We have many indexes, and are consistently adding more to our cluster. We need to know when an index doesn't receive any documents in X number of minutes. For instance, if logs-foo hasn't received any documents in 1 hour, we want an alert to fire. Or if logs-bar hasn't received a document in 1 hour, fire an alert. The issue is we can set a watcher for this for each individual index, but not a generic catch-all. This is not scalable if we have to create a watcher for each index. Is there no way to create a watcher rule that looks at all indexes, and if there has been 0 documents ingested in X minutes in any one index, fire an alert specifying which index has not received documents?
Hi @SomeRobot,
Are you using the Logs Threshold Rule to set up alerts? It, in its default configuration, covers the whole logs-* pattern while also allowing you to change it to your own defined data view.