Hey,
this sounds possible to me. The important part here is to write a proper search query (independent from the watch). The search query needs to do the following:
- have a range filter in your query that filters from the first of the month until now
- have a term filter in your query (or a match query) that filters for the host you are interested in
- have a sum aggregation in your request that counts up your bytes (use the sum aggregation)
Now you got the correct data (a single aggregation response returning a number), which you can use in the watcher condition to check if it exceeds a threshold.
If it does, send an email - where you can include this exact data.
One last thing: if the IP is dynamic, you could just have an aggregation for the IP address, and then calculate the sum for each IP.
Hope this helps.
--Alex
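A worked example of the three-part query and the watch wrapped around it, added here and not part of Alex's reply or any Elastic project code. The index name, the field names (`@timestamp`, `host.name`, `bytes`, `source.ip`), the threshold, the schedule and the recipient address are assumptions; the sample aggregation responses are constructed to look like what Elasticsearch returns, so the condition logic can be exercised offline. It also covers the dynamic-IP variant by nesting the sum under a terms aggregation.

```python
"""Build the search body and evaluate the watcher condition described above.

Constructed example: index name, field names (@timestamp, host.name, bytes,
source.ip), threshold and schedule are assumptions, not values from the post.
"""
import json

# Assumed field names (hypothetical); adjust to your own mapping.
TIMESTAMP_FIELD = "@timestamp"
HOST_FIELD = "host.name"
BYTES_FIELD = "bytes"
IP_FIELD = "source.ip"


def monthly_bytes_query(host: str, by_ip: bool = False) -> dict:
    """Search body with a range filter (first of the month until now, via the
    date-math rounding 'now/M'), a term filter on the host, and a sum
    aggregation over bytes. With by_ip=True the sum is nested under a terms
    aggregation on the IP field, giving one total per address."""
    sum_agg = {"total_bytes": {"sum": {"field": BYTES_FIELD}}}
    aggs = (
        {"by_ip": {"terms": {"field": IP_FIELD, "size": 100}, "aggs": sum_agg}}
        if by_ip
        else sum_agg
    )
    return {
        "size": 0,  # only the aggregation result is needed, not the hits
        "query": {
            "bool": {
                "filter": [
                    {"range": {TIMESTAMP_FIELD: {"gte": "now/M", "lte": "now"}}},
                    {"term": {HOST_FIELD: host}},
                ]
            }
        },
        "aggs": aggs,
    }


def watch_body(host: str, index: str, threshold_bytes: int, recipient: str) -> dict:
    """Wrap the search in a Watcher definition: run daily, compare the single
    aggregation value against the threshold, and email that value if exceeded."""
    return {
        "trigger": {"schedule": {"daily": {"at": "06:00"}}},
        "input": {"search": {"request": {"indices": [index],
                                         "body": monthly_bytes_query(host)}}},
        "condition": {
            "compare": {"ctx.payload.aggregations.total_bytes.value": {"gt": threshold_bytes}}
        },
        "actions": {
            "notify": {
                "email": {
                    "to": recipient,
                    "subject": f"{host} exceeded {threshold_bytes} bytes this month",
                    # Mustache template: the exact number from the aggregation
                    "body": "Bytes so far: {{ctx.payload.aggregations.total_bytes.value}}",
                }
            }
        },
    }


def exceeds_threshold(payload: dict, threshold_bytes: int) -> bool:
    """Local equivalent of the watch's compare condition, for testing offline."""
    return payload["aggregations"]["total_bytes"]["value"] > threshold_bytes


def per_ip_totals(payload: dict) -> dict:
    """Flatten the terms/sum response into {ip: bytes} for the dynamic-IP variant."""
    return {
        bucket["key"]: bucket["total_bytes"]["value"]
        for bucket in payload["aggregations"]["by_ip"]["buckets"]
    }


# Constructed sample responses, shaped like Elasticsearch aggregation output.
SAMPLE_SINGLE = {"aggregations": {"total_bytes": {"value": 12_000_000_000.0}}}
SAMPLE_BY_IP = {
    "aggregations": {
        "by_ip": {
            "buckets": [
                {"key": "192.0.2.10", "total_bytes": {"value": 9_000_000_000.0}},
                {"key": "192.0.2.11", "total_bytes": {"value": 3_000_000_000.0}},
            ]
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(watch_body("web-01", "netflow-*", 10_000_000_000, "ops@example.com"), indent=2))
    print("exceeds:", exceeds_threshold(SAMPLE_SINGLE, 10_000_000_000))
    print("per ip:", per_ip_totals(SAMPLE_BY_IP))
```

Running the search body on its own first (with `size: 0`) is the quickest way to confirm the filters and the sum return the single number you expect before putting the watch in place; the `compare` condition then reads that number straight from `ctx.payload`.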