I am not sure I understand the question fully from your description, so maybe this answer is misleading.
First, whatever is returned as part of your input (be it a search or a HTTP request), can be used in the content when sending an email.
ctx.payload includes all your search results.
From what I read the best way forward would be to create a query that contains the proper data. In your case I assume you would like to know all the hosts within a timerange that have a
down event - this means, you need to write a query filtering by time range and down event and then aggregate on the hostname, so that you get a list of hosts as part of the aggregations.
You can then access
ctx.payload.aggregations fields and extract the hosts that were found to be down.
A good way to get started with these kind of things is to check out the examples repo
Also, in order to keep your development cycles as short as possible, you should definetely read this blog post about writing and debugging watches.
Hope this helps as a start. If not, please always provide the full watch and the output of the execute watch API, when asking questions.