Enhancement: More details for aggregated ECL searches

[sts]

When creating an ECL query in a alert search and making use of the aggregation filter, it will only display the aggregated field and the document count.

It would still be great to get some kind of reference to the original source documents and/or have the aggregation also append to chosen fields.

So given the following search:

es:applog event:login_error | agg:terms username | filter `_['count'] > 5` ;

Currently it returns:

┌─────────────────────────────────┬──────────┬────────┐
│ Time                            │ username │ count  │
│ Wed, 11 Oct 2017 09:13:30+00:00 │ mik      │     99 │
└─────────────────────────────────┴──────────┴────────┘

What would be great if it could return something like this:

┌─────────────────────────────────┬──────────┬───────────────────────┬───────┐
│ Time                            │ username │ ips                   │ count │
│ Wed, 11 Oct 2017 09:13:30+00:00 │ mik      │ 1.2.3.4, 4.3.2.1, ... │    99 │
└─────────────────────────────────┴──────────┴───────────────────────┴───────┘

What would also be great, to get clickable links to each ES document by clicking on eg. the ip address of an entry or a link to a search which returns the same results in Kibana.

[kiwiz]

Hey there! This is a good idea, but I think it'll require some infra changes. #154 and #153 are prereqs to getting this in.

[kiwiz]

@sts In the example you provided, where does IP address come from? Is it just a field in the documents being aggregated? You might be able to do this with agg:top_hits right now.