Hello Splunkers, I'm looking for a logic suggestion for building an SPL query.

Scenario: alert/report when a data feed stops reporting to Splunk. Each data feed is based on a frequency (example: one app sends its feed once every 10 minutes, a few send once a day, and a few send once every 7 days), so the logic has to be built based on that frequency. I'm focusing on using tstats as it gives a faster response and limits resource utilization. However, using tstats, I don't get the latest event time for an index when its logs stopped reporting the previous week or 2 days ago, since I run it over the last 1 day. Metadata gives the lastTime even though the time period is the last 5 min, but it is slower than tstats.

My logic is:

| inputlookup frequency_data.csv
| fields index sourcetype frequency
| join type=left index sourcetype
    [| tstats latest(_time) as latest_event WHERE index=* by index sourcetype ]
| eval latest_event=coalesce(latest_event, 0)
| eval current_time=now()
| eval buffer=if(latest_event=0, current_time, current_time-latest_event)
| eval feed_status=case(latest_event=0, "Feed Stopped", buffer>frequency, "Feed delayed", buffer<frequency, "Feed Healthy")

Looks like the logic is not returning correct results. Kindly provide some assistance.
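One way to build this check that addresses both issues in the post (the tstats window being shorter than the slowest feed's interval, and join with a 1-day subsearch dropping pairs that have no recent events), as an added example that is not part of the original post. It assumes frequency_data.csv stores frequency in seconds and that 30 days is longer than the longest feed interval; the tstats window is set inside the WHERE clause so it does not depend on the time picker.

```spl
| tstats latest(_time) as latest_event WHERE index=* earliest=-30d by index sourcetype
| append
    [| inputlookup frequency_data.csv
     | fields index sourcetype frequency ]
| stats max(latest_event) as latest_event, max(frequency) as frequency by index sourcetype
| where isnotnull(frequency)
| eval age = now() - latest_event
| eval feed_status = case(isnull(latest_event), "Feed Stopped",
                          age > frequency,     "Feed delayed",
                          true(),              "Feed Healthy")
| eval latest_event = strftime(latest_event, "%Y-%m-%d %H:%M:%S")
| table index sourcetype frequency latest_event age feed_status
```

Because the lookup rows are appended and merged with stats rather than joined, an index/sourcetype pair listed in the lookup but with no event in the 30-day window still appears, with latest_event empty and feed_status "Feed Stopped"; pairs that are indexed but missing from the lookup are dropped by the where clause.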