[8.14] [Response Ops][Alerting] Fixing bug with agg building for ES q…

…uery rule when there are multi-terms and a group by field (#182865) (#182898)

# Backport

This will backport the following commits from `main` to `8.14`:
- [[Response Ops][Alerting] Fixing bug with agg building for ES query
rule when there are multi-terms and a group by field
(#182865)](#182865)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ying
Mao","email":"ying.mao@elastic.co"},"sourceCommit":{"committedDate":"2024-05-08T02:58:19Z","message":"[Response
Ops][Alerting] Fixing bug with agg building for ES query rule when there
are multi-terms and a group by field
(#182865)","sha":"3f7731c8b79dc349111a843e39247f11b946b228","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Feature:Alerting","Team:ResponseOps","v8.14.0","v8.15.0"],"title":"[Response
Ops][Alerting] Fixing bug with agg building for ES query rule when there
are multi-terms and a group by
field","number":182865,"url":"#182865
Ops][Alerting] Fixing bug with agg building for ES query rule when there
are multi-terms and a group by field
(#182865)","sha":"3f7731c8b79dc349111a843e39247f11b946b228"}},"sourceBranch":"main","suggestedTargetBranches":["8.14"],"targetPullRequestStates":[{"branch":"8.14","label":"v8.14.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.15.0","branchLabelMappingKey":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"#182865
Ops][Alerting] Fixing bug with agg building for ES query rule when there
are multi-terms and a group by field
(#182865)","sha":"3f7731c8b79dc349111a843e39247f11b946b228"}}]}]
BACKPORT-->

Co-authored-by: Ying Mao <ying.mao@elastic.co>

x-pack/plugins/triggers_actions_ui/common/data/lib/build_agg.test.ts

@@ -793,6 +793,51 @@ describe('buildAgg', () => {
       });
     });
 
+    it('should create correct aggregation when condition params are defined and multi terms selected', async () => {
+      expect(
+        buildAggregation({
+          aggType: 'sum',
+          aggField: 'avg-field',
+          termField: ['the-term', 'second-term'],
+          termSize: 100,
+          condition: {
+            resultLimit: 1000,
+            conditionScript: `params.compareValue <= 0`,
+          },
+        })
+      ).toEqual({
+        groupAgg: {
+          multi_terms: {
+            size: 100,
+            terms: [{ field: 'the-term' }, { field: 'second-term' }],
+            order: {
+              metricAgg: 'desc',
+            },
+          },
+          aggs: {
+            conditionSelector: {
+              bucket_selector: {
+                buckets_path: {
+                  compareValue: 'metricAgg',
+                },
+                script: `params.compareValue <= 0`,
+              },
+            },
+            metricAgg: {
+              sum: {
+                field: 'avg-field',
+              },
+            },
+          },
+        },
+        groupAggCount: {
+          stats_bucket: {
+            buckets_path: 'groupAgg._count',
+          },
+        },
+      });
+    });
+
     it('should add topHitsAgg if topHitsSize is defined', () => {
       expect(
         buildAggregation({

x-pack/plugins/triggers_actions_ui/common/data/lib/build_agg.ts

@@ -46,7 +46,7 @@ export const buildAggregation = ({
   condition,
   topHitsSize,
 }: BuildAggregationOpts): Record<string, AggregationsAggregationContainer> => {
-  const aggContainer = {
+  const aggContainer: AggregationsAggregationContainer = {
     aggs: {},
   };
   const isCountAgg = isCountAggregation(aggType);
@@ -78,7 +78,7 @@ export const buildAggregation = ({
         : terms
       : terms;
 
-  let aggParent: any = aggContainer;
+  let aggParent: AggregationsAggregationContainer = aggContainer;
 
   const getAggName = () => (isDateAgg ? 'sortValueAgg' : 'metricAgg');
 
@@ -114,9 +114,15 @@ export const buildAggregation = ({
     // if not count add an order
     if (!isCountAgg) {
       const sortOrder = aggType === 'min' ? 'asc' : 'desc';
-      aggParent.aggs.groupAgg.terms!.order = {
-        [getAggName()]: sortOrder,
-      };
+      if (isMultiTerms && aggParent.aggs.groupAgg.multi_terms) {
+        aggParent.aggs.groupAgg.multi_terms.order = {
+          [getAggName()]: sortOrder,
+        };
+      } else if (aggParent.aggs.groupAgg.terms) {
+        aggParent.aggs.groupAgg.terms.order = {
+          [getAggName()]: sortOrder,
+        };
+      }
     } else if (includeConditionInQuery) {
       aggParent.aggs.groupAgg.aggs = {
         conditionSelector: {
@@ -193,7 +199,7 @@ export const buildAggregation = ({
   }
 
   if (timeSeries && dateRangeInfo) {
-    aggParent = aggParent.aggs.dateAgg;
+    aggParent = aggParent?.aggs?.dateAgg ?? {};
 
     // finally, the metric aggregation, if requested
     if (!isCountAgg) {
@@ -207,5 +213,5 @@ export const buildAggregation = ({
     }
   }
 
-  return aggContainer.aggs;
+  return aggContainer.aggs ?? {};
 };