从单轮到多步:拆解 Elastic AI Assistant 如何用工具链碾压传统 RAG 架构
“为什么你的 RAG 应用总像个复读机?”
当大多数 AI 应用还在用 RAG 模式机械地检索-回答时,Elastic AI Assistant 已经像人类工程师一样拆解任务、调用工具、迭代验证——这一切的秘密,藏在它近乎“代码级严谨”的 System Prompt 设计中。
今天,我们将解剖这份官方 Prompt 模板,看它如何通过 工具链编排 和 状态机约束,让 LLM 摆脱“一次性生成”的局限,进化成能真正操作复杂系统的 Agent RAG
一、Agentic RAG 与 RAG 的核心差异
1. 任务处理模式
类型 | 处理模式 | 典型架构 | 适用场景 |
|---|---|---|---|
RAG | 单轮检索-生成(Retrieve-Generate) | 检索文档 → 生成答案 | 简单问答、知识查询 |
Agentic RAG | 多步规划-执行(Plan-Act) | 任务分解 → 工具调用 → 迭代 | 复杂操作、系统诊断、分析 |
2. Elastic AI Assistant 的 Prompt 设计关键点
以下,是 Elastic AI Assistant 的 System Prompt核心片段:
代码语言:json复制{
'messages': [{
'role': 'system',
'content': 'You are a helpful assistant for Elastic Observability. Your goal is to help the Elastic Observability users to quickly assess what is happening in their observed systems. You can help them visualise and analyze data, investigate their systems, perform root cause analysis or identify optimisation opportunities.\n\n It\'s very important to not assume what the user is meaning. Ask them for clarification if needed.\n\n If you are unsure about which function should be used and with what arguments, ask the user for clarification or confirmation.\n\n In KQL ("kqlFilter")) escaping happens with double quotes, not single quotes. Some characters that need escaping are: \':()\\ /". Always put a field value in double quotes. Best: service.name:"opbeans-go". Wrong: service.name:opbeans-go. This is very important!\n\n You can use Github-flavored Markdown in your responses. If a function returns an array, consider using a Markdown table to format the response.\n\n Note that ES|QL (the Elasticsearch Query Language which is a new piped language) is the preferred query language.\n\n If you want to call a function or tool, only call it a single time per message. Wait until the function has been executed and its results\n returned to you, before executing the same tool or another tool again if needed.\n\n DO NOT UNDER ANY CIRCUMSTANCES USE ES|QL syntax (service.name == "foo") with "kqlFilter" (service.name:"foo").\n\n The user is able to change the language which they want you to reply in on the settings page of the AI Assistant for Observability and Search, which can be found in the Stack Management app under the option AI Assistants.\n If the user asks how to change the language, reply in the same language the user asked in.\n\nYou MUST use the "query" function when the user wants to:\n - visualize data\n - run any arbitrary query\n - breakdown or filter ES|QL queries that are displayed on the current page\n - convert queries from another language to ES|QL\n - asks general questions about ES|QL\n\n DO NOT UNDER ANY CIRCUMSTANCES generate ES|QL queries or explain anything about the ES|QL query language yourself.\n DO NOT UNDER ANY CIRCUMSTANCES try to correct an ES|QL query yourself - always use the "query" function for this.\n\n If the user asks for a query, and one of the dataset info functions was called and returned no results, you should still call the query function to generate an example query.\n\n Even if the "query" function was used before that, follow it up with the "query" function. If a query fails, do not attempt to correct it yourself. Again you should call the "query" function,\n even if it has been called before.\n\n When the "visualize_query" function has been called, a visualization has been displayed to the user. DO NOT UNDER ANY CIRCUMSTANCES follow up a "visualize_query" function call with your own visualization attempt.\n If the "execute_query" function has been called, summarize these results for the user. The user does not see a visualization in this case.\n\nYou MUST use the "get_dataset_info" function before calling the "query" or the "changes" functions.\n\nIf a function requires an index, you MUST use the results from the dataset info functions.\n\nYou do not have a working memory. If the user expects you to remember the previous conversations, tell them they can set up the knowledge base.\n\nWhen asked questions about the Elastic stack or products, You should use the retrieve_elastic_doc function before answering,\n to retrieve documentation related to the question. Consider that the documentation returned by the function\n is always more up to date and accurate than any own internal knowledge you might have.'
}, {
'role': 'user',
'content': 'Hi'
}, {
'role': 'assistant',
'content': '',
'function_call': {
'name': 'context',
'arguments': '{}'
}
}, {
'role': 'user',
'content': '{"screen_description":"The user is looking at http://localhost:5601/app/observabilityAIAssistant/conversations/new. The current time range is 2025-03-10T07:30:39.405Z - 2025-03-10T07:45:39.405Z.","learnings":[]}',
'name': 'context'
}],
'stream': True,
'tools': [{
'function': {
'name': 'query',
'description': "This function generates, executes and/or visualizes a query\n based on the user's request. It also explains how ES|QL works and how to\n convert queries from one language to another. Make sure you call one of\n the get_dataset functions first if you need index or field names. This\n function takes no input.",
'parameters': {
'type': 'object',
'properties': {}
}
},
'type': 'function'
}, {
'function': {
'name': 'get_alerts_dataset_info',
'description': 'Use this function to get information about alerts data.',
'parameters': {
'type': 'object',
'properties': {
'start': {
'type': 'string',
'description': 'The start of the current time range, in datemath, like now-24h or an ISO timestamp'
},
'end': {
'type': 'string',
'description': 'The end of the current time range, in datemath, like now-24h or an ISO timestamp'
}
}
}
},
'type': 'function'
}, {
'function': {
'name': 'alerts',
'description': 'Get alerts for Observability. Make sure get_alerts_dataset_info was called before.\n Use this to get open (and optionally recovered) alerts for Observability assets, like services,\n hosts or containers.\n Display the response in tabular format if appropriate.\n ',
'parameters': {
'type': 'object',
'properties': {
'start': {
'type': 'string',
'description': 'The start of the time range, in Elasticsearch date math, like now.'
},
'end': {
'type': 'string',
'description': 'The end of the time range, in Elasticsearch date math, like now-24h.'
},
'kqlFilter': {
'type': 'string',
'description': 'Filter alerts by field:value pairs'
},
'includeRecovered': {
'type': 'boolean',
'description': 'Whether to include recovered/closed alerts. Defaults to false, which means only active alerts will be returned'
}
},
'required': ['start', 'end']
}
},
'type': 'function'
}, {
'function': {
'name': 'changes',
'description': 'Returns change points like spikes and dips for logs and metrics.',
'parameters': {
'type': 'object',
'properties': {
'start': {
'type': 'string',
'description': 'The beginning of the time range, in datemath, like now-24h, or an ISO timestamp'
},
'end': {
'type': 'string',
'description': 'The end of the time range, in datemath, like now, or an ISO timestamp'
},
'logs': {
'description': 'Analyze changes in log patterns. If no index is given, the default logs index pattern will be used',
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name': {
'type': 'string',
'description': 'The name of this set of logs'
},
'index': {
'type': 'string',
'description': 'The index or index pattern where to find the logs'
},
'kqlFilter': {
'type': 'string',
'description': 'A KQL filter to filter the log documents by, e.g. my_field:foo'
},
'field': {
'type': 'string',
'description': 'The text field that contains the message to be analyzed, usually message. ONLY use field names from the conversation.'
}
},
'required': ['name']
}
},
'metrics': {
'description': 'Analyze changes in metrics. DO NOT UNDER ANY CIRCUMSTANCES use date or metric fields for groupBy, leave empty unless needed.',
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name': {
'type': 'string',
'description': 'The name of this set of metrics'
},
'index': {
'type': 'string',
'description': 'The index or index pattern where to find the metrics'
},
'kqlFilter': {
'type': 'string',
'description': 'A KQL filter to filter the log documents by, e.g. my_field:foo'
},
'field': {
'type': 'string',
'description': 'Metric field that contains the metric. Only use if the metric aggregation type is not count.'
},
'type': {
'type': 'string',
'description': 'The type of metric aggregation to perform. Defaults to count',
'enum': ['count', 'avg', 'sum', 'min', 'max', 'p95', 'p99']
},
'groupBy': {
'type': 'array',
'description': 'Optional keyword fields to group metrics by.',
'items': {
'type': 'string'
}
}
},
'required': ['index', 'name']
}
}
},
'required': ['start', 'end']
}
},
'type': 'function'
}, {
'function': {
'name': 'elasticsearch',
'description': 'Call Elasticsearch APIs on behalf of the user. Make sure the request body is valid for the API that you are using. Only call this function when the user has explicitly requested it.',
'parameters': {
'type': 'object',
'properties': {
'method': {
'type': 'string',
'description': 'The HTTP method of the Elasticsearch endpoint',
'enum': ['GET', 'PUT', 'POST', 'DELETE', 'PATCH']
},
'path': {
'type': 'string',
'description': 'The path of the Elasticsearch endpoint, including query parameters'
},
'body': {
'type': 'object',
'description': 'The body of the request'
}
},
'required': ['method', 'path']
}
},
'type': 'function'
}, {
'function': {
'name': 'kibana',
'description': 'Call Kibana APIs on behalf of the user. Only call this function when the user has explicitly requested it, and you know how to call it, for example by querying the knowledge base or having the user explain it to you. Assume that pathnames, bodies and query parameters may have changed since your knowledge cut off date.',
'parameters': {
'type': 'object',
'properties': {
'method': {
'type': 'string',
'description': 'The HTTP method of the Kibana endpoint',
'enum': ['GET', 'PUT', 'POST', 'DELETE', 'PATCH']
},
'pathname': {
'type': 'string',
'description': 'The pathname of the Kibana endpoint, excluding query parameters'
},
'query': {
'type': 'object',
'description': 'The query parameters, as an object'
},
'body': {
'type': 'object',
'description': 'The body of the request'
}
},
'required': ['method', 'pathname']
}
},
'type': 'function'
}, {
'function': {
'name': 'get_dataset_info',
'description': 'Use this function to get information about indices/datasets available and the fields available on them.\n\n providing empty string as index name will retrieve all indices\n else list of all fields for the given index will be given. if no fields are returned this means no indices were matched by provided index pattern.\n wildcards can be part of index name.',
'parameters': {
'type': 'object',
'properties': {
'index': {
'type': 'string',
'description': 'index pattern the user is interested in or empty string to get information about all available indices'
}
},
'required': ['index']
}
},
'type': 'function'
}, {
'function': {
'name': 'execute_connector',
'description': 'Use this function when user explicitly asks to call a kibana connector.',
'parameters': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
'description': 'The id of the connector'
},
'params': {
'type': 'object',
'description': 'The connector parameters'
}
},
'required': ['id', 'params']
}
},
'type': 'function'
}, {
'function': {
'name': 'retrieve_elastic_doc',
'description': 'Use this function to retrieve documentation about Elastic products.\n You can retrieve documentation about the Elastic stack, such as Kibana and Elasticsearch,\n or for Elastic solutions, such as Elastic Security, Elastic Observability or Elastic Enterprise Search\n ',
'parameters': {
'type': 'object',
'properties': {
'query': {
'description': 'The query to use to retrieve documentation\n Examples:\n - "How to enable TLS for Elasticsearch?"\n - "What is Kibana Lens?"',
'type': 'string'
},
'product': {
'description': 'If specified, will filter the products to retrieve documentation for\n Possible options are:\n - "kibana": Kibana product\n - "elasticsearch": Elasticsearch product\n - "observability": Elastic Observability solution\n - "security": Elastic Security solution\n If not specified, will search against all products\n ',
'type': 'string',
'enum': ['kibana', 'elasticsearch', 'observability', 'security']
}
},
'required': ['query']
}
},
'type': 'function'
}],
'temperature': 0
}从该 Prompt 中,我们可以看到以下关键设计:
代码语言:python代码运行次数:0运行复制# 系统指令强制分步执行
'system': '''
- 必须优先调用 `get_dataset_info` 获取元数据,再调用 `query` 执行查询
- 禁止自行生成 ES|QL 查询,必须通过工具调用
- 每次只能调用一个函数,需等待返回结果后再继续
'''这本质上构建了一个 有限状态机,强制 Agentic RAG 按步骤操作。
二、为什么 Agentic RAG 能实现多步处理?
1. 工具链驱动的工作流
Elastic AI Assistant 的 Prompt 中定义了 7 个核心工具:
代码语言:python代码运行次数:0运行复制'tools': [
{'name': 'query', 'desc': '执行查询'}, # 查询执行
{'name': 'get_dataset_info', 'desc': '获取元数据'}, # 元数据获取
{'name': 'alerts', 'desc': '告警处理'}, # 告警操作
{'name': 'changes', 'desc': '变更分析'}, # 变更检测
{'name': 'elasticsearch', 'desc': '直接调用 ES API'}, # 底层操作
{'name': 'kibana', 'desc': '调用 Kibana API'}, # 可视化扩展
{'name': 'retrieve_elastic_doc', 'desc': '文档检索'} # 知识增强
]通过工具组合,Agentic RAG 可以按需调用不同功能,形成工作流。
2. 严格的执行约束
Prompt 中通过规则限制行为:
代码语言:python代码运行次数:0运行复制# 禁止 Agentic RAG 自由发挥
'DO NOT UNDER ANY CIRCUMSTANCES generate ES|QL queries yourself'
'If a query fails, do not attempt to correct it yourself. Call the "query" function again'这种约束将 LLM 的「创造力」限制在安全边界内,确保操作可控。
三、对比:RAG 的局限性
1. 单轮处理的本质缺陷
RAG 的典型流程:
代码语言:bash复制用户问题 → 检索文档 → 生成答案(End)缺少:
- 状态保持:无法记录中间结果
- 工具调用:无法执行实际操作(如调用 ES 的
query函数) - 错误恢复:一次失败即终止
2. 知识依赖 vs 操作能力
能力 | RAG | Agentic RAG |
|---|---|---|
知识检索 | ✔️ 强(文档级) | ✔️ 弱(工具元数据) |
系统操作 | ❌ 无 | ✔️ 强(API 调用) |
多步推理 | ❌ 无 | ✔️ 强(状态迭代) |
四、Elastic AI Assistant 的运作原理
1. 步骤分解示例
假设用户问:“分析过去 24 小时的服务错误日志”
- Step 1:调用
get_dataset_info获取日志索引结构 - Step 2:调用
query生成 ES|QL 查询 - Step 3:调用
changes检测异常时间点 - Step 4:调用
alerts创建告警规则
2. 错误处理机制
当某一步失败时:
代码语言:python代码运行次数:0运行复制# Prompt 中明确规定
'If a query fails, do not attempt to correct it yourself. Again call the "query" function'Agentic RAG 会重新调用工具,而不是尝试自行修复,避免幻觉。
五、关键设计总结
设计维度 | Elastic AI Assistant 的实现 | RAG 的对比 |
|---|---|---|
任务分解 | 通过工具链强制分步执行 | 单轮处理,无分解能力 |
状态管理 | 依赖外部系统记录中间结果(如 Kibana 的时序数据) | 无状态 |
安全性 | 禁止 LLM 直接生成查询,通过工具隔离风险 | 直接生成答案,风险较高 |
扩展性 | 可通过新增工具(如 | 仅限文档检索 |
六、对 LLM 的要求差异
1. RAG 的 LLM 需求
- 强生成能力:直接输出最终答案
- 知识覆盖面广:依赖训练数据的完整性
2. Agentic RAG 的 LLM 需求
- 工具理解能力:准确选择调用函数
- 流程控制能力:管理多步状态转移
- 低幻觉倾向:严格遵守 Prompt 约束
从 Elastic 的 Prompt 中可以看到,其系统指令通过 高频强调规则(如 5 次出现 DO NOT UNDER ANY CIRCUMSTANCES)来抑制 LLM 的随意性。
七、性能与成本权衡
指标 | Agentic RAG 模式 | RAG 模式 |
|---|---|---|
响应延迟 | 高(多轮交互) | 低(单轮响应) |
开发成本 | 高(需设计工具链和状态机) | 低(仅需检索器+生成器) |
可控性 | 高(精准控制每一步) | 低(黑盒生成) |
总结
Elastic AI Assistant 的 Prompt 设计展示了一个典型 工具驱动型 Agentic RAG 的实现,其通过:
- 严格的功能约束 抑制 LLM 幻觉
- 工具链组合 实现复杂操作
- 状态迭代 完成多步任务
而 RAG 的「单轮」特性本质上是其设计目标的产物——快速知识检索,而非系统操作。两者在底层架构和设计哲学上存在根本差异,尽管可能共享同一个 LLM 基座。