[Log threshold] Filtering out a group will still result in triggering an alert

[maryam-saeidi]

Summary

In the log threshold rule, when we exclude a group, it will still consider this group in the result and can lead to a firing alert for that group. Here is an example of how to reproduce this issue:

1. Create a rule that filters out a group and set the threshold to "less than or equal to 1"
2. Notice that you will have the group in preview but the related value is 0
3. By executing the rule, you will see an alert is going to be triggered for this group:

Here is the related rule executor query for this rule:

Example rule query

``` { "index": "logs-*-*,logs-*,filebeat-*,kibana_sample_data_logs*,metrics*,apm*,remote_cluster:logs*", "allow_no_indices": true, "ignore_unavailable": true, "body": { "query": { "bool": { "filter": [ { "range": { "@timestamp": { "gte": 1727436598164, "lte": 1727437498164, "format": "epoch_millis" } } } ] } }, "aggregations": { "groups": { "composite": { "size": 2000, "sources": [ { "group-0-host.name": { "terms": { "field": "host.name" } } } ] }, "aggregations": { "filtered_results": { "filter": { "bool": { "filter": [ { "range": { "@timestamp": { "gte": 1727436898164, "lte": 1727437198164, "format": "epoch_millis" } } } ], "must_not": [ { "term": { "host.name": { "value": "gke-edge-oblt-edge-oblt-pool-8fc2868f-q6rh" } } } ] } }, "aggregations": { "additionalContext": { "top_hits": { "size": 1, "fields": [ "host.*" ], "_source": false } } } } } } }, "runtime_mappings": {}, "size": 0 } } ```

Acceptance criteria

• Filtering a group should not trigger an alert fo that group in the above example

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)