I do this with sparkline. It's not based on time but on log count in the _internal index. No logs being sent by host in _internal generally means something is wrong. This isn't the 15m solution you were looking for but wanted to share in case you wanted to implement something similar. You could use bin to create 15m buckets of _time.

index=_internal sourcetype=splunkd destPort!="-"
| stats sparkline count by hostname, sourceHost, host, destPort, version
| rename destPort as "Destination Port", host as "Indexer", sourceHost as "Forwarder IP", version as "Splunk Forwarder Version", hostname as "Forwarder Host Name", sparkline as "Traffic Frequency"
| dedup "Forwarder Host Name"
| sort - count
| where count < 20

You can play around with the count as well. I try to look for forwarders that aren't just completely dead but aren't communicating as much as normal as well.
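The 15-minute bucketing mentioned in the post, written out as an added example that is not part of the original post: it flags forwarders that have gone silent or whose latest complete bucket is well below their own median. The 24-hour window, the 0.5 ratio and the output field names are assumptions to tune; `hostname` and `destPort` are the fields used in the post's search.

```spl
index=_internal sourcetype=splunkd destPort!="-" earliest=-24h
| bin _time span=15m
| stats count by _time, hostname
``` drop the in-progress bucket so a partial count is not mistaken for a quiet forwarder ```
| where _time <= now() - 900
``` per forwarder: newest bucket that has data, and its typical 15m volume (assumed baseline: median over the window) ```
| eventstats max(_time) as last_bucket, median(count) as typical_count by hostname
| where _time = last_bucket
``` time elapsed since the end of the last bucket that contained events ```
| eval minutes_silent = round((now() - last_bucket - 900) / 60)
| eval last_seen = strftime(last_bucket, "%Y-%m-%d %H:%M")
``` silent for at least one full bucket, or under half the usual volume (assumed threshold) ```
| where minutes_silent >= 15 OR count < typical_count * 0.5
| table hostname, last_seen, minutes_silent, count, typical_count
| sort - minutes_silent
```

A forwarder that sent nothing in the whole search window produces no rows at all, so it can only be caught by comparing against a separate inventory of expected hosts.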