DSL query for indices not receiving any documents for the past 5 mins

Hello,

We want to set up an alert using Open Distro for indices not receiving any docs for the past 5 mins. I used a must_not with exists on the field "@timestamp", since it always exists in all documents, but I get no results. Does anyone have any workaround? I intentionally stopped Logstash to stop sending events to the indices, but I'm getting 0 hits for the below query. Any help would be greatly appreciated!

{
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-5m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                }
            ],
            "must_not": [
                {
                    "exists": {
                        "field": "@timestamp",
                        "boost": 1
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {}
}
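A query can only match documents that exist, so a must_not/exists clause never finds the missing ones; the usual workaround is to count the documents that did arrive in the window and fire the trigger when that count is zero. The following is an added example, not code from the post or from Open Distro: it builds the corrected search and monitor body (the index pattern `logstash-*`, the `EXPECTED_INDICES` list and `SAMPLE_RESPONSE` are constructed assumptions) and compares the per-index buckets against the indices you expect to be writing.

```python
"""Alert on indices that stopped receiving documents (Open Distro alerting).

Added example, not code from the forum post or the Open Distro project. A
must_not/exists clause cannot match documents that were never indexed, so the
query counts recent documents per index and the trigger fires on a zero count.
The index pattern, EXPECTED_INDICES and SAMPLE_RESPONSE are constructed.
"""

# Constructed: indices that Logstash is expected to write to continuously.
EXPECTED_INDICES = ["logstash-app", "logstash-nginx", "logstash-syslog"]


def build_query(window="5m"):
    """Search body: count docs in the last window, bucketed by _index."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"range": {"@timestamp": {
            "gte": "{{period_end}}||-" + window,
            "lte": "{{period_end}}",
            "format": "epoch_millis",
        }}}]}},
        "aggregations": {"per_index": {"terms": {"field": "_index", "size": 100}}},
    }


def build_monitor(indices=("logstash-*",), window="5m"):
    """Monitor body; the Painless trigger fires when the window is empty."""
    return {
        "type": "monitor", "name": "no-docs-in-" + window, "enabled": True,
        "schedule": {"period": {"interval": 5, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": list(indices), "query": build_query(window)}}],
        "triggers": [{
            "name": "no-documents", "severity": "1",
            "condition": {"script": {"source": "ctx.results[0].hits.total.value == 0",
                                     "lang": "painless"}},
            "actions": [],
        }],
    }


def silent_indices(search_response, expected=EXPECTED_INDICES):
    """Expected indices with no bucket, i.e. zero docs in the window."""
    seen = {b["key"] for b in search_response["aggregations"]["per_index"]["buckets"]
            if b["doc_count"] > 0}
    return sorted(i for i in expected if i not in seen)


# Constructed response: only logstash-nginx wrote during the last window.
SAMPLE_RESPONSE = {"hits": {"total": {"value": 42, "relation": "eq"}}, "aggregations": {
    "per_index": {"buckets": [{"key": "logstash-nginx", "doc_count": 42}]}}}
```

The trigger condition covers the "all indices went quiet" case; `silent_indices` shows the per-index check you would put in a second trigger or in the action message when only some indices stop.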
