elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Metric/custom threshold] Additional context might not be included correctly depending on how the data is ingested #193779

Open maryam-saeidi opened 1 week ago

maryam-saeidi commented 1 week ago

Summary

The custom and metric threshold rules have an issue with adding additional context when the data is ingested as host.hostname: 'host1' instead of host: { hostname: 'host1' }. The log threshold rule does not have such an issue, and we need to verify this issue for other rules that have additional context.

Here is the log for these 2 cases: (code)

[Image: log for host.hostname: 'host1']
[Image: log for host: { hostname: 'host1' }]

How to reproduce?

Follow these steps (slack for more info)

  1. Create an index:

    DELETE /metrics-index1
    PUT /metrics-index1
    {
      "mappings": {
        "properties": {
          "host.hostname": {
            "type": "keyword"
          },
          "host.name": {
            "type": "keyword"
          }
        }
      }
    }
  2. Ingest some data with the following format:

    {
      "@timestamp": "${date1}",
      "host.hostname": "${content1}",
      "value": ${content2}
    }
  3. Create a rule that triggers an alert based on this data, grouped by host.hostname.

  4. Check the alert document; you should not be able to see host.name in the AAD document.

Acceptance criteria

Thanks @bsturg for reporting this!
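Added example (not Kibana code, and not the rule's actual implementation): the two document shapes from the reproduction above, a nested-only path lookup that returns undefined for the dotted form, and a lookup that resolves the field in both shapes. It assumes, as a hypothesis, that the context fields are read from a hit's `_source` by path.

```typescript
// Added example, not Kibana code. Assumption: context fields are read from
// the hit's _source by a dotted path such as "host.hostname".
type Source = Record<string, unknown>;

// Constructed sample hits mirroring the two ingest shapes in the issue.
const dottedHit: Source = {
  '@timestamp': '2024-09-24T10:00:00Z',
  'host.hostname': 'host1',
  value: 42,
};
const nestedHit: Source = {
  '@timestamp': '2024-09-24T10:00:00Z',
  host: { hostname: 'host1' },
  value: 42,
};

const hasOwn = (obj: Source, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// Nested-only lookup: descends one object level per path segment, so a
// document that stores the literal key "host.hostname" yields undefined.
function getNestedOnly(source: Source, path: string): unknown {
  let cur: unknown = source;
  for (const seg of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Source)[seg];
  }
  return cur;
}

// Shape-tolerant lookup: at each level, return the remaining dotted path if
// the document stored it as a literal key, otherwise descend one level.
function getField(source: Source, path: string): unknown {
  const segs = path.split('.');
  let cur: unknown = source;
  for (let i = 0; i < segs.length; i++) {
    if (cur === null || typeof cur !== 'object') return undefined;
    const obj = cur as Source;
    const rest = segs.slice(i).join('.');
    if (hasOwn(obj, rest)) return obj[rest];
    cur = obj[segs[i]];
  }
  return cur;
}
```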

elasticmachine commented 1 week ago

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)