Hello! 

Is it possible to implement something like this?
I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.

My search now looks like this:

| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host
| lookup devs_hosts_names.csv host OUTPUT dev_name
| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")
| eval status = if((now() - lastSeen<=60),"up","down")
| eval status = if(isnotnull(lastSeen),status,"unknow")
| search NOT
[| inputlookup devs_status.csv
| fields host dev_name status]
| convert ctime(*Seen)
| table host dev_name status lastSeen

| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)  devs_status.csv 

But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?

Thanks.