Hello,
I would like to create a new rule to detect if one of my beats stop sending data to my Cluster (one rule for each beat).
For example I have installed packetbeat in 5 machines, and then the rule will verify each 1 minutes the number of agent.host (by aggregation) and if it's less than 5, then it will send me an alert.
Could you please tell me how can I create this kind of alerts
Thanks in advance 
Which version of Elastic are you running?
You should use the latest version and using the threshold based rule.
thanks for your answer @Felix_Roessel ,
But if I understand well, in the threshold based rule I can only use greater than and there is no way to say less than !!
Oh yes, you are right.
In that case I would recommend choosing an ML based rule. The job will check for the normal amount of events / beats / hosts and inform you whenever there is a change.
Its the easiest way to do so.
Thanks @Felix_Roessel ,
I did as your suggested and now it's working 
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
