I want to trigger an email alert when the document.field.status = fail reaches the defined threshold level. This email alert should be sent only once. How can I do this?
take a look at time and ack based throttling, see https://www.elastic.co/guide/en/elastic-stack-overview/7.3/actions.html#actions-ack-throttle
note that each throttle is reset, once the condition becomes false again.