Hello everyone,
I have around 20 forwarders (Universal) in my env and configured to forward data to Splunk Indexer. I would like to create a report which can show which all log sources have not reported for a specific time (say for last 3 days).
Please help me in this.
Run the Deployment Monitor App. It will a) tell you, and b) let you configure alerting quite easily.
Otherwise you can do something like this:
| metadata type=sourcetypes | append [| metadata type=sources] | append [| metadata type=hosts]
| eval name=coalesce(source, sourcetype, host)
| eval type=case(isnotnull(source), "source", isnotnull(sourcetype), "sourcetype", isnotnull(host), "host")
| fields + recentTime name type
| where recentTime < now()-10*86400
| convert ctime(recentTime)
Just replace the 10*86400 with whatever timespan you like - in this case it's 10 days ago.
/K
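The same "silent host" check as the query above, written as an added Python example (not from the original thread or from Splunk) so it can run against exported `| metadata type=hosts` rows. It also covers the case the metadata command cannot show by itself: a forwarder that has never sent anything, or whose data has aged out of retention, simply does not appear in the metadata output, so the check compares against an expected inventory. Host names, timestamps and the fixed "now" are constructed sample values.

```python
import time

DAY = 86400
# Fixed "now" (constructed) so the example is deterministic when run offline.
NOW = 1_700_000_000

# Constructed sample of what "| metadata type=hosts" returns (epoch seconds); not real data.
METADATA_HOSTS = [
    {"host": "web01", "recentTime": NOW - 2 * DAY, "totalCount": 12000},
    {"host": "web02", "recentTime": NOW - 5 * DAY, "totalCount": 8000},
    {"host": "db01", "recentTime": NOW - 1 * DAY, "totalCount": 300},
]

# Hypothetical inventory of forwarders that should be reporting; "dc01" is
# deliberately absent from the metadata sample to show the never-seen case.
EXPECTED_HOSTS = ["web01", "web02", "db01", "dc01"]


def silent_hosts(metadata, expected, max_age_days, now=None):
    """Mirror of `| where recentTime < now()-N*86400`, plus an inventory diff.

    Returns a dict with:
      "silent":     [(host, days_since_last_event), ...] for inventoried hosts
                    whose most recent event is older than max_age_days
      "never_seen": hosts in the inventory with no metadata row at all
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    wanted = set(expected)
    last_seen = {row["host"]: row["recentTime"] for row in metadata}

    silent = sorted(
        (host, int((now - seen) // DAY))
        for host, seen in last_seen.items()
        if host in wanted and seen < cutoff
    )
    never_seen = sorted(host for host in wanted if host not in last_seen)
    return {"silent": silent, "never_seen": never_seen}


if __name__ == "__main__":
    report = silent_hosts(METADATA_HOSTS, EXPECTED_HOSTS, max_age_days=3, now=NOW)
    for host, days in report["silent"]:
        print(f"{host}: no events for {days} days")
    for host in report["never_seen"]:
        print(f"{host}: in inventory but absent from metadata (never reported or aged out)")
```

Replace `METADATA_HOSTS` with rows exported from the search and `EXPECTED_HOSTS` with your deployment-server client list to get a real gap report.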