Custom interval per alert type

[mikecote]

Would be nice to be able to specify:

• default interval per alert type
• minimum interval. This could be by alert type or in general. It's been mentioned that some may not want users to be able to make alerts run too frequently and bring their system down. Original issue Ability to set a minimum interval for alerts #51194

[elasticmachine]

Pinging @elastic/kibana-stack-services (Team:Stack Services)

[mikecote]

Use case from @darnautov to provide a default or recommended interval (#89880 (comment))

It's not that critical for us to set the interval programmatically, but it'll definitely help with a better default value. For instance, if the anomaly detection job configuration has a narrow bucket span, it's worth decreasing the check interval so the user is notified about the anomalous data on time.

[pmuellr]

This makes sense to me. I guess the alert type would define some "default" values for things like interval and throttle (null might be appropriate for some, on-status-change for others). I think those are the two generic alert parameters that would make sense to allow an alert type to provide defaults for.

This fits into my "default all the things" thoughts as well, where we should be allowing nullable values for config/params which could be filled in by alert/action types, out of the box. So we can also make use of these "defaults" for anyone using the HTTP APIs directly. But it has a lot more value just in the UI for now.

[mikecote]

This could work well with #51194 if it doesn't make sense to have alerts run so frequently.

[pmuellr]

Ya, adding some constraints here like "minimum interval" sound good as well. But will then require the params validation to get tweaked - which could actually get complicated if it has to go in the config-schema validation.

[pmuellr]

From issue #89898 (comment)

Another type of rule-type validation of general rule params comes from the anomaly detection rule type - for that one, ML jobs are already configured with an interval of some sort, which should influence the rule interval itself. Specifically, there's no sense making it smaller than the interval in the ML job.

In this case, we'd want to somehow allow the rule to override the interval, based on some other rule-specific application data. In the particular case of anomaly detection rules, each rule can deal with multiple ML jobs, so presumably we'd collect the minimum interval of those jobs, and use it to set the minimum interval in the rule itself.

Not sure if this would just be a UI thing, or something lower-level, in the rule processing itself. But in any case, it needs to be "live", based on existing ES resources, and not just "static".