alerting-kibana-plugin
grouping in kibana does not work
When creating an alert in Kibana with "define using visual graph", the field "OVER ALL DOCUMENTS" should support aggregation, but it currently does not. It always shows "over all documents" regardless of what settings are configured in the other fields.
screenshot: https://i.imgur.com/4Iwf2zy.png
This is a very basic and highly used feature in other alerting tools (x-pack or elastalert), which allows use cases such as grouping on beat.name so that one alert can cover multiple hosts. Right now, separating alerts by host can only be implemented with "define using extraction query" (removes simplicity) or by implementing one alert for each host (creates a mess).
Using Elasticsearch 7.1.1 with Kibana 7.1.1 on Linux; kibana-alerting 1.1.0.0 and kibana-alerting-elasticsearch 1.1.0.0 built from GitHub and then installed into Elasticsearch as a plugin.
Also reported on the opendistro forums: https://discuss.opendistrocommunity.dev/t/grouping-aggregation-does-not-work-when-using-visual-graph/1104
OVER was limited to just ALL DOCUMENTS for initial release as we wanted to scope out the feature better and provide a better experience than current solutions. We can use this issue to track discussions/progress for it.
+1
+1 What is the progress?
+1, I read it can be achieved with a custom query, but an example would be great if someone has one.
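The "define using extraction query" route mentioned in the report, as an added example that is not part of this issue or of the plugin's own code. It builds a monitor definition for the Alerting REST API (assumed here to follow the 1.x format: a `search` input with a terms aggregation on `beat.name`, and a Painless trigger condition that walks the aggregation buckets), and includes a small Python re-implementation of the same condition so the logic can be checked offline against a constructed search response. The index pattern, field names, threshold and window are illustrative assumptions.

```python
import json

# Assumed 1.x Alerting API: POST _opendistro/_alerting/monitors with this body.
# {{period_end}} is the mustache variable the plugin substitutes at run time.


def trigger_script(threshold: int) -> str:
    """Painless trigger condition: fire if any host bucket exceeds the threshold.

    The condition is a single boolean, so the monitor fires once per run even
    when several hosts are over; the action message is where the hosts are listed.
    """
    return (
        "for (bucket in ctx.results[0].aggregations.by_host.buckets) {"
        f" if (bucket.doc_count > {threshold}) {{ return true; }} }}"
        " return false;"
    )


def build_monitor(index_pattern: str, group_field: str, threshold: int, minutes: int = 5) -> dict:
    """Return the monitor definition as a dict ready to be sent as JSON."""
    return {
        "type": "monitor",
        "name": f"errors per {group_field}",   # assumed name
        "enabled": True,
        "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
        "inputs": [{
            "search": {
                "indices": [index_pattern],
                "query": {
                    "size": 0,
                    "query": {"bool": {"filter": [
                        {"range": {"@timestamp": {
                            "gte": f"{{{{period_end}}}}||-{minutes}m",
                            "lte": "{{period_end}}",
                            "format": "epoch_millis",
                        }}},
                        {"term": {"log.level": "error"}},   # assumed filter field
                    ]}},
                    # The grouping the visual editor cannot express: one bucket per host.
                    "aggs": {"by_host": {"terms": {"field": group_field, "size": 500}}},
                },
            }
        }],
        "triggers": [{
            "name": f"any {group_field} over {threshold}",
            "severity": "1",
            "condition": {"script": {"source": trigger_script(threshold), "lang": "painless"}},
            "actions": [],   # add a destination here; none is assumed in this example
        }],
    }


def hosts_over_threshold(search_response: dict, threshold: int) -> list:
    """Python equivalent of the Painless condition: which buckets would fire."""
    buckets = search_response["aggregations"]["by_host"]["buckets"]
    return sorted(b["key"] for b in buckets if b["doc_count"] > threshold)


# Constructed search response in Elasticsearch 7.x shape (hits.total is an object),
# standing in for ctx.results[0] as the plugin would see it.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 187, "relation": "eq"}, "hits": []},
    "aggregations": {"by_host": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
            {"key": "web-01", "doc_count": 140},
            {"key": "web-02", "doc_count": 44},
            {"key": "db-01", "doc_count": 3},
        ],
    }},
}

if __name__ == "__main__":
    monitor = build_monitor("filebeat-*", "beat.name", 100)
    print(json.dumps(monitor, indent=2))
    print("would fire for:", hosts_over_threshold(SAMPLE_RESPONSE, 100))
```

To list the offending hosts in the notification, the action's message template can iterate the same buckets with a Mustache section such as `{{#ctx.results.0.aggregations.by_host.buckets}}{{key}}: {{doc_count}} {{/ctx.results.0.aggregations.by_host.buckets}}` (assumed; check against the template syntax of your plugin version). Note the caveat: this still yields one alert per monitor run, not one alert per host, which is the behaviour the issue is asking for.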