I was wondering how to implement some kind of alert inside Splunk to identify those devices that have stopped sending remote syslog to the Splunk platform.
I would like to have a more proactive alert than the one I have at the moment. I am checking, for example, every 24 hours that no alert was sent by the device. But my question is: is there any solution, like a heartbeat or keep-alive solution, for checking whether I have problems with communication between the device originating the log and the Splunk infrastructure? I would appreciate any idea on how to implement a solution for this problem.
Thanks a lot!
Take a look at these Splunk Answers posts; they should be a good start for alerting based on your use case...
https://answers.splunk.com/answers/449029/how-to-alert-when-a-forwarder-is-not-sending-logs.html
https://answers.splunk.com/answers/48252/alert-if-any-forwarder-stops-sending.html
Try the Meta Woot app from Splunkbase...
https://splunkbase.splunk.com/app/2949/
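A concrete search for the "device went silent" alert the question asks for, added here as an example; it is not taken from the question, the linked answers or the Meta Woot app. It assumes syslog lands in an index named `syslog` and that a lookup `expected_syslog_hosts.csv` (both names are assumptions) lists each device in a `host` column with a per-device `max_silence_secs` threshold, so that a device which has never reported inside the lookback window is caught too, not only one that reported and then stopped.

```spl
| tstats latest(_time) as last_seen where index=syslog earliest=-7d by host
| append [ | inputlookup expected_syslog_hosts.csv | fields host max_silence_secs ]
| stats max(last_seen) as last_seen, max(max_silence_secs) as max_silence_secs by host
| where isnotnull(max_silence_secs)
| fillnull value=0 last_seen
| eval silent_secs = now() - last_seen
| where silent_secs > max_silence_secs
| eval silent_min = round(silent_secs / 60),
       last_seen = if(last_seen = 0, "never in lookback", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host last_seen silent_min max_silence_secs
| sort - silent_min
```

Save it as a scheduled alert (for example every 15 minutes, triggering when results are greater than 0); `tstats` reads only index metadata, so it stays cheap even over a seven-day lookback, and the hosts-only result set is what you page on.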