Nice to hear this feature is going to be introduced.

We currently have Splunk version 4.1.5 deployed across 100+ windows servers and a few linux servers in production. One problem we have been having recently is that occasionally some data inputs stop showing up (stop being sent from the forwarder?). Restarting the forwarder fixes the problem, but data is lost from the time this happens. I have opened a case: https://www.splunk.com/page/issue_detail?case_id=5004000000DvUe6AAF

This might be something in configuration or something in the tool (we have noticed this on both Windows and Linux machines occasionally).

In any case, based on this experience here's what I would like (if you haven't considered this already): Some sort of heartbeat mechanism which has some predictive capabilities. i.e. say input X from forwarder Y stops for sometime, if we can get an alert or some other notification, we can use that to know (and eventually automate), the action to be taken - say restart the forwarder. If this can happen from within Splunk itself it would be great. I would prefer this over a dashboard type mechanism for a large number of machines (one more thing to monitor).

No such thing is of course required where there are no Splunk forwarders installed e.g. syslog, where we can check the syslog mechanism easily to know if something is being written to the UDP port. If forwarders dont work correctly, I would like to be able to known without running searches or after we lose events.