[ResponseOps][Alerts] Add alerts grouping aggregations endpoint

packages/kbn-alerts-ui-shared/src/common/hooks/index.ts

@@ -13,3 +13,4 @@ export * from './use_load_alerting_framework_health';
 export * from './use_create_rule';
 export * from './use_update_rule';
 export * from './use_resolve_rule';
+export * from './use_get_alerts_group_aggregations_query';

packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.ts

@@ -0,0 +1,80 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { i18n } from '@kbn/i18n';
+import { useQuery } from '@tanstack/react-query';
+import type { HttpStart } from '@kbn/core-http-browser';
+import type { ToastsStart } from '@kbn/core-notifications-browser';
+import { SearchResponseBody } from '@elastic/elasticsearch/lib/api/types';
+import { AlertConsumers } from '@kbn/rule-data-utils';
+import type {
+  AggregationsAggregationContainer,
+  QueryDslQueryContainer,
+  SortCombinations,
+} from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { BASE_RAC_ALERTS_API_PATH } from '../constants';
+
+export interface UseGetAlertsGroupAggregationsQueryProps {
+  http: HttpStart;
+  toasts: ToastsStart;
+  enabled?: boolean;
+  params: {
+    featureIds: AlertConsumers[];
+    groupByField: string;
+    aggregations?: Record<string, AggregationsAggregationContainer>;
+    filters?: QueryDslQueryContainer[];
+    sort?: SortCombinations[];
+    pageIndex?: number;
+    pageSize?: number;
+  };
+}
+
+/**
+ * Fetches alerts aggregations for a given groupByField.
+ *
+ * Some default aggregations are applied:
+ * - `groupByFields`, to get the buckets based on the provided grouping field,
+ *   - `unitsCount`, to count the number of alerts in each bucket,
+ * - `unitsCount`, to count the total number of alerts targeted by the query,
+ * - `groupsCount`, to count the total number of groups.
+ *
+ * The provided `aggregations` are applied within `groupByFields`. Here the `groupByField` runtime
+ * field can be used to perform grouping-based aggregations.
+ *
+ * Applies alerting RBAC through featureIds.
+ */
+export const useGetAlertsGroupAggregationsQuery = <T>({
+  http,
+  toasts,
+  enabled = true,
+  params,
+}: UseGetAlertsGroupAggregationsQueryProps) => {
+  const onErrorFn = (error: Error) => {
+    if (error) {
+      toasts.addDanger(
+        i18n.translate(
+          'alertsUIShared.hooks.useFindAlertsQuery.unableToFetchAlertsGroupingAggregations',
+          {
+            defaultMessage: 'Unable to fetch alerts grouping aggregations',
+          }
+        )
+      );
+    }
+  };
+
+  return useQuery({
+    queryKey: ['getAlertsGroupAggregations', JSON.stringify(params)],
+    queryFn: () =>
+      http.post<SearchResponseBody<{}, T>>(`${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`, {
+        body: JSON.stringify(params),
+      }),
+    onError: onErrorFn,
+    refetchOnWindowFocus: false,
+    enabled,
+  });
+};

x-pack/plugins/rule_registry/common/types.ts

@@ -311,6 +311,11 @@ export const bucketAggsSchemas = t.intersection([
   ),
 ]);
 
+export const alertsAggregationsSchema = t.record(
+  t.string,
+  t.intersection([metricsAggsSchemas, bucketAggsSchemas])
+);
+
 export type PutIndexTemplateRequest = estypes.IndicesPutIndexTemplateRequest & {
   body?: { composed_of?: string[] };
 };

x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.mock.ts

@@ -19,6 +19,7 @@ const createAlertsClientMock = () => {
     bulkUpdate: jest.fn(),
     bulkUpdateCases: jest.fn(),
     find: jest.fn(),
+    getGroupAggregations: jest.fn(),
     getFeatureIdsByRegistrationContexts: jest.fn(),
     getBrowserFields: jest.fn(),
     getAlertSummary: jest.fn(),

x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 import Boom from '@hapi/boom';
+import { v4 as uuid } from 'uuid';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { PublicMethodsOf } from '@kbn/utility-types';
 import { Filter, buildEsQuery, EsQueryConfig } from '@kbn/es-query';
@@ -27,6 +28,7 @@ import {
 
 import {
   InlineScript,
+  MappingRuntimeFields,
   QueryDslQueryContainer,
 } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { RuleTypeParams, PluginStartContract as AlertingStart } from '@kbn/alerting-plugin/server';
@@ -41,6 +43,8 @@ import { AuditLogger } from '@kbn/security-plugin/server';
 import { FieldDescriptor, IndexPatternsFetcher } from '@kbn/data-plugin/server';
 import { isEmpty } from 'lodash';
 import { RuleTypeRegistry } from '@kbn/alerting-plugin/server/types';
+import { TypeOf } from 'io-ts';
+import { DEFAULT_ALERTS_GROUP_BY_FIELD_SIZE, MAX_ALERTS_GROUPING_QUERY_SIZE } from './constants';
 import { BrowserFields } from '../../common';
 import { alertAuditEvent, operationAlertAuditActionMap } from './audit_events';
 import {
@@ -53,6 +57,7 @@ import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import { IRuleDataService } from '../rule_data_plugin_service';
 import { getAuthzFilter, getSpacesFilter } from '../lib';
 import { fieldDescriptorToBrowserFieldMapper } from './browser_fields';
+import { alertsAggregationsSchema } from '../../common/types';
 
 // TODO: Fix typings https://github.com/elastic/kibana/issues/101776
 type NonNullableProps<Obj extends {}, Props extends keyof Obj> = Omit<Obj, Props> & {
@@ -88,15 +93,15 @@ export interface ConstructorOptions {
 export interface UpdateOptions<Params extends RuleTypeParams> {
   id: string;
   status: string;
-  _version: string | undefined;
+  _version?: string;
   index: string;
 }
 
 export interface BulkUpdateOptions<Params extends RuleTypeParams> {
-  ids: string[] | undefined | null;
+  ids?: string[] | null;
   status: STATUS_VALUES;
   index: string;
-  query: object | string | undefined | null;
+  query?: object | string | null;
 }
 
 interface MgetAndAuditAlert {
@@ -129,17 +134,18 @@ interface GetAlertSummaryParams {
 }
 
 interface SingleSearchAfterAndAudit {
-  id?: string | null | undefined;
-  query?: string | object | undefined;
-  aggs?: Record<string, any> | undefined;
+  id?: string | null;
+  query?: string | object;
+  aggs?: Record<string, any>;
   index?: string;
-  _source?: string[] | undefined;
+  _source?: string[] | false;
   track_total_hits?: boolean | number;
-  size?: number | undefined;
+  size?: number;
   operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
-  sort?: estypes.SortOptions[] | undefined;
-  lastSortIds?: Array<string | number> | undefined;
+  sort?: estypes.SortOptions[];
+  lastSortIds?: Array<string | number>;
   featureIds?: string[];
+  runtimeMappings?: MappingRuntimeFields;
 }
 
 /**
@@ -213,13 +219,10 @@ export class AlertsClient {
     items: Array<{
       _id: string;
       // this is typed kind of crazy to fit the output of es api response to this
-      _source?:
-        | {
-            [ALERT_RULE_TYPE_ID]?: string | null | undefined;
-            [ALERT_RULE_CONSUMER]?: string | null | undefined;
-          }
-        | null
-        | undefined;
+      _source?: {
+        [ALERT_RULE_TYPE_ID]?: string | null;
+        [ALERT_RULE_CONSUMER]?: string | null;
+      } | null;
     }>,
     operation: ReadOperations.Find | ReadOperations.Get | WriteOperations.Update
   ) {
@@ -236,8 +239,8 @@ export class AlertsClient {
       { hitIds: [], ownersAndRuleTypeIds: [] } as {
         hitIds: string[];
         ownersAndRuleTypeIds: Array<{
-          [ALERT_RULE_TYPE_ID]: string | null | undefined;
-          [ALERT_RULE_CONSUMER]: string | null | undefined;
+          [ALERT_RULE_TYPE_ID]?: string | null;
+          [ALERT_RULE_CONSUMER]?: string | null;
         }>;
       }
     );
@@ -289,6 +292,7 @@ export class AlertsClient {
     sort,
     lastSortIds = [],
     featureIds,
+    runtimeMappings,
   }: SingleSearchAfterAndAudit) {
     try {
       const alertSpaceId = this.spaceId;
@@ -322,6 +326,7 @@ export class AlertsClient {
             },
           },
         ],
+        runtime_mappings: runtimeMappings,
       };
 
       if (lastSortIds.length > 0) {
@@ -982,6 +987,7 @@ export class AlertsClient {
     sort,
     track_total_hits: trackTotalHits,
     _source,
+    runtimeMappings,
   }: {
     aggs?: object;
     featureIds?: string[];
@@ -991,7 +997,8 @@ export class AlertsClient {
     size?: number;
     sort?: estypes.SortOptions[];
     track_total_hits?: boolean | number;
-    _source?: string[];
+    _source?: string[] | false;
+    runtimeMappings?: MappingRuntimeFields;
   }) {
     try {
       let indexToUse = index;
@@ -1013,6 +1020,7 @@ export class AlertsClient {
         operation: ReadOperations.Find,
         sort,
         lastSortIds: searchAfter,
+        runtimeMappings,
       });
 
       if (alertsSearchResponse == null) {
@@ -1028,6 +1036,104 @@ export class AlertsClient {
     }
   }
 
+  /**
+   * Performs a `find` query to extract aggregations on alert groups
+   */
+  public getGroupAggregations({
+    featureIds,
+    groupByField,
+    aggregations,
+    filters,
+    pageIndex = 0,
+    pageSize = DEFAULT_ALERTS_GROUP_BY_FIELD_SIZE,
+    sort = [{ unitsCount: { order: 'desc' } }],
+  }: {
+    /**
+     * The feature ids the alerts belong to, used for authorization
+     */
+    featureIds: string[];
+    /**
+     * The field to group by
+     * @example "kibana.alert.rule.name"
+     */
+    groupByField: string;
+    /**
+     * The aggregations to perform on the groupByField buckets
+     */
+    aggregations?: TypeOf<typeof alertsAggregationsSchema>;
+    /**
+     * The filters to apply to the query
+     */
+    filters?: estypes.QueryDslQueryContainer[];
+    /**
+     * Any sort options to apply to the groupByField aggregations
+     */
+    sort?: object[];
+    /**
+     * The page index to start from
+     */
+    pageIndex?: number;
+    /**
+     * The page size
+     */
+    pageSize?: number;
+  }) {
+    const uniqueValue = uuid();
+    return this.find({
+      aggs: {
+        groupByField: {
+          terms: {
+            field: 'groupByField',
+            size: MAX_ALERTS_GROUPING_QUERY_SIZE,
+          },
+          aggs: {
+            unitsCount: { value_count: { field: 'groupByField' } },
+            bucket_truncate: {
+              bucket_sort: {
+                sort,
+                from: pageIndex * pageSize,
+                size: pageSize,
+              },
+            },
+            ...(aggregations ?? {}),
+          },
+        },
+        unitsCount: { value_count: { field: 'groupByField' } },
+        groupsCount: { cardinality: { field: 'groupByField' } },
+      },
+      featureIds,
+      query: {
+        bool: {
+          filter: filters,
+        },
+      },
+      runtimeMappings: {
+        groupByField: {
+          type: 'keyword',
+          script: {
+            source:
+              // When size()==0, emits a uniqueValue as the value to represent this group  else join by uniqueValue.
+              "if (doc[params['selectedGroup']].size()==0) { emit(params['uniqueValue']) }" +
+              // Else, join the values with uniqueValue. We cannot simply emit the value like doc[params['selectedGroup']].value,
+              // the runtime field will only return the first value in an array.
+              // The docs advise that if the field has multiple values, "Scripts can call the emit method multiple times to emit multiple values."
+              // However, this gives us a group for each value instead of combining the values like we're aiming for.
+              // Instead of .value, we can retrieve all values with .join().
+              // Instead of joining with a "," we should join with a unique value to avoid splitting a value that happens to contain a ",".
+              // We will format into a proper array in parseGroupingQuery .
+              " else { emit(doc[params['selectedGroup']].join(params['uniqueValue']))}",
+            params: {
+              selectedGroup: groupByField,
+              uniqueValue,
+            },
+          },
+        },
+      },
+      size: 0,
+      _source: false,
+    });
+  }
+
   public async getAuthorizedAlertsIndices(featureIds: string[]): Promise<string[] | undefined> {
     try {
       const authorizedRuleTypes = await this.authorization.getAuthorizedRuleTypes(

x-pack/plugins/rule_registry/server/alert_data_client/constants.ts

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * The maximum number of alert groups to render
+ */
+export const DEFAULT_ALERTS_GROUP_BY_FIELD_SIZE = 10;
+
+/**
+ * Grouping pagination breaks if the field cardinality exceeds this number
+ *
+ * @external https://github.com/elastic/kibana/issues/151913
+ */
+export const MAX_ALERTS_GROUPING_QUERY_SIZE = 10000;

x-pack/plugins/rule_registry/server/alert_data_client/tests/find_alerts.test.ts

@@ -181,6 +181,7 @@ describe('find()', () => {
                 "should": Array [],
               },
             },
+            "runtime_mappings": undefined,
             "size": undefined,
             "sort": Array [
               Object {
@@ -314,6 +315,7 @@ describe('find()', () => {
                 "should": Array [],
               },
             },
+            "runtime_mappings": undefined,
             "size": undefined,
             "sort": Array [
               Object {