[eventLog] provide bulk query facility

[pmuellr]

Currently the event log only provides a query of events scoped to a single saved object (eg, alert or action).

An obvious next step is to allow a query over a number of saved objects - a bulk query.

This should eventually be available in the alert client as a bulk getStatus() call, and should probably be implemented in the same PR to make sure whatever gets added to event log is actually usable.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

The first bulk query request from a product seems to be this one - #64144 (note there is a different observability feature request for bulk getState() which doesn't involve the event log).

In this case, the query they want is pretty simple. Find all the alerts | alert instances (not sure which) which have been active within a specified time frame. I'd think this would be a simple query dsl aggregation over the event log, or maybe even an SQL call? It seems a shame to build a purpose-built API just for that function, better to add some kind of structured query, a client can build themselves.

Then will need to be exposed up to the alert level as well.

[pmuellr]

Note that beyond issue #64144 mentioned above, issue #70169 also requires a multi-alert API (probably simpler), but seems like if we do provide a bit of a structured query over the event log as suggested in the previous comment, we might be able to use that API to provide the solution required for #70169 as well.

[mikecote]

Moving from 7.12 - Candidates to 7.x - Candidates.