[Alerting] Add "Group By" support to ES Query alert type

[ymao1]

This PR introduced a basic ES query alert type that allows users to specify a query and a threshold condition for the number of matches against that query. We would like to enhance this alert type by adding the ability to group by a field within the index and then threshold against the hits within each group.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

For index threshold, we do do grouping via a top-N terms aggregation. Would we do the same here? IIRC, it's fairly a fairly straight-forward implementation, and seems pretty simple to understand for customers. Not sure if we'd need to do more than that though. Opening up the possibility of other bucket aggregations seems super-interesting, and kind of in line with this alert's "lower-level access" to ES bits.

We'd need to discuss what the instance id's would be - if it's a top-N terms agg, it's simple - just the term, for other aggs we'd need to check to see how useful the grouping keys would be.

[ymao1]

I think a top-N terms aggregation like the Index Threshold would make the most sense since the simple ES query implementation is comparing hit count to a threshold condition. We could extend that to comparing the count of each bucket to a threshold condition. We could review other aggregation types to see if they would fit within this paradigm. We should also think about what "hits" we'd be returning if an aggregation is selected. Would we want to return the top N hits within each bucket as well?

[ferryversteeg]

+1
We are interested in this feature too!