Summarized counts

We have already made clear that the Count functions simply tally the number of documents per unit of time. But what if the data you are using already has a field whose value is a summarized count? For example, in the following data, the events_per_min field holds a summarized number of occurrences of something (online purchases, in this case) during the last minute:

{
    "metrictype": "kpi",
    "@timestamp": "2016-02-12T23:11:09.000Z",
    "events_per_min": 22,
    "@version": "1",
    "type": "it_ops_kpi",
    "metricname": "online_purchases",
    "metricvalue": "22",
    "kpi_indicator": "online_purchases"
}

To get the ML job to recognize that the events_per_min field is the thing to be tallied (rather than the documents themselves), we need to set the summary_count_field_name directive (which can only be set in the UI for Advanced jobs):

After specifying events_per_min as the summary_count_field_name, the appropriate detector configuration in this case simply employs the low_count function:

The results of running the job give exactly what we expect: detection of cases where customer online purchases were lower than they should have been, including times when orders dropped completely to zero, as well as a partial loss of orders one midday:
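The following is an added example (not code from the book or from Elastic) that shows why the directive matters: over constructed per-minute KPI documents like the one above, a plain tally gives the same number of documents in every bucket, while summing events_per_min reveals the drop to zero. It also builds the equivalent job body; the field names follow the anomaly detection job API (PUT _ml/anomaly_detectors/<job_id>), and it is an assumption here that this matches what the Advanced job UI generates.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one pre-summarized document per minute, in the shape
# of the it_ops_kpi data above. Minutes 5-9 carry a drop to zero purchases.
SAMPLE_DOCS = [
    {"@timestamp": f"2016-02-12T23:{m:02d}:00.000Z", "type": "it_ops_kpi",
     "kpi_indicator": "online_purchases",
     "events_per_min": 0 if 5 <= m <= 9 else 20 + m % 3}
    for m in range(0, 15)
]

def parse_ts(ts: str) -> int:
    """Epoch seconds for an @timestamp such as 2016-02-12T23:11:09.000Z."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
               .replace(tzinfo=timezone.utc).timestamp())

def bucket_counts(docs, bucket_span_s, summary_count_field=None):
    """Tally per bucket the way a count detector does: one per document when
    no summary field is set, otherwise the sum of that field's values."""
    counts = {}
    for doc in docs:
        bucket = parse_ts(doc["@timestamp"]) // bucket_span_s * bucket_span_s
        increment = 1 if summary_count_field is None else doc[summary_count_field]
        counts[bucket] = counts.get(bucket, 0) + increment
    return dict(sorted(counts.items()))

def job_config(summary_count_field, bucket_span="5m"):
    """Job body with the summary_count_field_name directive and a low_count
    detector (assumed to match what the Advanced job UI produces)."""
    return {
        "description": "online purchases from pre-summarized KPI data",
        "analysis_config": {
            "bucket_span": bucket_span,
            "summary_count_field_name": summary_count_field,
            "detectors": [{"function": "low_count"}],
        },
        "data_description": {"time_field": "@timestamp"},
    }

if __name__ == "__main__":
    print("documents per 5m bucket:", list(bucket_counts(SAMPLE_DOCS, 300).values()))
    print("events per 5m bucket:   ",
          list(bucket_counts(SAMPLE_DOCS, 300, "events_per_min").values()))
    print(json.dumps(job_config("events_per_min"), indent=2))
```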
