Elasticsearch MCP in Claude Code

Quick answer: Install the Elasticsearch MCP server with npx -y elasticsearch-mcp-server, add the JSON block below to ~/.claude/settings.json, restart Claude Code, and run /mcp to confirm the connection. Setup runs about 5 minutes on a fresh machine, verified on elasticsearch-mcp-server as of April 15, 2026.

The Elasticsearch MCP server gives Claude Code a tool surface on any Elasticsearch cluster. After setup, the model can list indices, run searches and aggregations, inspect mappings, and read cluster health. The server is published as elasticsearch-mcp-server and uses a standard HTTPS URL with optional basic auth or API key.

This guide covers what you get after the wiring is done, the exact config, verification steps, prompt patterns that tend to work well, and the 4 issues that trip people up most often in the first week.

What you get when it is connected

Once the Elasticsearch server is attached, Claude Code can call the server tools from inside any conversation. You do not invoke the tools by hand. When you ask Claude a question the model decides which tool to call and parses the response for you. For teams that live inside Elasticsearch day to day, this replaces dozens of context switches per week with a single line in chat.

Tools exposed include list_indices, search, count, aggregate, get_mapping, get_cluster_health, get_index_stats. Query DSL is passed as structured JSON; the model builds bodies directly. For cross-cluster search, the server supports the ccs namespace prefix in index patterns.

Prerequisites

An Elasticsearch 7+ or 8+ cluster reachable from your machine. If auth is enabled, a username and password or an API key. Node 20 or later on the host.

If you use a version manager like nvm or asdf for Node, confirm the version Claude Code inherits. Open a terminal, run node -v, and note the output. Claude Code uses the Node it sees on PATH at launch, so a shell profile that sets the right version is the reliable path.

Install via npx

Run the package once with npx to verify it starts cleanly:

npx -y elasticsearch-mcp-server

The first run downloads the package (a few MB) and starts the server on stdio. The server does not print much on success - it waits for MCP protocol messages on stdin. Press Ctrl-C to stop it. The actual runtime setup happens through Claude Code itself in the next step.

If the install fails with a network error, your npm registry may be blocked. Set npm config set registry https://registry.npmjs.org and retry. Behind a corporate proxy, also set HTTP_PROXY and HTTPS_PROXY in your shell.

Add the config block to ~/.claude/settings.json

Open ~/.claude/settings.json in your editor. If the file does not exist yet, create it with {} as the starting content. Add an mcpServers object with an entry for this server:

{
  "mcpServers": {
    "elasticsearch": {
      "command": "npx",
      "args": ["-y", "elasticsearch-mcp-server"],
      "env": {
        "ELASTICSEARCH_URL": "https://es.example.com:9200",
        "ELASTICSEARCH_API_KEY": "BASE64KEY"
      }
    }
  }
}

Save the file. If you already have other MCP servers defined, merge the new entry into the existing mcpServers object rather than replacing it.

Restart Claude Code fully (quit and reopen, not just close the window). The server is spawned lazily on the first tool call in a session, not at launch, but the config is read once per Claude Code start.

Verify the connection

Open a new Claude Code session and type /mcp at the prompt. You should see the server listed with a green or connected indicator. If it shows as failed, click into it for the stderr output - the error message usually points at the problem directly (bad token, wrong path, missing Node).

Run a trivial first prompt to confirm round trips work. Good smoke tests:

• For read servers: ask for a list of whatever resource type it exposes.
• For write servers: ask for a describe on a known resource first, then try a safe write on a test resource.

If the first prompt works, the wiring is done. From here on you interact with the server purely through normal prompts in Claude Code.

Example prompts that work well

Here are prompts that tend to get good responses once the server is attached:

• List every index in the cluster and tell me the doc count and size for each.
• Run a match query against the logs-* indices for error messages in the last 15 minutes and return the top 20 hits.
• Aggregate the products index by category and return the top 5 categories by average price.
• Read the mapping for the orders index and tell me which fields are keyword versus text.
• Check the cluster health and tell me whether any shards are unassigned.
• Count how many documents in logs-2026 match the query service equals api and level equals warn.

Claude will chain tool calls on its own when the prompt implies several steps. For a summarize-then-write flow the model will often call read tools first, then a single write tool at the end. If a prompt keeps burning tool calls, narrow it: specify the resource ID, the time range, or the exact field you want rather than asking Claude to scan everything.

Environment variable security

At minimum set ELASTICSEARCH_URL. For auth, use either ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD or the ELASTICSEARCH_API_KEY base64 value. API keys are preferred because they support scoped permissions per index. Rotate via the Kibana UI under Stack Management > API Keys if compromised.

A general rule across every MCP server: never paste secrets directly into settings.json that lives in a shared or git-tracked directory. Keep the actual secret values in your shell profile (~/.zshrc, ~/.bashrc, or a 1Password-cli helper), export them at shell start, and reference the variable names from the Claude config. That way the secret stays on your machine and the config file is safe to share with teammates.

On macOS, terminals launched from Spotlight or from the Dock both inherit the shell profile. If you launch Claude Code from a GUI shortcut that does not go through a shell, env vars may not propagate - launch from a terminal instead.

Troubleshooting

Tool calls return 401. Auth credentials are wrong. Verify the API key is still active at Stack Management > API Keys in Kibana. Username-password combos fail silently if the native realm is disabled - switch to API keys in that case.

Searches return partial results. Some shards may be slow or failing. Include shard failures in the response by asking Claude to pass allow_partial_search_results=false, then fix the red shard before retrying.

Large aggregations run out of memory. Default bucket limits are 65535. Narrow the cardinality with a filter, or increase search.max_buckets temporarily with a cluster setting update.

Connection fails with self-signed cert. Set NODE_TLS_REJECT_UNAUTHORIZED=0 for local testing only. For real use, export the CA cert and set NODE_EXTRA_CA_CERTS to its path. Never ship the insecure flag to production.

For any issue not listed here, the first step is /mcp inside Claude Code to see the current status and any recent stderr from the server. The second step is running the exact npx command from your terminal to see if the server starts cleanly outside Claude Code. Between those two checks, most problems become obvious within a minute.

Next steps

Once the Elasticsearch server is attached and verified, the useful next move is writing a short prompt template you keep in your notes. List the 3 or 4 prompts you run most often against this server, and paste them into Claude Code when needed. Over a few weeks you build a personal command library that gets real work done without typing much.

For team projects, commit a .mcp.json at the repo root with the same structure. Everyone on the team gets the server wired up automatically on first open, and individual secrets stay in shell profiles. That is the setup pattern that scales past a single developer.