I'm using a two step process to various ends. Step 1 is get the most recent timestamp for every host, sourcetype, and source - write that to a csv. Step 2 is evaluate that list to alert if a host or particular sourcetype or source hasn't been seen in X period of time.

Build Query

| metasearch | rex field=host "(?^[^0-9]\S[^.]+)|(^[0-9]\S+)" | eval host = lower(host) | dedup index host sourcetype source | rex field=source "(?.*?)(?:.[^./]+?)?$" | eval last_seen = _time | table index host sourcetype path last_seen | inputlookup append=t host_data_last_seen.csv | stats max(last_seen) AS last_seen by index host sourcetype path | eval right_now = now() | eval time_diff = right_now - last_seen | where time_diff < (86400 * 4) | table index host sourcetype path last_seen | outputlookup host_data_last_seen.csv

Couple notes:

I have some FQ host names and some that aren't. Am making them all short. I also have a lot of sources that have dates at the end for log rotation. The second rex command deals with that (gracefully for the most part). Adjust the where statement for the number of days you keep data from systems that stop sending logs. In this case I figure if data hasn't come in after 4 days then it is probably decommissioned. I used dedup as it was faster than using stats to the same ends (1,300 forwarders / 1.5TB)

Alert Query

| inputlookup host_data_last_seen.csv | stats max(last_seen) as last_seen by host | eval right_now = now() | eval time_diff = right_now - last_seen | eval hours = round(time_diff/3600) | where hours >= 8 | eval alert = "Hours since logs last seen - " .hours | table host alert hours | sort -hours | fields host alert