[RAC] Lifecycle rule type: fix the way we write RAC documents

[dgieselaar]

Currently, the lifecycle rule type appends alert events only. To confirm to the proposed indexing strategy , alert documents should be written (and updated) to alerts-observability-*.alerts, and metric documents should be written to alerts-observability-*.events. We should consider the following questions:

• Do we always update the alert document, or only when it activates/recovers? The former will have a bigger performance impact than the latter, but will allow us to record severity/duration etc on the alert document.
• Do we use index with a predetermined id to update documents, or do we fetch the alert document first when we want to update it? The former would be better for performance, but we have to fetch the alert document anyway when it recovers.

cc @tsg @jasonrhodes @spong @smith

[jasonrhodes]

I think we should always update the document, for the severity/duration reasons you describe and because the alert document should be an updated source of truth so that we only need the evaluation event documents if we really need them for deeper analysis. If it becomes a performance problem, we can address it then.

As for ID-based update, I'm not familiar with the difference there. I'd lean toward doing what's simpler now and adjusting if performance becomes a problem, but perhaps this one is harder to change later.

[weltenwort]

I'm just now trying to read up on all things RAC and was wondering if anyone could clarify the index names to me. The description here contains some that look very different from those convention-compliant ones mentioned in #98912. What am I missing here?

[pmuellr]

I would think you would want to update the alert doc whenever the alerting rule runs, to note the last date of when the rule ran, and it's current "status".

I'm not sure if the second question is "can we do an update, or do we need to overwrite the doc". We actually do a mix of both for alerts. "Updates" are problematic in that they are "partial" updates, so that it's impossible to "delete" a field value by "not passing it in" or passing in undefined as the value (same thing as "not passing it in", once it gets JSON.stringify()'d) - you would instead need to update it to a null. This has forced us to type (in TS) a lot of the fields in rules (and connectors!) to take null values, specifically to accommodate this.