ML can easily do this with a job that would use the
low_count detector. If the data source is a single index, then a Single Metric job will do the trick.
If there are multiple “types” in the index, then the Multi-metric Job is the right choice, splitting on the
type field (or whatever you want to split on)
Also, in v5.5, ML makes it easy to create Watches from the Single-Metric and Multi-metric jobs. See this blog: https://www.elastic.co/blog/alerting-on-machine-learning-jobs-in-elasticsearch-v55