[Obs Alerting] Add snapshot telemetry for rule configurations

[jasonrhodes]

We currently have trouble answering questions about which configurations our customers use within their observability rules. We want to add a snapshot telemetry usage collector to report on the rules running in each cluster. For this collector, we want to report the following telemetry answers.

Overall rules and alerts

TBD: Check if any of these are already collected by alerting telemetry

• Number of active alerts in the cluster (total, per rule type)
• Number of "untracked" alerts in the cluster (total, per rule type)

Custom threshold rule configurations

Config	Value	Value existence only (NO value collected)	Schema
Query filter	❌	✅	params.searchConfiguration.query.query
Number of rule conditions, i.e. Condition 1, Condition 2, etc.	❌	✅	params.criteria.length
Number of rule aggregations per condition i.e. Agg A, Agg B, etc.	❌	✅	params.criteria[CON].metrics.length
Aggregation type	✅	❌	params.criteria[CON].metrics[METRIC].aggType
KQL Filter	❌	✅	params.criteria[CON].metrics[METRIC].aggType
Custom equation	✅	❌	params.criteria[CON].metrics[METRIC].filter
Comparator	✅	❌	params.criteria[CON].comparator
Threshold	✅	❌	params.criteria[CON].threshold
Group alerts by	✅	❌	params.groupBy
Check every	✅	❌	schedule.interval

Metric threshold rule configurations

TBA

Inventory rule configurations

TBA

Log threshold rule configurations

TBA

APM rule configurations

TBA

ES query rule configurations (?)

TBA

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

[fkanout]

@jasonrhodes, in case of rule, changing/adding config (I know it's less likely to happen), how can we ensure that we report this update to the snapshot telemetry? Is it better/feasible to report the entire params object (without defining its map) from the rule saved object and then parse it later? Or this is not an issue, as we can update the telemetry snapshot query anytime?