[ES|QL] Enable ESQL alerts from the Discover app

[stratoula]

Summary

Enables the Alerts menu in Discover nav for the ES|QL mode and defaults to ESQL alerts by carrying the query that the user has typed.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

[ninoslavmiskovic]

👏

[jughosta]

Great addition for ES|QL!

[jughosta]

I am seeing this UI for the first time and "Alerts generated" label looks confusing when you are just creating a new alert. Can we remove or rephrase it?

[stratoula]

This is not owned by us. If you have any recommendations for the alerting team it is better to create an issue for them cc @mikecote

[jughosta]

• Not related to this line

"View in app" link seems to be not working for ES|QL alerts:

I would expect it to open ES|QL view in Discover if possible instead of this error:

[stratoula]

Also not related to us cc @mikecote maybe it makes sense to have a look on this when this PR is being merged

[mikecote]

We have it configured so rules created from discover navigate to the following path whenever a user clicks "View in app": /app/discover#/viewAlert/${alert.id}.

Is there something that should change with the path for ES|QL rules? The code comes from here: https://github.com/elastic/kibana/blob/main/x-pack/plugins/stack_alerts/public/rule_types/es_query/index.ts#L51C15-L51C51.

cc @XavierM as he is working on changing this in the recent release.

[stratoula]

I think I can take a look to see if we can make it work from Discover side.

[stratoula]

I fixed that 👍

[jughosta]

Great, thanks! Now the feature looks complete to me 🙂

@kertal Could you please also review this change 2800b2e if you have time?

[kertal]

thx Julia! Code looks good, but I wonder if it is used when generating the link to Discover? I've created a rule with a notification containing a {{context.link}} field:

But what was ingested was the link to the alert rule:

@stratoula we intend to link to Discover also in ES|QL cases right?

[stratoula]

This already exists in main unfortunately so better been handled on a separate PR. I synced with Matthias and we are going to open an issue on alerting.

[stratoula]

@jughosta thanx for the review. From all your comments only one was related to this PR and was a limitation from the Alerts ui. I changed it to get the timestamp info also on initialization when there is an existing query

[jughosta]

Changes related to enabling ES|QL alerts from Discover LGTM 👍

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 2800b2e

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
discover	551.0KB	551.7KB	+689.0B
stackAlerts	203.0KB	203.0KB	+30.0B
total			+719.0B

History

• 💚 Build #158359 succeeded 38d89fa
• 💔 Build #158279 failed 6464397
• 💚 Build #158208 succeeded b165687
• 💔 Build #157867 failed af91499
• 💚 Build #157653 succeeded 04791a1
• 💔 Build #157260 failed a6d4486

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @stratoula

[doakalexi]

ResponseOps changes LGTM!

[kertal]

Using ES|QL in alerting 🥳 ... who could imagine this would be possible so quickly!

One thing I noticed when testing the preview, it also works with timestamp selection! Great! The preview table seems to ignore the custom timestamp, having selected the customer birth date as a timestamp, there seem to be lots of customers born in the last 5 minutes. While in theory this is not impossible, I think it's because in the request for the preview there's no time filter involved

[stratoula]

@kertal this is correct. In ESQL the users can write a where clause with a timefield on their own if there is no @timestamp detected. The same is happening in Discover too. Possibly the alerting team should disable the timefilter selection in these cases cc @doakalexi but it is irrelevant with this PR I think.