Hi @chrisboy68 ! Sorry for replying late on this one, and thanks for the mention. I am not actively monitoring the Splunk community; we used to receive automatic messages with Splunk Answers, but that is not happening anymore, which I find a bit missing with the new site.

So, to answer your question, there are multiple ways to tackle this, very easily actually and built-in within the UI.

The first answer is using Elastic Sources: https://trackme.readthedocs.io/en/latest/userguide.html#elastic-sources

You basically can create a virtual data source (standard data sources represent the index + sourcetype) which matches your need, for instance mydata_source:context1, which is underneath a tstats against index + sourcetype + host. And repeat the process up to your needs. As long as you are dealing with tstats searches, you can easily add these into the common "bucket" as shared elastic sources (which means handled via a single scheduled search generating the SPL dynamically). For very large data sources, you could create dedicated trackers via the same UI.

The second answer can be as well in the data host monitoring; there are two modes available (see the config UI). In the standard mode we monitor all sourcetypes on a per host basis, and start alerting when none of them meet the monitoring rules (meaning none of these still come into Splunk). In the second mode (data host global alerting policy), TrackMe monitors sourcetypes individually per host, which means, to be simple, that the host would turn red if any of the sourcetypes monitored for that host is not meeting the monitoring conditions and rules.

So, you have at least two built-in ways to address your needs: Elastic Sources, which can be whatever you need, and data host monitoring with the proper level of configuration (including what you include / exclude).

Let me know if my explanation isn't clear enough 😉

Guilhm
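As an added illustration (not the SPL that TrackMe generates itself, and not part of the original answer), this is the kind of tstats search an elastic source such as mydata_source:context1 could wrap to watch an index + sourcetype + host combination and flag hosts whose last event is older than a threshold; the index, sourcetype, host pattern and the 3600-second threshold are assumed placeholders.

```spl
| tstats max(_time) as last_event_time count as event_count
    where index=myindex sourcetype=mysourcetype host=myhost*
    by index sourcetype host
| eval data_source="mydata_source:context1"
| eval lag_seconds=now() - last_event_time
| eval status=if(lag_seconds > 3600, "red", "green")
| eval last_event_time=strftime(last_event_time, "%Y-%m-%d %H:%M:%S")
| table data_source index sourcetype host last_event_time event_count lag_seconds status
```

Because tstats only returns hosts that have events inside the searched window, run it over a range much longer than the alerting threshold (for example earliest=-7d with a one hour threshold), otherwise a host that has gone completely silent simply disappears from the results instead of turning red.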