-specific parameters. Refer to the [Steps overview](/explore-analyze/workflows/steps.md). + +### Step type [workflows-glossary-step-type] + +The identifier of a particular kind of step (`elasticsearch.search`, `cases.createCase`, and so on). Refer to the [Step type index](/explore-analyze/workflows/reference/step-types.md). + +### Streams [workflows-glossary-streams] + +```{applies_to} +stack: preview 9.4+ +serverless: preview +``` + +A {{kib}} Observability feature. Workflow steps in the `kibana.streams.*` namespace operate on Observability streams. Refer to [Streams action steps](/explore-analyze/workflows/steps/streams.md). + +## T [workflows-glossary-t] + +### Tech Preview [workflows-glossary-tech-preview] + +A stability level. Features are usable and documented, but the schema or behavior can change in future releases. Marked with `applies_to: : preview` in this docset; the badge appears at the top of each affected page and beside the navigation entry. + +### Terminal state [workflows-glossary-terminal-state] + +An execution's final state. One of `completed`, `failed`, `cancelled`, `timed_out`, or `skipped`. Refer to [Anatomy: execution lifecycle](/explore-analyze/workflows/authoring-techniques/anatomy.md#workflows-anatomy-lifecycle). + +### Trigger [workflows-glossary-trigger] + +What starts a workflow. Supported types: `manual`, `scheduled`, `alert`, `workflows.failed`, and the `cases.*` event-driven triggers. Refer to [Triggers](/explore-analyze/workflows/triggers.md). + +## V-W [workflows-glossary-v-w] + +### Variables [workflows-glossary-variables] + +Named values set by `data.set` steps. Global within an execution. Accessed as `variables.`. Refer to [`data.set`](/explore-analyze/workflows/steps/data.md#data-set). + +### waitForInput [workflows-glossary-wait-for-input] + +The human-in-the-loop primitive. Pauses a workflow for human input. Refer to [Human-in-the-loop](/explore-analyze/workflows/authoring-techniques/human-in-the-loop.md) and [`waitForInput`](/explore-analyze/workflows/steps/wait-for-input.md). + +### Workflow [workflows-glossary-workflow] + +A declarative YAML automation. The primary unit of work in Elastic Workflows. Refer to [Anatomy of a workflow](/explore-analyze/workflows/authoring-techniques/anatomy.md). + +### `workflows.failed` [workflows-glossary-workflows-failed] + +```{applies_to} +stack: preview 9.4+ +serverless: preview +``` + +An [event-driven trigger](/explore-analyze/workflows/triggers/event-driven-triggers.md) that fires when another workflow's execution reaches the `failed` terminal state. Used to build handler workflows that react to failures. + +## Y [workflows-glossary-y] + +### YAML [workflows-glossary-yaml] + +YAML Ain't Markup Language. The format in which workflows are authored. Whitespace-sensitive. + +## Related [workflows-glossary-related] + +- [Cheat sheet](/explore-analyze/workflows/reference/cheat-sheet.md): One-page bookmark reference for the YAML shape, common patterns, and top gotchas. +- [Step type index](/explore-analyze/workflows/reference/step-types.md): Alphabetical catalog of every step type. +- [Context variables](/explore-analyze/workflows/reference/context-variables.md): Every variable you can reference in a Liquid expression. +- [Liquid filters](/explore-analyze/workflows/reference/liquid-filters.md): Filters available in workflow expressions. From ff19f4967dac9557101b5a220d537c15999cb120 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Thu, 18 Jun 2026 09:22:02 -0700 Subject: [PATCH 2/2] Fix redirected ES|QL link in workflows glossary Update the ES|QL reference link to the canonical elasticsearch://reference/query-languages/esql.md path so the strict docs build no longer fails on the redirect warning. Co-authored-by: Cursor --- explore-analyze/workflows/reference/glossary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/explore-analyze/workflows/reference/glossary.md b/explore-analyze/workflows/reference/glossary.md index f12fdd110f..f44a6f3a6a 100644 --- a/explore-analyze/workflows/reference/glossary.md +++ b/explore-analyze/workflows/reference/glossary.md @@ -90,7 +90,7 @@ An alert produced by a {{elastic-sec}} detection rule. Always in state `new` whe ### ES|QL [workflows-glossary-esql] -Elasticsearch Query Language. {{es}}'s SQL-like query language. Used in `elasticsearch.esql.query` steps. Refer to [Elasticsearch action steps](/explore-analyze/workflows/steps/elasticsearch.md) and [ES|QL reference](/explore-analyze/query-filter/languages/esql.md). +Elasticsearch Query Language. {{es}}'s SQL-like query language. Used in `elasticsearch.esql.query` steps. Refer to [Elasticsearch action steps](/explore-analyze/workflows/steps/elasticsearch.md) and [ES|QL reference](elasticsearch://reference/query-languages/esql.md). ### Event [workflows-glossary-event]