I have below Splunk setup for the various kind of servers events,
Main indexer: Linux Redhat installed with Splunk indexer, search head, (for UNIX UF, Linux UF, syslog, etc)
Domain joined Windows server with Splunk UF installed (for WMI pull events, shared files, etc)
Since I would like to monitor the missing status of the UNIX & Linux UF, the "missing forwarders search" in Splunk Deployment Monitor app is working fine for those hosts received from UF. It does a really great job at all.
But, since most of the Windows WMI events is pulled from the Windows Server (with UF), and that's mean the "missing forwarder search" isn't represent for the WMI host missing status.
Could anyone help that any hints to check the missing Windows host in this WMI inputs?
P.S. I am thinking that use "diff" to compare the list of hosts for WMI events in 2 period of time, and I think there should have a faster & elegant way for this. Thanks in advance.