[ML] Enable alerts filtering with KQL bar

[rbrtj]

Resolves #136392
This PR adds alert filtering capability for the Anomaly Detection Alerting Rule using the KQL bar.
It provides proper auto-suggestions for the selected result and job type.

How to test:

1. Create a pre-configured Kibana sample e-commerce job without starting the datafeed.
2. Create an Anomaly Detection alerting rule based on the created job, e.g., with a 168h lookback interval and 168 latest buckets, select either the `record` or `influencer` result type.
3. Go to the AD jobs page and start the datafeed with `beginning of data` and `no end time`
4. Navigate back to the alerting rule, run the rule, and verify that it triggers an alert.
5. Create a new alerting rule with the desired filter. For example, if you alert was triggered for `customer_full_name.keyword: Eddie Lambert`, try filtering it out with: `NOT customer_full_name.keyword: "Eddie Lambert"`
6. Verify that the new rule does not trigger an alert for the specified `customer_full_name`
7. It's easier to use an email or slack connector to inspect the alerts.

[elasticmachine]

Pinging @elastic/ml-ui (:ml)

[Copilot]

Pull Request Overview

This PR adds KQL-based filtering capability to ML Anomaly Detection alerting rules, allowing users to filter which anomalies trigger alerts based on field values. The implementation provides autocomplete suggestions tailored to the selected job and result type, and automatically disables conflicting UI controls when users specify score or interim filters in the KQL expression.

Key Changes:

• Added KQL filter input component with autocomplete for anomaly result fields
• Implemented logic to detect when KQL filters conflict with UI controls (severity, interim results) and disable those controls accordingly
• Extended server-side query logic to apply custom KQL filters when fetching anomaly results

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
alerting_service.ts	Added KQL filter parsing and integration into Elasticsearch queries for anomaly detection alerts
severity_control.tsx	Added disabled state support with help text when KQL contains score filters
register_anomaly_detection_rule.tsx	Added KQL filter validation in rule registration
ml_anomaly_alert_trigger.tsx	Integrated KQL filter component and state management for field usage detection
interim_results_control.tsx	Added disabled state with tooltip when KQL contains is_interim filter
get_relevant_anomaly_fields.ts	Helper function to determine which anomaly fields are relevant for autocomplete based on job configuration and result type
anomaly_kql_filter.tsx	New component implementing KQL search bar with ML anomalies data view and filtered suggestions
detect_anomaly_alert_field_usage.ts	Utility to parse KQL and detect usage of score and interim fields
alerts.ts	Added customFilter parameter to alert params type definition
alerts.ts (constants)	Moved score field mapping to shared constant
v1.ts	Added customFilter to schema validation

[github-actions]

@rbrtj, it looks like you're updating the parameters for a rule type!

Please review the guidelines for making additive changes to rule type parameters and determine if your changes require an intermediate release.

[peteharverson]

I'm finding that alerts aren't triggering if I don't have a filter set (Kibana sample data logs, logs_response_code_rates job, record type). Have you seen alerts with no filter?

[peteharverson]

There might be some odd results here as the job against the sample logs data had results going into the future. Running up 'now' looks better, but worth checking the query when no filter and the time range being applied.

[rbrtj]

Good catch!
It should be fixed with 61f41ce
What happened is that the query was missing 'LTE' filter

 range: {
                timestamp: {
                  gte: `now-${lookBackTimeInterval}`,
                  lte: 'now', // previously missing
                },
              },

It was working fine previously (probably by coincidence). I assume that after adding filters, Elasticsearch computes it differently, and future anomalies are detected. Adding the LTE filter fixes this behavior and makes it more predictable.

[rbrtj]

I'm also able to see alerts when no filter and the time range being applied (with proper lookback interval).

[peteharverson]

Looking at the labels used for some other rules (cluster health, index threshold), this would be more consistent...

Use a KQL expression to limit which anomalies trigger alerts.

Also I wonder if the filter query bar should be below the severity slider seeing as it's an optional field?

[rbrtj]

Updated the label in c8dd2a5
Also moved the query bar below the severity slider + moved the Test button closer to the interval input in f6d67f6

[darnautov]

Left some comments. I also think this change deserves some API integration tests.

[darnautov]

I think we should validate query string on the schema level, because alerting rules can be created via the API.

• Check if it's a valid KQL string
• Should not contain a job_id. Perhaps it'd be better to have an allowlist of fields.

[rbrtj]

Added an allowlist along with schema validation in 803676d
As discussed, I added validation against disallow list: b1db8fb

[darnautov]

Not sure about the name, because this filter and other params are not mutually exclusive. queryStringmaybe?

[rbrtj]

Renamed to kqlQueryString in 803676d

[darnautov]

Would it be easier to validate the query string and disallow these fields?

[darnautov]

And only show fields from allowlist in KQL bar suggestions

[rbrtj]

Totally makes sense to me, removed in c9fadcf

[darnautov]

potentially setting state for unmounted component here

[rbrtj]

Good catch, updated in fcc5584

[darnautov]

there is const for this index pattern

[rbrtj]

Updated in fcc5584

[darnautov]

you also need to clean up ad-hoc data views on unmount

[rbrtj]

Updated in fcc5584

[darnautov]

do we need this effect? can this logic be a part of onChange callback?

[rbrtj]

This part is gone within c9fadcf

[darnautov]

why do we need this effect? it is quite difficult to follow. is it here to restore the prev filter value when the user is clicking on different result type tiles?

[rbrtj]

Yup, I wanted to achieve such behavior:

• The user types something into the query bar when the record type is record or influencer
• They switch to the bucket result type -> the KQL bar becomes empty and disabled
• They switch back to the record or influencer type -> the KQL bar is restored with the previous filter
  When switching between record and influencer it is preserved.

[peteharverson]

Overall looks good. Tested each of the result types with a variety of filters. Just left one question on jobs without influencers.

[peteharverson]

Tested latest changes and LGTM

[jgowdyelastic]

Sorry, left a load of nit picks about the preferred use of ?? over ||
But otherwise, LGTM

[jgowdyelastic]

nit

Suggested change

	const detectors = job.analysis_config?.detectors || [];
	const detectors = job.analysis_config?.detectors ?? [];

[rbrtj]

updated in 7ac1dee

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: c9f4eb9

Failed CI Steps

• Quick Checks
• FTR Configs #86

Test Failures

• [job] [logs] FTR Configs #86 / Search solution tests Search index details page Solution Nav - Search search index details page page loading error reload button shows details page again

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
ml	2813	2815	+2

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/ml-anomaly-utils	13	14	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
ml	5.6MB	5.6MB	+37.8KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
ml	86.4KB	86.7KB	+241.0B

Unknown metric groups

API count

id	before	after	diff
@kbn/ml-anomaly-utils	221	228	+7

ESLint disabled line counts

id	before	after	diff
ml	563	562	-1

Total ESLint disabled count

id	before	after	diff
ml	566	565	-1

History

• 💔 Build #364821 failed 6ca822c
• 💔 Build #361263 failed 7ac1dee
• 💔 Build #360564 failed 2eb304f
• 💔 Build #360407 failed d050da7
• 💛 Build #359080 was flaky 7d45666

cc @rbrtj