Threshold Alert

Click on Create New Watch and choose the Threshold Alert option. This brings up the Threshold Alert UI.

In the Threshold Alert UI, specify the name of the alert, then choose the index to query against, the time field, and the trigger frequency:

Then, specify the condition that will cause the alert to trigger. As the expressions/conditions are changed or modified, the visualization is updated automatically to show the threshold value and data as red and blue lines, respectively:

Finally, specify the action to be triggered when the condition is met by clicking on the Add new action button. Three types of actions are available: email, Slack, and logging. One or more actions can be configured:

Then, click on the Save button to create the watch.

Clicking on Save stores the watch in the .watches index. This can be validated using the following query:

curl -u elastic:elastic -XGET "http://localhost:9200/.watches/_search?"
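
The following Python example is added here and is not part of the original text. It checks the response of that query: for each saved watch it confirms a schedule trigger, a real condition, and at least one of the three action types. The sample response is constructed, and the field layout (trigger, condition, actions, and metadata.name under _source) is an assumption about how the watch is stored.

```python
import json

# Constructed sample of a `.watches/_search` response (trimmed).
# Assumed layout: each hit's _source holds trigger, input, condition, actions.
SAMPLE_RESPONSE = json.loads("""
{"hits": {"hits": [
  {"_id": "constructed-watch-1", "_source": {
    "trigger": {"schedule": {"interval": "1m"}},
    "input": {"search": {"request": {"indices": ["logstash-*"], "body": {"size": 0}}}},
    "condition": {"script": {"source": "return ctx.payload.hits.total > params.threshold",
                             "params": {"threshold": 100}}},
    "actions": {"logging_1": {"throttle_period": "5m", "logging": {"text": "threshold met"}}},
    "metadata": {"name": "constructed threshold alert"}}},
  {"_id": "constructed-watch-2", "_source": {
    "trigger": {"schedule": {"interval": "5m"}},
    "input": {"search": {"request": {"indices": ["logstash-*"], "body": {"size": 0}}}},
    "condition": {"always": {}},
    "actions": {}}}
]}}
""")

ACTION_TYPES = {"email", "slack", "logging"}  # the three types the UI offers


def summarize_watch(hit):
    """Return the watch's key settings plus a list of gaps that stop it alerting."""
    src = hit.get("_source", {})
    actions = src.get("actions", {})
    # An action body can also carry keys such as throttle_period; keep only the type.
    types = sorted({k for body in actions.values() for k in body if k in ACTION_TYPES})
    condition = next(iter(src.get("condition", {})), None)
    problems = []
    if not src.get("trigger", {}).get("schedule"):
        problems.append("no schedule trigger")
    if condition in (None, "always"):
        problems.append("no threshold condition")
    if not types:
        problems.append("no action configured")
    return {"id": hit.get("_id"), "name": src.get("metadata", {}).get("name"),
            "condition": condition, "actions": types, "problems": problems}


def audit(response):
    """Summarize every watch in a .watches search response."""
    return [summarize_watch(h) for h in response.get("hits", {}).get("hits", [])]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSE):
        print(row)
```

To run it against a live cluster, save the curl output to a file and pass the parsed JSON to audit() in place of the constructed sample.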
