I'm using this command to search for hosts that have stopped sending data within the last 24 hours. Using this, any host that has stopped sending logs to Splunk will be listed in a table with the last received time.
| metadata type=hosts | tags host | eval age = now() - lastTime | search (age > 86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime
However, I realized there will be a problem when I have a host that is sending data with 2 different sourcetypes. For example, hostA could be sending OS-level logs via UDP and an application log file by secure transfer (SSH). In this scenario, if hostA continues to send OS logs via UDP but fails to send the application log file by SSH, the search command above would not detect the failure.
Is there any other solution? I've tried to create a search where type=sources or sourcetypes, but it does not work.
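One way to track the gap per host and sourcetype pair instead of per host, as an added example that is not part of the original post. It assumes the indexed fields `host` and `sourcetype` across `index=*` and reuses the 86400-second threshold from the search above; `hostAge` and `hostStillSending` are illustrative field names.

```spl
| tstats latest(_time) as lastTime where index=* by host, sourcetype
| eval age = now() - lastTime
| eventstats min(age) as hostAge by host
| where age > 86400
| eval hostStillSending = if(hostAge <= 86400, "yes", "no")
| sort - age
| convert ctime(lastTime)
| fields host, sourcetype, age, lastTime, hostStillSending
```

Rows with `hostStillSending=yes` are the hostA case: one feed is silent while another from the same host is still arriving. `tstats` only sees events inside the search time range, so run it over a window longer than 24 hours, or a silent sourcetype will drop out of the results instead of being listed.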