ElastAlert flatline alert: fires when an index receives fewer documents than the threshold value within the timeframe (a "no data" alert), not when it receives more.

Flatline

flatline: This rule matches when the total number of events is under a given threshold for a time period.

This rule requires two additional options:

threshold: The minimum number of events for an alert not to be triggered.

timeframe: The time period that must contain fewer than threshold events.

Because the rule counts events in a trailing window of length timeframe, it cannot judge a flatline until that much history exists: the first alert is not raised until one full timeframe has elapsed after ElastAlert starts running the rule. With threshold: 1 the rule effectively asks "did anything at all arrive in the last timeframe?", which is the usual no-data check for an index.

```yaml
NoData.yaml: |-
  ---
  name: NoData
  type: flatline
  # cron expression: evaluate the rule every 10 minutes
  limit_execution: "0/10 * * * *"
  index: demo-*
  # fewer than 1 document (i.e. none) in the timeframe triggers the alert
  threshold: 1
  # count documents server-side instead of fetching every hit
  use_count_query: true
  doc_type: doc
  timeframe:
    minutes: 10
  filter:
  - query:
      match_all: {}
  alert:
  - "email"
  email:
  - "saiva@alan.com"
  from_addr: "johnt@alan.com"
  alert_subject: "NoData - No data flowing to index at {0}"
  alert_subject_args:
  - "@timestamp"
  alert_text: "Check this"
  alert_text_type: alert_text_only
```
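To see what the NoData rule above actually does over time, the following is an added example (it is not ElastAlert's code and not part of the original post) that models the flatline logic as a trailing-window count: at each scheduled run it counts documents in the last timeframe and alerts when the count is below threshold, and it withholds alerts until a full timeframe has elapsed since the rule started. The event stream is constructed for the example (one document per minute from 09:00 to 09:14 UTC, then silence); the function names and the 2024-01-01 start time are assumptions of the example.

```python
"""Simplified model of an ElastAlert flatline rule (added example, not
ElastAlert's own implementation).  It replays a constructed event stream
through a trailing-window count and reports when the NoData rule would alert.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data (not taken from a real index): one document per
# minute from 09:00 to 09:14 UTC, after which the feed goes silent.
EVENTS = [datetime(2024, 1, 1, 9, m, tzinfo=UTC) for m in range(15)]


def count_in_window(events, end, timeframe):
    """Count events whose timestamp lies in (end - timeframe, end]."""
    start = end - timeframe
    return sum(1 for e in events if start < e <= end)


def flatline_alerts(events, threshold, timeframe, started_at, check_times):
    """Return [(check_time, count)] for every run at which the rule alerts.

    Semantics as described for the flatline rule type: alert when the number
    of events in the trailing `timeframe` is below `threshold`.  No alert can
    fire until a full `timeframe` has elapsed since the rule started,
    otherwise every rule would alert on its very first run.
    """
    alerts = []
    for t in sorted(check_times):
        if t - started_at < timeframe:
            continue  # not enough history yet to judge a flatline
        count = count_in_window(events, t, timeframe)
        if count < threshold:
            alerts.append((t, count))
    return alerts


def nodata_rule_runs(events, threshold=1, runs=4,
                     started_at=datetime(2024, 1, 1, 9, 0, tzinfo=UTC)):
    """Evaluate the NoData rule from the config above: `threshold` events per
    10-minute timeframe, executed every 10 minutes (limit_execution 0/10).

    Returns [("HH:MM", count)] for each run that alerts.
    """
    timeframe = timedelta(minutes=10)
    check_times = [started_at + timeframe * i for i in range(runs)]
    hits = flatline_alerts(events, threshold, timeframe, started_at, check_times)
    return [(when.strftime("%H:%M"), count) for when, count in hits]


if __name__ == "__main__":
    for when, count in nodata_rule_runs(EVENTS):
        print(f"NoData - No data flowing to index at {when} (count={count})")
```

Running this shows the detection latency a practitioner should expect: the feed stops after 09:14, the 09:20 run still sees four documents in its window and stays quiet, and the alert only arrives at the 09:30 run, roughly 16 minutes after the last document. With a 10-minute timeframe evaluated every 10 minutes, an outage is noticed somewhere between one and two timeframes after it begins; shrink either value if that is too slow for the index in question.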
