Hello @fer.mt
It seems the alert does not trigger because there are no records to group by. If the record exists and the condition is met, then it uses the group by. So say the use case is that a hostname is sending up/down messages and, if down, group by hostname; in this scenario it will create a trigger for the different hostnames. In your case, since the record is not received for, say, 4/5 hostnames, it will not be able to throw an alert for those 4 hostnames.
One way is using Watcher, similar use case:
You will have to add all the hostnames for which you expect a record in an array [ ], and if the count is 0 for any of the hosts, it will add that host to the list of missing hostnames.
Example using the Kibana sample data: kibana_sample_data_ecommerce
Output when it checks whether records received in the last 15 minutes have count < 1, grouped by Gender:
  "missing_gender": [
    "FEMALE"
  ],
  "seen_gender": [
    "MALE"
  ]
}
Thanks!!
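
A sketch of a watch that produces output of the shape shown in the post above. This is an added example, not the watch from the original post. It assumes the sample index's `customer_gender` and `order_date` fields; the expected-values list, the aggregation name `seen`, and the action name `log_missing` are illustrative.

```json
{
  "metadata": {
    "note": "Constructed example: expected_gender is the assumed list of values that must report in every window",
    "expected_gender": ["MALE", "FEMALE"]
  },
  "trigger": { "schedule": { "interval": "15m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["kibana_sample_data_ecommerce"],
        "body": {
          "size": 0,
          "query": { "range": { "order_date": { "gte": "now-15m" } } },
          "aggs": {
            "seen": { "terms": { "field": "customer_gender", "size": 100 } }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "def seen = ctx.payload.aggregations.seen.buckets.stream().map(b -> b.key).collect(Collectors.toList()); return !seen.containsAll(ctx.metadata.expected_gender);"
    }
  },
  "transform": {
    "script": {
      "source": "def seen = ctx.payload.aggregations.seen.buckets.stream().map(b -> b.key).collect(Collectors.toList()); def missing = ctx.metadata.expected_gender.stream().filter(g -> !seen.contains(g)).collect(Collectors.toList()); return ['missing_gender': missing, 'seen_gender': seen];"
    }
  },
  "actions": {
    "log_missing": {
      "logging": {
        "text": "No records in the last 15 minutes for: {{ctx.payload.missing_gender}}"
      }
    }
  }
}
```

Because the expected list lives in the watch rather than in the data, the condition still fires when the terms aggregation returns no buckets at all, which is the case a plain group-by alert cannot see.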