[event log] add a millisecond version of kibana.task.schedule_delay to the schema

[pmuellr]

In PR Implement writing rule execution events to event_log #112286 we are starting to standardize on time units used within event log documents. ECS only defines one duration field - event.duration - which is in nanoseconds. But nanoseconds are a pain to deal with, especially since we typically only need millisecond or second precision.

Part of this "standardization" is to use the time unit as a suffix of the field name, e.g. _ms for millseconds, _s for seconds, etc.

In a prior PR, we added the event log field kibana.task.schedule_delay, which is measurement of task manager "drift" for the task execution. And it's stored in nanosecond units. Which would then mean we should probably start storing a field kibana.task.schedule_delay_ms in millsecond format. The question then is, if we want to use this field with old versions of the event log, how would we do that. Runtime field trickery?

If it's too hard to do this, it's probably not critical. We could always leave it as is, and then create a runtime field for the _ms version ...

This isn't a critical issue, but I thought it would be interesting to think about this one, as a somewhat practical exercise in figuring out the event log schema can be changed over time, for cases like this.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[mikecote]

As a workaround, until this issue removes the pain points, you can modify the event log index pattern to convert nanoseconds to something else. This will only work when displaying the values in specific places (ex: discover), the pain points still exist on filters, etc.