In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:
| inputlookup dmc_forwarder_assets | search status="missing" | rename hostname as Instance
I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?
Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?
There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App, then the "Settings" > "Forwarder Monitoring Setup" page, and clicking on the "Rebuild Forwarder Assets" button.
What is the name of the pre-built alert you were referring to in your post? You said:
pre-built alert called ""
but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.
prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?
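For the 24-hour check asked about in the question, one approach that does not depend on the lookup table, given here as an added example that is not part of the original thread and is not the DMC's own search: it reads the indexers' `metrics.log` connection events directly. It assumes the indexers' `_internal` index is searchable from where the search runs and still holds at least 30 days of data, and that the `tcpin_connections` events carry the `hostname`, `guid`, `fwdType` and `version` fields; confirm those field names on your version before scheduling it.

```spl
index=_internal source=*metrics.log* group=tcpin_connections earliest=-30d latest=now
| stats max(_time) AS last_connected, latest(fwdType) AS forwarder_type, latest(version) AS version BY hostname, guid
| eval hours_since_contact = round((now() - last_connected) / 3600, 1)
| where hours_since_contact > 24
| convert ctime(last_connected)
| rename hostname AS Instance
| sort - hours_since_contact
| table Instance, guid, forwarder_type, version, last_connected, hours_since_contact
```

Saved as an alert that triggers when the number of results is greater than zero, this lists each forwarder whose most recent connection is more than 24 hours old. A forwarder that has been silent for longer than the `earliest` window drops out of the results entirely, so keep the window well above the threshold.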