[APM] Improving KQL bar in APM rule types

[kpatticha]

internal SDH (https://github.com/elastic/sdh-apm/issues/1387)

Latency threshold rule and Failed transaction rate threshold rule use the following indices by default

• Metrics indices: metrics-apm*,apm-* (aggregated transaction documents)

Error count threshold rule

• Error indices: logs-apm*,apm-*

The problem

The KQL bar allows the user to select and filter on fields that don't exist in the documents which is misleading

For example, url.path field exists in transaction events but not in the aggregated metric documents.

Proposal

1. Fallback to query transaction events when the KQL bar uses fields that don't exist in the aggregated documents. This is a better solution but more complicated to implement.
2. KQL should only show and suggest fields that exist in the aggregated metric documents.

[elasticmachine]

Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services)

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

[jasonrhodes]

Possible solution: change the look up for APM rules to specify the indices used for that rule, and not include ALL indices specified by APM generally. This may not solve all the issues, but should make this better.