Alert if index has 0 documents in last X minutes (Rules and connectors or Detection Rules)

Hello Guys,

I've been working around with "Rules and Connectors" and "Detection Rules" in order to get a notification when one of my beats stops sending data. Each beat has different indexes, so I would like to "know" if for any reason any of them stops sending data.

I've created a Rule in "Rules and Connectors" that looks like this:


select an index

INDEX winlogbeat-*
WHEN count ()
OVER all documents

define the condition

FOR THE LAST 20 minutes

The problem with that is that it looks like the rule doesn't want to read "zero" documents.
If the rule was to trigger on something higher than or equal to 1, it does trigger an alert.
To trigger on those "zero documents", I don't have any kind of alert.

Is there any workaround about that?
Am I doing something wrong?
Is there an easier way to have alerts when indexes have 0 documents?

Thank you so much for your help.

Hello Gustavo!

I believe you've run into the issue reported here: index threshold rule does not work as expected with a threshold below a value · Issue #103922 · elastic/kibana · GitHub

We've fixed this in the master branch with this PR: [Alerting] Allow rule to execute if the value is 0 and that mets the condition by chrisronline · Pull Request #10

According to the labels in the PR, this fix will be available in Kibana 7.14.1 and 7.15.0, when released.

Thank you so much for your answer.

But, until it gets done, is there any way to do it without this feature? Like, using a plugin, or something else?
I'm not figuring out any other way to do it :frowning:

There's no workaround as far as I know, since the problem involves the LACK of data.

However, we fixed a similar bug in the ES Query alerting rule type, and if your rule is as simple as what's shown above, that might work out fine for you.

Documentation for that rule type here: Elasticsearch query | Kibana Guide [7.14] | Elastic
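
The check discussed in this thread can also be run outside Kibana against the Elasticsearch `_count` API. The sketch below is an added example, not code from the thread's participants or from Kibana; `count_fn` is a hypothetical transport function, and the `filebeat-*` and `metricbeat-*` entries and all responses are constructed sample data. It treats a count of 0 as a real value that must alert, and keeps it distinct from "no answer at all".

```python
from typing import Callable, Dict, Iterable


def build_count_body(window_minutes: int = 20, time_field: str = "@timestamp") -> dict:
    """Body for GET <index-pattern>/_count: documents newer than the window."""
    return {"query": {"range": {time_field: {"gte": f"now-{window_minutes}m"}}}}


def check_sources(patterns: Iterable[str],
                  count_fn: Callable[[str, dict], dict],
                  window_minutes: int = 20) -> Dict[str, str]:
    """Classify each index pattern as 'ok', 'silent' or 'unknown'.

    count_fn is a hypothetical transport: it sends the body to
    <pattern>/_count and returns the parsed JSON response.
    """
    body = build_count_body(window_minutes)
    status = {}
    for pattern in patterns:
        try:
            count = count_fn(pattern, body).get("count")
        except Exception:
            count = None  # cluster unreachable, timeout, bad credentials
        if not isinstance(count, int):
            status[pattern] = "unknown"  # no answer is not the same as zero
        elif count == 0:
            status[pattern] = "silent"   # zero is a valid value and must alert
        else:
            status[pattern] = "ok"
    return status


# Constructed sample responses standing in for a live cluster.
SAMPLE = {
    "winlogbeat-*": {"count": 0, "_shards": {"total": 3, "successful": 3, "failed": 0}},
    "filebeat-*": {"count": 1842, "_shards": {"total": 3, "successful": 3, "failed": 0}},
    "metricbeat-*": {"error": {"type": "security_exception"}, "status": 403},
}


def sample_count_fn(pattern: str, body: dict) -> dict:
    return SAMPLE[pattern]


if __name__ == "__main__":
    for pattern, state in check_sources(SAMPLE, sample_count_fn).items():
        print(f"{pattern}: {state}")
```

Reporting "unknown" separately keeps an unreachable or unauthorized cluster from being mistaken for a healthy or a silent beat.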
