I'm trying to come up with a way of listing all my forwarders (on or off) in a list and displaying whether they are active or inactive.
There is no guarantee that they will be turned on after a certain amount of time. I would prefer a solution where I don't have to search through all time just to get all the host names in a list.
I know that if I were to run the search over all time, I would do something with:
index=* host=* | dedup host
and then look for the last log instance and see if it's discussing the shutdown procedure and status. But this is very costly.
Surely Splunk has something built in that remembers what forwarders have connected in the past or something?