[Alerting V2] [UI] Query Testing in Dedicated Rule Creation #251335

@dominiqueclarke

Description

Summary

Add query testing capabilities to the dedicated rule creation UI, allowing users to preview and validate their ES|QL queries before saving the rule. This ensures users can verify their queries return expected results and understand how alerts will be grouped.

🎯 Target Milestone: 9.4

Note: Query testing is essential for the dedicated rule creation flow because, unlike Discover, users cannot easily view query results inline. This capability is required for MVP.

Components

1. Query Preview Panel

  • "Test Query" button - Execute the current ES|QL query against live data
  • Results preview - Display query results in a table/grid format
  • Result count indicator - Show total number of matching documents
  • Time range selector - Choose the time window for the test query

2. Alert Grouping Preview

  • Grouping visualization - Show how results would be grouped into alerts based on selected group-by fields
  • Group count indicator - Display number of alert groups that would be created
  • Sample alert preview - Show example alert payload for each group

3. Query Validation Feedback

  • Syntax validation - Real-time ES|QL syntax checking
  • Performance indicators - Warn if query may be expensive/slow
  • Field validation - Verify referenced fields exist in selected index

Behavior

┌─────────────────────────────────────────────────────────┐
│ ES|QL Query Editor                                      │
│ ┌─────────────────────────────────────────────────────┐│
│ │ FROM logs-*                                        ││
│ │ | WHERE log.level == "error"                       ││
│ │ | STATS count = COUNT(*) BY host.name             ││
│ └─────────────────────────────────────────────────────┘│
│                                                         │
│ [Test Query]  Time range: [Last 15 minutes ▼]          │
└─────────────────────────────────────────────────────────┘
                    │
                    ▼
┌─────────────────────────────────────────────────────────┐
│ Query Results                              Found: 1,234 │
│ ┌─────────────────────────────────────────────────────┐│
│ │ host.name        │ count   │ @timestamp           ││
│ │──────────────────│─────────│──────────────────────││
│ │ server-01        │ 45      │ 2024-01-15T10:30:00  ││
│ │ server-02        │ 23      │ 2024-01-15T10:30:00  ││
│ │ server-03        │ 12      │ 2024-01-15T10:30:00  ││
│ └─────────────────────────────────────────────────────┘│
│                                                         │
│ Alert Groups Preview (3 groups)                        │
│ ┌─────────────────────────────────────────────────────┐│
│ │ Group: host.name=server-01  │  45 matching docs    ││
│ │ Group: host.name=server-02  │  23 matching docs    ││
│ │ Group: host.name=server-03  │  12 matching docs    ││
│ └─────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────┘
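The grouping step behind the "Alert Groups Preview" and the field validation from component 3 can be illustrated with a small added example. This is example code written for this page, not Kibana's own implementation: it takes a query result in the columns-plus-values shape the Elasticsearch ES|QL API returns, derives the alert groups for the configured group-by fields (merging rows that share the same group-by values, and counting one document per row when the query has no `count` column), builds a sample alert payload per group, and reports referenced fields that are missing from the index. The result rows mirror the mockup above and the index field list is a constructed assumption, not a real mapping.

```typescript
// Added example, not Kibana code: builds the "Alert Groups Preview" from an ES|QL
// result and checks that fields referenced by the query exist in the target index.
// The result shape (columns + values) mirrors the Elasticsearch ES|QL API response;
// the rows and the index field list below are constructed, not real data.

interface EsqlColumn { name: string; type: string }
interface EsqlResult { columns: EsqlColumn[]; values: unknown[][] }

interface AlertGroup {
  key: string;                      // e.g. "host.name=server-01"
  fields: Record<string, unknown>;  // the group-by field values for this group
  matchingDocs: number;             // sum of the count column over the group's rows
}

// Constructed sample: what "STATS count = COUNT(*) BY host.name" might return.
const SAMPLE_RESULT: EsqlResult = {
  columns: [
    { name: "host.name", type: "keyword" },
    { name: "count", type: "long" },
    { name: "@timestamp", type: "date" },
  ],
  values: [
    ["server-01", 45, "2024-01-15T10:30:00"],
    ["server-02", 23, "2024-01-15T10:30:00"],
    ["server-03", 12, "2024-01-15T10:30:00"],
  ],
};

// Constructed field list for the logs-* index (assumption, not a real mapping).
const INDEX_FIELDS = new Set(["@timestamp", "host.name", "log.level", "message"]);

// Group result rows by the configured group-by fields. Rows sharing the same
// group-by values are merged, so an un-aggregated query still previews correctly;
// without a count column each row counts as one matching document.
function previewAlertGroups(result: EsqlResult, groupBy: string[], countColumn = "count"): AlertGroup[] {
  const colIndex = new Map(result.columns.map((c, i) => [c.name, i] as const));
  for (const f of groupBy) {
    if (!colIndex.has(f)) throw new Error(`group-by field "${f}" is not a column of the query result`);
  }
  const countIdx = colIndex.get(countColumn);
  const groups = new Map<string, AlertGroup>();
  for (const row of result.values) {
    const fields: Record<string, unknown> = {};
    for (const f of groupBy) fields[f] = row[colIndex.get(f)!];
    const key = groupBy.map((f) => `${f}=${String(fields[f])}`).join(",");
    const docs = countIdx === undefined ? 1 : Number(row[countIdx]);
    const existing = groups.get(key);
    if (existing) existing.matchingDocs += docs;
    else groups.set(key, { key, fields, matchingDocs: docs });
  }
  return [...groups.values()];
}

// Sample alert payload for one group, as the preview panel would render it.
function sampleAlertPayload(group: AlertGroup, ruleName: string) {
  return {
    rule: ruleName,
    group: group.fields,
    matchingDocs: group.matchingDocs,
    reason: `${group.matchingDocs} matching docs for ${group.key}`,
  };
}

// Field validation: which fields referenced by the query are absent from the index?
function missingFields(referenced: string[], indexFields: Set<string>): string[] {
  return referenced.filter((f) => !indexFields.has(f));
}

// Usage: render the preview the way the mockup shows it.
const previewGroups = previewAlertGroups(SAMPLE_RESULT, ["host.name"]);
console.log(`Alert Groups Preview (${previewGroups.length} groups)`);
for (const g of previewGroups) console.log(`Group: ${g.key}  |  ${g.matchingDocs} matching docs`);
console.log(sampleAlertPayload(previewGroups[0], "errors by host"));
console.log(missingFields(["host.name", "log.level", "user.name"], INDEX_FIELDS));
```

Throwing when a group-by field is not a result column is deliberate: the UI should surface that mismatch before the rule is saved, since a rule whose group-by field never appears in the query output would produce a single undifferentiated alert.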

Acceptance Criteria

  • "Test Query" button executes current ES|QL query
  • Results displayed in readable table format
  • Time range selector for test queries
  • Alert grouping preview based on group-by configuration
  • Clear indication of how many alert groups would be created
  • Loading state while query executes
  • Error handling for failed queries
  • Results panel is collapsible/expandable

Design

Link to designs when available

Dependencies

  • ES|QL execution API
  • Query result formatting utilities
  • MVP Dedicated Rule Creation UI (kibana#251333)

Related Issues

  • Parent meta: elastic/rna-program#110 (Rule Authoring from Rule Management)
  • Prerequisite: #251333 (MVP Dedicated Rule Creation UI)
  • Sibling: #251317 (Query Testing in Discover Rule Creation)

Metadata

Labels

  • RnA M1 Audit (RnA v2 Milestone 1 audit scope)
  • Team:ResponseOps (Platform ResponseOps team, formerly the Cases and Alerting teams)
  • Team:actionable-obs (formerly "obs-ux-management", responsible for SLO, o11y alerting, significant events, & synthetics)
