I have a scenario that i have to trigger alert when splunk forwarder is not running i have query that working fine.in that query i have to add index in the table .now i cant able to view index name in the query
My query:
| metadata type=hosts index=XXX index=YYY index=ZZZ| eval age = now() - recentTime | eval status= case(age < 1800,"Running",age > 1800,"DOWN") | convert ctime(recentTime) AS LastActiveOn
| eval age=tostring(age,"duration") | eval host = upper(host)
| table host age LastActiveOn status
| rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status| where Status= "DOWN"
It can not be displayed directly. Please refer to the link below.
https://answers.splunk.com/answers/69704/how-can-i-list-all-indexes-and-sourcetypes.html