I am researching task, below search is nice from other Splunk answer: index=_internal sourcetype=splunkd group=tcpin_connections NOT eventType=* | stats max(_time) as last_connected, sum(kb) as sum_kb by guid, hostname | addinfo | eval status = if(isnull(sum_kb) or (sum_kb <= 0) or (last_connected < (info_max_time - 900)), "missing", "active") | where status="missing" | convert ctime(info_max_time) ctime(info_min_time) ctime(info_search_time) ctime(last_connected) However, missing part for me still, how would i determine the state switches ? like passive to active vs active to passive, then to back to active. Currently, thinking of feeding a lookup table every 15 minutes and run my alert search against this new table. ... View more

Check that your ports are open and that splunk is listening for traffic on 9050. You can see an example described here for Splunk Storm (and Splunk Enterprise) http://docs.splunk.com/Documentation/Storm/Storm/User/Howtoforwarddatavianetcat ... View more