Sameera De Silva
1 min readFeb 5, 2021

ElastAlert: send an alert when no documents are received for an index

For that we can use the cardinality rule type. The example rule in the ElastAlert repository is a good starting point: https://github.com/Yelp/elastalert/blob/master/example_rules/example_cardinality.yaml

Based on that, I wrote a rule that sends an alert when there are no messages for 10 minutes. It sends one alert and then stays silent until new data is added to the index, so the same alert is not sent over and over again. If the newly added data still does not bring the number of unique values up to the min_cardinality value, it sends an alert again. Keep in mind that min_cardinality counts unique values of cardinality_field, not documents: a steady stream of identical messages also has low cardinality and will trigger this rule. If the requirement is strictly "no documents at all", ElastAlert's flatline rule type, which counts documents in a timeframe, is the more direct fit.

```yaml
SamCard.yaml: |-
  ---
  name: SamCard
  type: cardinality
  # Only evaluate this rule at minutes 0, 10, 20, ... of every hour
  limit_execution: "0/10 * * * *"
  index: demopeer-*
  # Alert when there are fewer than 15 unique values of the message field
  min_cardinality: 15
  # Count the number of unique values for this field
  cardinality_field: "message"
  # Cardinality is the number of unique values seen in the most recent timeframe (10 minutes)
  timeframe:
    minutes: 10
  alert:
    - "email"
  email:
    - "sadesilva@doe.com"
  from_addr: "hey@doe.com"
  alert_subject: "No data flowing to index at {0}"
  alert_subject_args:
    - "@timestamp"
  alert_text: "check with network team if need be"
  alert_text_type: alert_text_only
```
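To see exactly when a rule like SamCard fires and when it stays quiet, here is an added Python model of the min_cardinality behaviour described above. It is not ElastAlert's own code and simplifies it: it keeps a last-seen time per unique value, ages values out after the timeframe, and raises one alert per burst of data. The sample events are constructed, times are minutes from rule start, and the `run_every` parameter stands in for how often the rule is evaluated (SamCard's limit_execution evaluates it every 10 minutes; the model runs every minute by default so the timing is easy to follow).

```python
"""Simplified model of an ElastAlert-style min_cardinality rule.

Added example, not ElastAlert's own implementation. Times are minutes
measured from the moment the rule starts running.
"""


def simulate_min_cardinality(events, min_cardinality, timeframe, run_every, horizon):
    """Return the run times (minutes) at which the rule would alert.

    events: iterable of (timestamp_minute, value_of_cardinality_field).
    The rule is evaluated every `run_every` minutes up to `horizon`.
    """
    events = sorted(events)
    last_seen = {}      # unique value -> most recent timestamp it was seen
    first_event = None  # first event of the current burst of data (None = waiting for data)
    alerts = []
    idx = 0
    for now in range(0, horizon + 1, run_every):
        # 1. Ingest the documents that arrived since the previous run.
        while idx < len(events) and events[idx][0] <= now:
            ts, value = events[idx]
            if first_event is None:
                first_event = ts
            last_seen[value] = ts
            idx += 1
        # 2. Garbage-collect values that have not been seen within the timeframe.
        for value in [v for v, ts in last_seen.items() if now - ts > timeframe]:
            del last_seen[value]
        # 3. Alert only if data has been seen, the timeframe has elapsed since
        #    that burst started, and fewer than min_cardinality values remain.
        if (first_event is not None
                and now - first_event > timeframe
                and len(last_seen) < min_cardinality):
            alerts.append(now)
            first_event = None  # stay quiet until new documents arrive
    return alerts


# Constructed sample 1: 20 distinct messages per minute for 15 minutes, then
# silence, a short burst of 3 distinct messages at minute 45, then silence again.
HEALTHY_THEN_SILENT = (
    [(minute, f"msg-{i}") for minute in range(15) for i in range(20)]
    + [(45, "msg-a"), (45, "msg-b"), (45, "msg-c")]
)

# Constructed sample 2: documents flow every minute but are all identical,
# so the cardinality of the message field never exceeds 1.
REPETITIVE_BUT_FLOWING = [(minute, "heartbeat") for minute in range(30)]

# Constructed sample 3: 20 distinct messages every minute for the whole run.
HEALTHY_THROUGHOUT = [(minute, f"msg-{i}") for minute in range(31) for i in range(20)]


def samcard_alerts(events, horizon, run_every=1):
    """Run a sample through the SamCard parameters: min_cardinality 15,
    timeframe 10 minutes."""
    return simulate_min_cardinality(events, min_cardinality=15, timeframe=10,
                                    run_every=run_every, horizon=horizon)


if __name__ == "__main__":
    # One alert when the data stops, one more after the short burst ages out.
    print("silence, evaluated every minute:  ", samcard_alerts(HEALTHY_THEN_SILENT, 70))
    # Same data evaluated every 10 minutes, as limit_execution does for SamCard.
    print("silence, evaluated every 10 min:  ", samcard_alerts(HEALTHY_THEN_SILENT, 70, 10))
    # Data keeps flowing, yet the rule fires: low cardinality is not "no data".
    print("repetitive data:                  ", samcard_alerts(REPETITIVE_BUT_FLOWING, 30))
    print("healthy data:                     ", samcard_alerts(HEALTHY_THROUGHOUT, 30))
```

The second sample is the caveat in practice: identical documents every minute keep the index busy but the rule still alerts, because it measures unique values of the message field rather than document count.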
