I have a use case to alert when a host fails to send logs. There is a watcher configured here, which is similar to what I'm trying to achieve:
I like the logic: aggregate hosts over the last 24 hours, then check for the last 5 minutes.
However, when trying to modify it for filebeat-*, I am getting an error.
Is using Watcher the best form of alerting, or is there a simpler/more elegant approach?
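
The logic described in the post (aggregate hosts over the last 24 hours, then check the last 5 minutes), as an added example that is not part of the original post or of the watcher it refers to. It builds an Elasticsearch search body for `filebeat-*` and evaluates the aggregation response. Assumptions: hosts are identified by the `host.name` keyword field, the function names are hypothetical, and the sample response is constructed.

```python
from datetime import datetime, timedelta, timezone

INDEX = "filebeat-*"      # index pattern from the post
HOST_FIELD = "host.name"  # assumption: ECS keyword field populated by Filebeat

def build_query(lookback="now-24h", max_hosts=1000):
    """Search body: every host seen in the lookback, with its newest event."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": lookback}}},
        "aggs": {"hosts": {
            "terms": {"field": HOST_FIELD, "size": max_hosts},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}}},
        }},
    }

def silent_hosts(response, now, window=timedelta(minutes=5)):
    """Return [(host, silence)] for hosts with no event inside the window."""
    agg = response["aggregations"]["hosts"]
    if agg.get("sum_other_doc_count", 0) > 0:
        # More hosts exist than the terms size returned, so some hosts
        # were never examined and could be silent without being reported.
        raise ValueError("terms aggregation truncated; raise max_hosts")
    cutoff = now - window
    silent = []
    for bucket in agg["buckets"]:
        # A max aggregation on a date field returns epoch milliseconds.
        last = datetime.fromtimestamp(bucket["last_seen"]["value"] / 1000, timezone.utc)
        if last < cutoff:
            silent.append((bucket["key"], now - last))
    # Longest silence first, so the oldest gap is at the top of the alert.
    return sorted(silent, key=lambda item: item[1], reverse=True)

# Constructed sample response (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def _ms(minutes_ago):
    return int((NOW - timedelta(minutes=minutes_ago)).timestamp() * 1000)

SAMPLE = {"aggregations": {"hosts": {"sum_other_doc_count": 0, "buckets": [
    {"key": "web-01", "doc_count": 900, "last_seen": {"value": _ms(1)}},
    {"key": "app-02", "doc_count": 410, "last_seen": {"value": _ms(7)}},
    {"key": "db-01", "doc_count": 120, "last_seen": {"value": _ms(90)}},
    {"key": "edge-03", "doc_count": 55, "last_seen": {"value": _ms(5)}},
]}}}

if __name__ == "__main__":
    for host, gap in silent_hosts(SAMPLE, NOW):
        print(f"{host} silent for {gap}")
```

A host that stopped logging more than 24 hours ago drops out of the aggregation entirely, so the lookback bounds how long a silent host keeps being reported.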