Alert when okay

In X-Pack monitoring 6.0, we have added optional email actions to our cluster alerts. For those, we track transitions to try to email them and transitions depend on the alert, but generally speaking you need something akin to is_new and is_resolved. If there are intermediate stages, then you will want something like is_modified. From there, you would just add an action condition that triggers only when is_new || is_modified || is_resolved. And voila, you get actions firing on a per-transition basis that can fire after delays too.

{
  "actions": {
    "trigger_alert": {
      "index": {
        "index": ".monitoring-alerts-6",
        "doc_type": "doc",
        "doc_id": "OjiYuMDJRSaONuhDec5NRg_elasticsearch_cluster_status"
      }
    },
    "send_email": {
      "condition": {
        "script": {
          "script": "return ctx.vars.is_new || ctx.vars.is_modified || ctx.vars.is_resolved",
          "lang": "painless"
        }
      },
      "email": {
        "...": "..."
      }
    }
  }
}

Hope that helps,
Chris

2 Likes
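
Added example, not part of the post above and not X-Pack's own watch code: a Python model of the per-transition tracking the post describes, replayed over a constructed sequence of cluster statuses. The severity ordering, the shape of the stored alert and the function names are assumptions made for illustration.

```python
# Assumed ordering of cluster status; anything above green counts as failing.
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

def evaluate(status, open_alert):
    """Evaluate one watch execution.

    status     -- current check result ("green", "yellow" or "red")
    open_alert -- stored unresolved alert ({"status": ...}) or None
    Returns (vars, next_open_alert).
    """
    failing = SEVERITY[status] > 0
    v = {
        "is_new": failing and open_alert is None,
        "is_modified": (failing and open_alert is not None
                        and open_alert["status"] != status),
        "is_resolved": not failing and open_alert is not None,
    }
    # Same expression as the send_email condition in the post.
    v["send_email"] = v["is_new"] or v["is_modified"] or v["is_resolved"]
    # The alert stays open while the check fails and is cleared on recovery,
    # so a steady state (failing or okay) produces no further transitions.
    next_alert = {"status": status} if failing else None
    return v, next_alert

def run(statuses):
    """Replay check results in order; return the emails that would fire."""
    open_alert, emails = None, []
    for tick, status in enumerate(statuses):
        v, open_alert = evaluate(status, open_alert)
        if v["send_email"]:
            kind = next(k for k in ("is_new", "is_modified", "is_resolved") if v[k])
            emails.append((tick, status, kind))
    return emails

# Constructed sample: one incident that escalates and then recovers.
SAMPLE = ["green", "yellow", "yellow", "red", "red", "green", "green"]

if __name__ == "__main__":
    for email in run(SAMPLE):
        print(email)
```

Seven executions produce three emails: one when the alert opens, one when it escalates, and one when the cluster is okay again.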