[Metrics UI] Metric threshold rule type: fix group by + 0 check

[jasonrhodes]

Related: #76511

Summary

When a Metric Threshold rule makes a comparison of "less than" / "less than or equal to" along with setting the "Alert per" setting, it creates a broken rule that will miss real alert scenarios. The reason for this is that when the number is actually 0 because there are no documents for a given group, we no longer have that group in the data, so we can't schedule actions for that alert.

AC: We either need to disable the ability to create this kind of alert and document why it's not allowed, or determine a way we can support this functionality in a reliable and performant way.

Notes

One option considered is to store the groups that the rule sees in the persisted rule state and use that state when considering which groups should have alerts triggered. If a previously seen group no longer appears in the data, we can trigger either a 0 doc alert or a "no data" alert, depending on how we choose to handle it. Complications with this approach include:

• When a group is intentionally removed, the user will need a way to silence further alerts based on that value.
• How does "no data" relate to a 0 document count query? Should these be the same in ways that the other aggregations aren't the same? (No data is usually not the same as an average of 0, for example.)

POC PR that assumes these are "no data" alerts:

• [Metrics UI] Fix No Data alerts on Metric Threshold with groupBy #111465

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)