https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/555997#M9197 <P>We use a lookup of all hosts reporting to splunk, and do a join with metadata for current hosts and most recent event. It allows us to see the hosts that havent reported in a day.&nbsp;</P><LI-CODE lang="markup">| inputlookup your_host_lookup | eval host = lower(host) | join host type=outer [| metadata type=hosts index=_internal | eval host = lower(host) | sort - lastTime | dedup host | eval minutesSinceLastEvent = ( ( now() - recentTime ) / 60 ) | eval daysSinceLastEvent = ( minutesSinceLastEvent / 1440 )] | where daysSinceLastEvent &gt;= 1 | eval lastEventDays=round(daysSinceLastEvent,2) | eval lastEventMins=round(minutesSinceLastEvent,0)</LI-CODE><P>&nbsp;</P> Wed, 16 Jun 2021 13:59:08 GMT pbarbuto 2021-06-16T13:59:08Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/555861#M9190 <P>Please share SPL to help in Finding Forwarders that are Broken / Not calling home any more. Is it possible to view this in GUI? Thank u</P> Tue, 15 Jun 2021 20:52:52 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/555861#M9190 SamHTexas 2021-06-15T20:52:52Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/555997#M9197 <P>We use a lookup of all hosts reporting to splunk, and do a join with metadata for current hosts and most recent event. It allows us to see the hosts that havent reported in a day.&nbsp;</P><LI-CODE lang="markup">| inputlookup your_host_lookup | eval host = lower(host) | join host type=outer [| metadata type=hosts index=_internal | eval host = lower(host) | sort - lastTime | dedup host | eval minutesSinceLastEvent = ( ( now() - recentTime ) / 60 ) | eval daysSinceLastEvent = ( minutesSinceLastEvent / 1440 )] | where daysSinceLastEvent &gt;= 1 | eval lastEventDays=round(daysSinceLastEvent,2) | eval lastEventMins=round(minutesSinceLastEvent,0)</LI-CODE><P>&nbsp;</P> Wed, 16 Jun 2021 13:59:08 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/555997#M9197 pbarbuto 2021-06-16T13:59:08Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556043#M9199 <P>Thank u for your response. So I need to have a complete list of all hosts in a .CSV file right? Where in Splunk do I place this file for the search to find it please? Thank u again</P> Wed, 16 Jun 2021 19:15:11 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556043#M9199 SamHTexas 2021-06-16T19:15:11Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556050#M9200 If/when you have MC on place, you could set up Forwarder monitoring there and even get automatic alerts. Of course this needs, that nobody will rebuild forwarders lookup before missing FWDs has fixed.<BR />Another option is use eg. meta woot app for this.<BR /><BR />On Splunk Usergroup Slack there is list of other options:<BR />There are a lot of options for finding hosts or sources that stop submitting events:<BR />Meta Woot! <A href="https://splunkbase.splunk.com/app/2949/" target="_blank">https://splunkbase.splunk.com/app/2949/</A><BR />TrackMe <A href="https://splunkbase.splunk.com/app/4621/" target="_blank">https://splunkbase.splunk.com/app/4621/</A><BR />Broken Hosts App for Splunk <A href="https://splunkbase.splunk.com/app/3247/" target="_blank">https://splunkbase.splunk.com/app/3247/</A><BR />Alerts for Splunk Admins ("ForwarderLevel" alerts) <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">https://splunkbase.splunk.com/app/3796/</A><BR />Monitoring Console <A href="https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring</A><BR />Deployment Server <A href="https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings" target="_blank">https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings</A><BR />Some helpful posts:<BR /><A href="https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe" target="_blank">https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe</A><BR /><A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A><BR />r. Ismo Wed, 16 Jun 2021 20:58:59 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556050#M9200 isoutamo 2021-06-16T20:58:59Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556064#M9202 <P>We use the Splunk kvstore. You can just have a search that runs daily to outputlookup your hosts list though. Something like this...</P><P>index=_internal | stats count by host | fields - count | outputlookup your_hosts.csv</P> Wed, 16 Jun 2021 23:34:29 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556064#M9202 pbarbuto 2021-06-16T23:34:29Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556076#M9203 <P>Thank u sir very much &amp; good to hear from you. I missed learning from you for a short while. Stay safe.</P> Thu, 17 Jun 2021 02:06:38 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556076#M9203 SamHTexas 2021-06-17T02:06:38Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556180#M9212 <P>Sir thank as always for your accurate responses. I have one question. Reg. Missing FWs , I have Apps Meta Woot &amp; Splunk Admins, I can get a list of missing FWs no problem. I have found that some of the missing are due to the server they reside on are decommissioned, find. But of the others I can not figure out if the FW is broken / needs updating to function. Please advise. Thank u as always.</P> Thu, 17 Jun 2021 14:05:58 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/556180#M9212 SamHTexas 2021-06-17T14:05:58Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/557678#M9250 <P>I’m afraid that there is not an easy solution for this. Probably best way is that you have boarding/integrating process where you are collecting the needed information from source systems. Or if you have any CMDB then you could utilize it to ask from owners of those systems what is the situation if you haven’t any other automated way to check those.</P> Tue, 29 Jun 2021 20:07:34 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/557678#M9250 isoutamo 2021-06-29T20:07:34Z https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/557681#M9251 <P>This is actually something I'm currently working on, and you're correct when you say it isnt easy. I had to create a custom alert action which when my missing forwarder alert is triggered, will execute a python script to first ping the host to see if its available, and then also checks the hosts operation status from our CMDB.&nbsp;</P> Tue, 29 Jun 2021 20:14:22 GMT https://community.splunk.com/t5/Reporting/Please-share-SPL-to-help-in-Finding-Forwarders-that-are-Broken/m-p/557681#M9251 pbarbuto 2021-06-29T20:14:22Z