Our expectation about the alert lifecycle is: "When a rule creates an alert for a particular group, Kibana creates a document in the .internal-observability-* index with status active. When it is recovered, Kibana updates the document with status recovered, and as long as there is an active alert for rule_id+group, Kibana will not create any new document but will update the existing document."
As the Observability > Alerts UI uses these indices in the back end, one rule+group should not have more than 1 active alert.
But in our case, we could see multiple active alerts from the same rule with the same group id, and we could also see that recovered ones are not getting updated in the same document; instead, a new document is created. This is misleading the analysis.
I have attached images showing the same rule id with the same group value having more than one active alert.
We were initially on 8.17.7 and saw one support article (Elastic Support Hub) related to this issue, and the article also says this is fixed in 8.19+ versions. We are not in 8.19.3 and we still see the issue.
Can anyone help here?
Thanks,
Hari
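
One way to check the "one active alert per rule+group" expectation described in the post, as an added example that is not part of the original post or Elastic's code. The field names are assumed from Kibana's alerts-as-data schema and the sample documents are constructed.

```python
from collections import defaultdict

# Field names assumed from Kibana's alerts-as-data schema; the post does not list them.
RULE = "kibana.alert.rule.uuid"
GROUP = "kibana.alert.instance.id"
STATUS = "kibana.alert.status"
ALERT_ID = "kibana.alert.uuid"


def duplicate_active_query():
    """Search body listing (rule, group) pairs with two or more active documents."""
    return {
        "size": 0,
        "query": {"term": {STATUS: "active"}},
        "aggs": {"dupes": {"multi_terms": {
            "terms": [{"field": RULE}, {"field": GROUP}],
            "min_doc_count": 2,
        }}},
    }


def find_duplicate_active(docs):
    """Return {(rule, group): [alert ids]} for pairs with more than one active document."""
    active = defaultdict(list)
    for doc in docs:
        if doc.get(STATUS) == "active":
            active[(doc[RULE], doc[GROUP])].append(doc[ALERT_ID])
    return {key: sorted(ids) for key, ids in active.items() if len(ids) > 1}


# Constructed sample documents (flattened _source of alert documents).
SAMPLE = [
    {RULE: "rule-1", GROUP: "host-a", STATUS: "active", ALERT_ID: "a1"},
    {RULE: "rule-1", GROUP: "host-a", STATUS: "active", ALERT_ID: "a2"},
    {RULE: "rule-1", GROUP: "host-a", STATUS: "recovered", ALERT_ID: "a0"},
    {RULE: "rule-1", GROUP: "host-b", STATUS: "active", ALERT_ID: "b1"},
    {RULE: "rule-2", GROUP: "host-a", STATUS: "active", ALERT_ID: "c1"},
]

if __name__ == "__main__":
    for (rule, group), ids in find_duplicate_active(SAMPLE).items():
        print(f"rule={rule} group={group} active documents: {ids}")
```

The body returned by `duplicate_active_query()` can be sent as a `_search` request against the `.internal-observability-*` indices named in the post; any bucket it returns is a rule+group pair that violates the expectation.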

