[Discover][Alerting] Use Discover locator for alert results link

[dimaanj]

Summary

Closes #145815, #134232

• Moves Discover locator to common area
• Builds alerts results link from the server
• Now there are two implementations of setStateToKbnUrl which is used in locator. New one in common are lost HashedItemStore support, since sessions storage are actual only for browser
• Toasts Alert rule has changed, Data View has changed removed
• link generated per each alert will be unique representation of those rule params and data view state which were at the time of invocation
• Restuls link will live even after data view and rule removal

How to create rule

• Create an output index and data view test

Query to use

PUT test
{
    "settings" : {
        "number_of_shards" : 1
    },
    "mappings" : {
        "properties" : {
            "rule_id" : { "type" : "text" },
            "rule_name" : { "type" : "text" },
            "alert_id" : { "type" : "text" },
            "context_message": { "type" : "text" }
        }
    }
}

• Create alerts connector using test index
• Open Elasticsearch query alert in KQL or Lucene mode or just using Discover Alerts button
• Specify the following params: IS ABOVE: 1, FOR THE LAST: 30 min
• Try execute it by clicking Test query. It should match some results
• When choosing connector, use the following config

{
    "rule_id": "{{rule.id}}",
    "rule_name": "{{rule.name}}",
    "alert_id": "{{alert.id}}",
    "context_message": "{{context.message}}"
}

• Create the alert

How to test

• Create Elasticsearch query rule in KQL or Lucene mode like described above
• Wait for some seconds and find the triggered alert document by browsing test data view in Discover. There should be a link to results in context_message field. Save the link somewhere
• Change rule params by adding/removing filters / changing query / changing data view
• Follow saved link, you should see previous filters, query and data view state
• Open rule in management and click View in app, you should see actual state of rule
• Try to remove used data view and then follow saved link, you should still see the results
• Try to remove rule and then follow saved link, you should still see the results.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This was checked for cross-browser compatibility

[dimaanj]

@elasticmachine merge upstream

[kibanamachine]

expected head sha didn’t match current head ref.

[kertal]

So here's the hopefully last thing I've found. When using dataStart to generate the link, this doesn't take
excludeHitsFromPreviousRun into consideration (L120)

updateSearchSource on L95 returns dataStart always the full time range. But given excludeHitsFromPreviousRun is set, there can be an additional filter to prevent to have documents counted twice. This leads to the following mismatch of count when clicking the link in the notification:

Correct me if I'm wrong but I think this was already broken before this PR?

[kertal]

ok, this ain't an issue of this PR, just tried out on a previous version, works the same ... we should open an issue for this

[dimaanj]

Created #148282

[kertal]

LGTM! Tested again on the cloud. The issue I've found, that the timerange of the notification doesn't take Exclude matches from previous runs into consideration, works the same on previous versions, so it can be fixed in a follow up

Great idea and work to use locators for the link 👍

[dimaanj]

@elasticmachine merge upstream

[dimaanj]

@elasticmachine merge upstream

[dimaanj]

@elasticmachine merge upstream

[dimaanj]

@elasticmachine merge upstream

[dimaanj]

@elasticmachine merge upstream

[dimaanj]

@elasticmachine merge upstream

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 5a9b14d

Failed CI Steps

• Security Solution Tests #4

Test Failures

• [job] [logs] Security Solution Tests #4 / Add exception using data views from rule details Creates an exception item from alert actions overflow menu

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
discover	448	446	-2
kibanaUtils	165	168	+3
total			+1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
alerting	418	420	+2
discover	82	88	+6
kibanaUtils	424	418	-6
total			+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
dashboard	365.3KB	365.4KB	+39.0B
dataViewManagement	116.1KB	116.2KB	+92.0B
discover	407.1KB	395.4KB	-11.7KB
kibanaUtils	60.8KB	60.8KB	+5.0B
transform	347.9KB	347.9KB	+2.0B
total			-11.6KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
discover	4	7	+3
kibanaUtils	8	9	+1
total			+4

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
dashboard	25.4KB	25.5KB	+149.0B
discover	28.0KB	28.1KB	+73.0B
kibanaUtils	68.7KB	69.7KB	+932.0B
transform	15.3KB	15.4KB	+138.0B
visualizations	56.6KB	56.6KB	+10.0B
total			+1.3KB

Unknown metric groups

API count

id	before	after	diff
alerting	427	429	+2
discover	100	107	+7
kibanaUtils	624	619	-5
total			+4

History

• 💔 Build #98011 failed 2065008
• 💚 Build #97839 succeeded eee2e1b
• 💔 Build #97738 failed f54bca5
• 💔 Build #97715 failed 6a620ff
• 💔 Build #97568 failed cae7153

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dimaanj

[ymao1]

Response Ops changes LGTM