I use this search to check my forwarders every day.
index="summary_forwarders" NOT sourceHost="127.0.0.1" | stats count by sourceHost sourceIp connectionType version build lastConnected | eval lastConnected=strftime(lastConnected,"%m/%d/%Y %H:%M:%S") | fields sourceHost sourceIp connectionType version build lastConnected | dedup 1 sourceHost sortby -lastConnected | eval sourceHost=lower(sourceHost) | sort sourceHost
I always make a note of the count. If in a subsequent day I see a lower count, I know something has gone missing.
