In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:
| inputlookup dmc_forwarder_assets
| search status="missing"
| rename hostname as Instance
I actually looked inside the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?
Or does anyone have a better solution, using some other tool, to send alerts/reports once it has been more than 24 hours since a forwarder last contacted/phoned home to Splunk?
Thanks
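The following SPL search is an added example, not from the post above and not how the DMC itself populates dmc_forwarder_assets. It shows one way to flag forwarders that have been silent for more than 24 hours without depending on that lookup. It assumes two things: that each forwarder's own splunkd logs are being forwarded into index=_internal on the indexers (the default for a universal forwarder), and that you maintain a hypothetical lookup file named expected_forwarders.csv with a host column listing every forwarder that should be phoning home.

```spl
| inputlookup expected_forwarders.csv
| fields host
| join type=left host
    [| tstats latest(_time) as last_seen
        where index=_internal sourcetype=splunkd earliest=-30d
        by host]
| eval age_hours=round((now() - last_seen) / 3600, 1)
| where isnull(last_seen) OR age_hours > 24
| eval status=if(isnull(last_seen), "never seen in window", "missing")
| eval last_seen=if(isnull(last_seen), "n/a", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host status last_seen age_hours
| sort - age_hours
```

The left join against the expected-host lookup is the important part: a tstats search on its own only returns hosts that logged something in the search window, so a forwarder that has been down longer than the window (or that never reported) would silently disappear from the results rather than be flagged. Driving the search from the list of hosts you expect turns that silence into a row with status "never seen in window". Save it as a scheduled alert (hourly is usually enough for a 24-hour threshold) that triggers when the result count is greater than zero, and widen or narrow earliest=-30d to match how long you want a dead forwarder to keep appearing.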