Add organization structure to watcher #20148
Comments
@elastic/kibana-app-arch @elastic/kibana-platform Do we have a common need for this type of organization system throughout Kibana? If so, would it make sense to somehow make a centralized service for grouping entities into folders?
If you don't need a deeply nested tree, then this sounds like a problem that would possibly be solved by Saved Object Tagging, e.g. you attach an arbitrary tag to a saved object, and can later filter against that tag in the UI.
Thanks @lukeelmers! I think that's a great solution. Watches aren't saved objects (they're just documents), but they do support arbitrary metadata which could be used to store tags.
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
FWIW, Kibana Alerting exposes tags on the top-level alert objects, and you can filter them in the search bar of the alerts list. Seems like it's worked out well, but we'll see ... It would be interesting to think about a view of the alert lists that had groupings based on the tags, I guess a depth=2 tree, one branch for every unique tag, an alert could be listed under multiple tags, the tag lists are collapsible.
Closing as not planned
This issue came from elastic/elasticsearch#31511
Currently there is no way to organize the watcher list into a folder or tree structure. As the list of watches grows it would be nice to have a way to organize the watches so that they're easier to find.
We currently use watches to alert on events from the following scenarios:
Using metricbeat for monitoring our servers, processes, and Windows services
Using heartbeat for monitoring server / service / URL up time
Using filebeat to gather logs and alert on the absence of the logs altogether as well as error level events and keyword events
Using winlogbeat to gather security and application logs and alert on server / database login events and other application error events
For our team this would allow us to break out the watches into a structure like the following:
Server Health
Application Health
Elasticsearch Cluster Health
User Specific watches