If you know the exact origin of the data (for example host, sourcetype, fields), then you can have a search that looks for that data over a recent timerange (stats count) and triggers if there are no results at all. But if you are actually searching dynamically over several origins (| stats count by host), then you need to compare to a list, or older data, to notice that one origin is missing. It could be a hardcoded count, a lookup you maintain, it could be a metadata search, it could be a subsearch with a different timerange... or it could be a search that is looking back on a longer timerange and does a (| timechart count by host) or (| bucket _time span=1h | stats count by _time host), and has some logic to check if the recent intervals are zero. But this may require longer/more expensive searches each time, so it's not good for a frequent alert.
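As an added example (not part of the answer above), the "longer timerange" approach modelled in Python over constructed events: bucket by hour and host, the way `bucket _time span=1h | stats count by _time host` does, then flag hosts that appear in the longer window but have zero events in the most recent buckets. Host names, timestamps and the two-bucket "recent" window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: (timestamp, host) pairs over a 12-hour window.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SPAN = timedelta(hours=1)

def sample_events():
    """12 hourly buckets; 'db-01' (constructed host) goes quiet after the 08:00 bucket."""
    evs = []
    for h in range(12):
        t = NOW - timedelta(hours=12 - h) + timedelta(minutes=17)
        evs.append((t, "web-01"))
        evs.append((t, "web-02"))
        if h < 9:
            evs.append((t, "db-01"))
    return evs

def bucket_counts(events, span=SPAN):
    """Python equivalent of `bucket _time span=1h | stats count by _time host`."""
    secs = span.total_seconds()
    counts = defaultdict(int)
    for ts, host in events:
        floored = (ts.timestamp() // secs) * secs
        bucket = datetime.fromtimestamp(floored, tz=timezone.utc)
        counts[(bucket, host)] += 1
    return counts

def silent_hosts(counts, now, recent_buckets=2, span=SPAN):
    """Hosts seen anywhere in the longer window that have no events in the
    last `recent_buckets` intervals. The longer window supplies the expected
    host list, so no hardcoded list or lookup is needed; the trade-off is a
    longer (more expensive) search per alert run, as the answer notes."""
    expected = {host for _, host in counts}
    recent_start = now - recent_buckets * span
    silent = []
    for host in sorted(expected):
        recent = sum(c for (b, h), c in counts.items()
                     if h == host and b >= recent_start)
        if recent == 0:
            silent.append(host)
    return silent

if __name__ == "__main__":
    print(silent_hosts(bucket_counts(sample_events()), NOW))  # ['db-01']
```

Widening `recent_buckets` changes what counts as "missing": with four buckets, db-01's 08:00 data still falls inside the recent window and it is not reported.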