Adds findings in bucket level monitor

[eirsep]

This change surfaces out the list of documents that become a part of bucket level monitor aggregation buckets as findings for the monitor.

Signed-off-by: Surya Sashank Nistala [email protected]

CheckList:
[x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #636 (6b63fb7) into main (3491fb2) will decrease coverage by 0.22%.
The diff coverage is 83.90%.

@@             Coverage Diff              @@
##               main     #636      +/-   ##
============================================
- Coverage     76.35%   76.13%   -0.23%     
  Complexity      116      116              
============================================
  Files           124      124              
  Lines          6445     6569     +124     
  Branches        942      972      +30     
============================================
+ Hits           4921     5001      +80     
- Misses         1044     1070      +26     
- Partials        480      498      +18     

Impacted Files	Coverage Δ
...rg/opensearch/alerting/BucketLevelMonitorRunner.kt	79.62% <83.33%> (+2.18%)	⬆️
...ain/kotlin/org/opensearch/alerting/AlertService.kt	79.06% <100.00%> (+0.09%)	⬆️
.../alerting/transport/TransportIndexMonitorAction.kt	64.65% <0.00%> (-5.56%)	⬇️
...destinationmigration/DestinationConversionUtils.kt	70.00% <0.00%> (-1.12%)	⬇️
...nationmigration/DestinationMigrationUtilService.kt	81.45% <0.00%> (-0.81%)	⬇️
...ing/model/destination/DestinationContextFactory.kt	75.00% <0.00%> (ø)
...rch/alerting/resthandler/RestIndexMonitorAction.kt	81.03% <0.00%> (+0.33%)	⬆️
.../kotlin/org/opensearch/alerting/util/IndexUtils.kt	72.91% <0.00%> (+2.08%)	⬆️
...alerting/transport/TransportSearchMonitorAction.kt	75.00% <0.00%> (+2.50%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[getsaurabh02]

Thanks @eirsep . Overall approach looks good to me. Few comments/clarifications to consider.

[getsaurabh02]

Why do we need to return from here?

[eirsep]

If there are more groupby fields then aggregation buckets would become tuples. We can develop iteratively and first begin by supporting only for a single field(buckets with single field aggregated on) to filter on.

[getsaurabh02]

Are we indexing each finding document, one at a time? Wondering if we should use bulk request instead?

[getsaurabh02]

Do we need to return the findings from here, as indexing is already done?

[eirsep]

we are returning finding ids. finding ids list is populated in the alert.

[getsaurabh02]

Lets validate other scenarios as well:

1. Where findings will not be created - such as compound aggregation.
2. Findings index unavailable, or exception in index.