For various reasons, I want to get alerts when my servers aren't forwarding their event logs to Splunk. I can do this for one server at a time by scheduling a search like index=myindex host=myhost | head 1 for some time window and then alert if there are no results.
Of course, there are many hosts on the network for which this would need to be done. Is there any way I could do this with one scheduled alert using a lookup with a list of the hosts? I'd be ok with the output being a report of the hosts that haven't forwarded logs in the specified window.
I'm a bit of a Splunk novice, so I've searched and found similar questions posted before, but none of the proposed solutions I could find worked correctly.
Thanks in advance!
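One way to cover every host from a single scheduled alert, as an added example that is not from the original post or any answer on it. The lookup name expected_hosts.csv (a CSV with one column, host), the index name myindex, and the 24h/1h windows are assumptions to adjust for your environment:

```spl
| tstats latest(_time) as last_seen where index=myindex earliest=-24h by host
| eval host=lower(host)
| append
    [| inputlookup expected_hosts.csv
     | fields host
     | eval host=lower(host), expected=1]
| stats max(last_seen) as last_seen, max(expected) as expected by host
| where expected=1 AND (isnull(last_seen) OR last_seen < relative_time(now(), "-1h"))
| eval last_seen=if(isnull(last_seen), "no events in the last 24h", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| sort host
| table host last_seen
```

The tstats command reads the indexed host field for the last 24 hours, which is far cheaper than scanning raw events; the lookup is appended with an expected=1 marker so that hosts sending logs but missing from the list are ignored, and hosts in the list are reported either with the timestamp of their last event (if it is older than an hour) or as never seen in the window. Save it as an alert, schedule it hourly, and trigger when the number of results is greater than 0; the result table is the report of silent hosts. The one thing to check first is that the host values in the CSV are spelled the way the forwarders report them (short name versus FQDN), since lower() only normalizes case.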