How about starting with the query first and then having a proper watch? I think searching for documents from the last n minutes, where the pct is greater than the threshold, and then aggregating on the hostname field (maybe sub-aggregating on the mount point to have more details) sounds like a good start.
From there on, once the query returns what you need, you can go and create a watch out of that.
Does that make sense to you?
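
The query described above, sketched as a Kibana Dev Tools request (an added example, not part of the original reply). The index pattern, the Metricbeat-style field names, the 5-minute window and the 0.9 threshold are assumptions; substitute the ones from your own data.

```console
# Added example. Assumed: metricbeat-* index pattern, Metricbeat-style field
# names, a 5-minute window and a threshold of 0.9 (pct stored as a 0-1 fraction).
GET metricbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "range": { "@timestamp": { "gte": "now-5m" } } },
        { "range": { "system.filesystem.used.pct": { "gt": 0.9 } } }
      ]
    }
  },
  "aggs": {
    "hosts": {
      "terms": { "field": "host.name", "size": 100 },
      "aggs": {
        "mount_points": {
          "terms": { "field": "system.filesystem.mount_point", "size": 20 },
          "aggs": {
            "max_used_pct": { "max": { "field": "system.filesystem.used.pct" } }
          }
        }
      }
    }
  }
}
```

Each bucket under `hosts` is a host with at least one filesystem over the threshold in the window, and its `mount_points` buckets name the affected mounts with their highest reading.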