Make it more clear which index patterns the Log threshold alert / rule uses

[jakommo]

Describe the feature: A user asked me why there are no fields listed when trying to create a Log threshold alert.

Looking at the call that is made to collect the fields it becomes apparent that only some index patterns are checked.

GET /api/index_patterns/_fields_for_wildcard?pattern=logs-*%2Cfilebeat-*%2Ckibana_sample_data_logs*&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score&allow_no_index=true

Those are the index patterns configured for the Logs UI under Observability -> Logs -> Settings -> Log indices

If creating the Alert from within the Observability/Logs app, this might be more obvious, but one can also create this via Stack Management -> Rules and Connectors -> Create rule and then it's very confusing why only certain index patterns are used (or no fields can be selected if none of those patterns exists).

I think we should do two things:

• Add a note to the docs so that users know which patterns are used by default and where to configure them, i.e. on https://www.elastic.co/guide/en/observability/7.13/logs-threshold-alert.html
• Add something to the UI that indicates which index patterns are used

Describe a specific use case for the feature:

[elasticmachine]

Pinging @elastic/stack-monitoring (Team:Monitoring)

[Conky5]

I came across this and found it confusing as well.

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

[weltenwort]

I agree that we should display something to indicate that in the UI.

Regarding the docs, in the page you linked to it already says:

With log threshold rules, it’s not possible to set an explicit index pattern as part of the configuration. The index pattern is instead inferred from Log indices on the Settings page of the Logs app.

With each execution of the rule check, the Log indices setting is checked, but it is not stored when the rule is created.

Any ideas how to clarify that more?

[jakommo]

Any ideas how to clarify that more?

Ha, I actually didn't see this at all. I think it would help to move this further up on the doc page. Currently there are two code blocks with example queries above this and that makes it easy to miss it. How about adding a note in the Fields and comparators paragraph and then link to https://www.elastic.co/guide/en/observability/7.13/logs-threshold-alert.html#settings from that?

[jakommo]

Also, if we could have a hint in the UI, that would help even more I think.

[elasticmachine]

Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)