I have a scenario that i have to trigger alert when splunk forwarder is not running i have query that working fine.in that query i have to add index in the table .now i cant able to view index name in the query
| metadata type=hosts index=XXX index=YYY index=ZZZ| eval age = now() - recentTime | eval status= case(age < 1800,"Running",age > 1800,"DOWN") | convert ctime(recentTime) AS LastActiveOn
| eval age=tostring(age,"duration") | eval host = upper(host)
| table host age LastActiveOn status
| rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status| where Status= "DOWN"