Creating a threshold alert

Now, let's see how a watcher can be created in Kibana to configure a threshold alert. So, we need to do the following three things to configure a watch:

  1. Schedule a watch on single or multiple fields.
  2. Set a condition to match.
  3. Configure the action to be performed.

In the first step, we have to select the Elasticsearch index and its fields on which we want to create the watch. Then, we need to set the condition to be checked in a periodic manner, and follow this up with the action that would be performed when the given condition is met.

In Kibana, we can create a watch in the following steps: 

  1. On the Watcher listing page, click on the Create threshold alert button, which will open the Create a new threshold alert page.
  2. On this page, add the name, select the indices, and set the time field. Here, we are setting the name as cpu_usage_more_than_75_percent; for the index, we are picking the Metricbeat index pattern; for the time field, we are picking @timestamp; and the duration is set to 10 seconds. Please refer to the following screenshot:

The preceding screenshot shows the Create a new threshold alert page. Under the Matching the following condition section, set the condition that needs checking using the interactive interface.

  3. Here, we need to add the condition on the system.process.cpu.total.pct field of the metricbeat* index pattern. To set this condition, select the max() function under WHEN and the system.process.cpu.total.pct field under OF, so that the maximum value of that field is checked.
  4. Then, select all documents for OVER and set 0.75 for IS ABOVE to check whether the maximum value of the field goes beyond 0.75. Finally, set 1 minute, or any other duration, for FOR THE LAST. See the following screenshot:

The preceding screenshot shows the condition section of the watch screen.

  5. Now, set the action to be performed by selecting the action from the Add new action dropdown. We can send an email, log a message, or send a message to Slack using this option. Here, we will send an email, but before setting it up, we need to add the SMTP credentials to the elasticsearch.yml file. I have configured a Gmail SMTP account to send emails and added the following configuration to my elasticsearch.yml file:
xpack.notification.email.account:
  gmail_account:
    profile: gmail
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.gmail.com
      port: 587
      user: a******@gmail.com
      password: w*****@****
  6. Click on the E-mail option from the Add new action dropdown. Add the email address under the To e-mail address text box.
  7. Now, edit the Subject section as per the requirements and add the message in the Body section.
  8. After adding these details, click on the Test fire an e-mail now button to test the email flow.
  9. Afterward, click on the Save button to save the watch; refer to the following screenshot:

The preceding screenshot shows the action block of the alerting page. In this way, we can create the condition and, using the email action, notify the provided email address once the condition is met.
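The same watch expressed as a Watcher API definition rather than through the Kibana form, as an added example that is not from the book or from Elastic: the body that build_cpu_watch() returns is what you would PUT to _watcher/watch/cpu_usage_more_than_75_percent, and condition_met() replays its condition against constructed search responses so the idle and empty-window cases can be checked before the watch is saved. The recipient address, the metricbeat-* pattern and the compare-based condition are assumptions; the JSON Kibana generates from the form may differ in detail.

```python
"""Hand-written Watcher equivalent of the Kibana threshold alert.
Added example; not code from the book or from Elastic.
Assumed placeholders: index pattern metricbeat-*, recipient ops@example.com."""
import json

def build_cpu_watch(threshold=0.75, window="1m", interval="10s",
                    index="metricbeat-*", time_field="@timestamp",
                    field="system.process.cpu.total.pct",
                    recipient="ops@example.com"):
    """Return a watch body for PUT _watcher/watch/<name>."""
    return {
        "trigger": {"schedule": {"interval": interval}},   # the 10 s duration
        "input": {"search": {"request": {
            "indices": [index],
            "body": {
                "size": 0,
                "query": {"range": {time_field: {"gte": f"now-{window}"}}},
                "aggs": {"metricAgg": {"max": {"field": field}}},  # max() OF field
            }}}},
        # IS ABOVE 0.75, evaluated on the aggregation result
        "condition": {"compare": {
            "ctx.payload.aggregations.metricAgg.value": {"gt": threshold}}},
        "actions": {"send_email": {"email": {
            "to": [recipient],
            "subject": f"CPU usage above {int(threshold * 100)}%",
            "body": {"text": f"Max {field} over the last {window} exceeded {threshold}"},
        }}},
    }

def condition_met(watch, payload):
    """Replay the watch's compare condition against a search response."""
    (path, spec), = watch["condition"]["compare"].items()
    value = payload
    for key in path.split(".")[2:]:          # drop the "ctx.payload" prefix
        value = value[key]
    (op, bound), = spec.items()
    if value is None:                        # empty window: max agg has no value
        return False
    return {"gt": value > bound, "gte": value >= bound,
            "lt": value < bound, "lte": value <= bound}[op]

# Constructed search responses standing in for ctx.payload
BUSY = {"hits": {"total": 42}, "aggregations": {"metricAgg": {"value": 0.91}}}
IDLE = {"hits": {"total": 42}, "aggregations": {"metricAgg": {"value": 0.12}}}
EMPTY = {"hits": {"total": 0}, "aggregations": {"metricAgg": {"value": None}}}

if __name__ == "__main__":
    watch = build_cpu_watch()
    print(json.dumps(watch, indent=2))
    for name, payload in [("busy", BUSY), ("idle", IDLE), ("empty", EMPTY)]:
        print(name, "fires" if condition_met(watch, payload) else "quiet")
```

Only the busy response fires; an empty window yields a null maximum, which the evaluator treats as not met rather than as an alert.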
