Hi there,
Maybe this logic will be of assistance?
This logic is designed to create an alert for investigation where Splunk has detected no events within a given sourcetype within the past 2 hours. It does not address your concern about log files not being created, but would be a good indicator that this has not happened.
| tstats count dc(host) AS distinct_hosts latest(_time) AS latest_time WHERE index=* BY sourcetype
| where latest_time<=relative_time(now(), "-2h")
| sort -latest_time
| convert timeformat="%H:%M:%S %d/%m/%Y" ctime(latest_time)
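As an added illustration (not part of the original reply), here is the same stale-sourcetype check in Python over a constructed event list; it also goes one step beyond the SPL above by comparing against a hypothetical list of expected sourcetypes, which is the only way to surface a source that has produced no events at all (a tstats search grouped by sourcetype never returns a row with count=0).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: (_time, host, sourcetype). Not real data.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(minutes=5), "web01", "access_combined"),
    (NOW - timedelta(minutes=20), "web02", "access_combined"),
    (NOW - timedelta(hours=3), "fw01", "cisco:asa"),
    (NOW - timedelta(hours=5), "dc01", "WinEventLog:Security"),
    (NOW - timedelta(minutes=1), "dc01", "WinEventLog:Security"),
]

# Hypothetical list of sourcetypes the team expects to see logging.
EXPECTED_SOURCETYPES = {
    "access_combined", "cisco:asa", "WinEventLog:Security", "linux_secure",
}


def summarise(events):
    """Equivalent of the tstats line: count, distinct hosts and latest _time per sourcetype."""
    stats = {}
    for t, host, st in events:
        s = stats.setdefault(st, {"count": 0, "hosts": set(), "latest_time": None})
        s["count"] += 1
        s["hosts"].add(host)
        if s["latest_time"] is None or t > s["latest_time"]:
            s["latest_time"] = t
    return stats


def silent_sourcetypes(events, expected, now, window=timedelta(hours=2)):
    """Return {sourcetype: reason} for sources that need investigation.

    Stale sources mirror the SPL 'where latest_time<=relative_time(now(), "-2h")';
    sources absent from the data entirely are found only via the expected list.
    """
    stats = summarise(events)
    cutoff = now - window
    findings = {}
    for st, s in stats.items():
        if s["latest_time"] <= cutoff:
            last = s["latest_time"].strftime("%H:%M:%S %d/%m/%Y")
            findings[st] = f"stale: last event {last}, {len(s['hosts'])} host(s)"
    for st in expected - stats.keys():
        findings[st] = "no events at all in the search window"
    return findings


if __name__ == "__main__":
    for st, reason in silent_sourcetypes(SAMPLE_EVENTS, EXPECTED_SOURCETYPES, NOW).items():
        print(f"{st}: {reason}")
```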