I want to set up an alert to notify when the master license server (one search head) goes down. What should I query for finding this out from an indexer that is pointing to it?
The following search should work:
index="_internal" source="*splunkd.log" "failed to transfer rows"
Correction: It's
index="_internal" source="*splunkd.log" "failed to send rows"
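One way to turn the corrected search into a scheduled alert, as an added example that is not from either poster: a `savedsearches.conf` stanza that runs the search every 15 minutes and fires on any match. The stanza name, schedule, throttle period and e-mail recipient are assumptions to adapt.

```ini
# savedsearches.conf (added example; stanza name and values below are assumptions)
[License master unreachable]
# Search string taken from the corrected answer above
search = index="_internal" source="*splunkd.log" "failed to send rows"

# Look back over the same window the schedule covers, so no interval is skipped
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *

# Trigger when at least one matching event is found
counttype = number of events
relation = greater than
quantity = 0

# Show the alert in Triggered Alerts and send an e-mail
alert.track = 1
alert.severity = 4
action.email = 1
# Placeholder recipient, replace with a real address
action.email.to = ops-oncall@example.com
action.email.subject = Splunk license master unreachable

# Throttle repeats so an extended outage does not send a message every 15 minutes
alert.suppress = 1
alert.suppress.period = 1h
```

The search only returns events where the `_internal` index of the indexer pointing at the license master is searchable, so the alert should be saved on an instance that can search that indexer.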