Nested grouping-over

[arisonl]

As an alerting user I want to be able to generate separate alert instances by defining a group-over a field within a group-over (nested group-overs). As a solutions-specific example, metrics would like to be able to determine an alert per disk, per host (see 'Separate alerts are sent for each combination of host and disk' section.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

This presumably for the built-in index threshold? I don't think there's anything alert-generic about this request, but not entirely sure. And if the question is about an existing alert besides the index threshold alert, we'll want an issue for that alert as well (eg, an observability-provided alert).

I think the implication is that we can have multiple top-N groups in the search spec that gets built, where we have a single one today. It seems like it should be a limited grouping (using the same sort of top-N limit), to keep the ES query less expensive (in the worst case).

This will likely be a usefulness blocker: #64268 - the instanceIds for an alert with N groups will be something like group1-group2-...-groupN, so we'll want human-readable versions of those for the UI.

We'll have to think about how to represent the group data in the context here - I guess it will need to be an array of groups, where we have a single group today.

[sorantis]

We're tracking this request here: #65119
A PR has already been merged.

[mikecote]

Closing as implemented within O11y.