Let me understand: do you want a search to have an alert when a forwarder is down or to debug this condition?
if you want an alert, you have to create a lookup (called e.g. perimeter.csv) containing all the hostnames to monitor in your perimeter, containing at least one column (host), and run a search like this:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
if instead you want to debug a forwarder that isn't sending logs, you have to go in SSH on that machine and then: check the connection with telnet and see local Splunk logs to debug the problem.