Splunk_deploy/deployment-apps/UFMA/default/savedsearches.conf

[UFMA - Complete Asset List]
alert.digest_mode = True
alert.suppress = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
search = `forwarder_assets` \
| inputlookup append=true ufma_asset_list \
| stats values(forwarder_type) as forwarder_type, max(version) as version, values(arch) as arch, values(os) as os, max(last_connected) as last_connected, values(new_sum_kb) as sum_kb, values(new_avg_tcp_kbps_sparkline) as avg_tcp_kbps_sparkline, values(new_avg_tcp_kbps) as avg_tcp_kbps, values(new_avg_tcp_eps) as avg_tcp_eps by guid, hostname \
| addinfo \
| eval status = if(isnull(sum_kb) or (sum_kb <= 0) or (last_connected < (info_max_time - 900)), "missing", "active") \
| eval sum_kb = round(sum_kb, 2) \
| eval avg_tcp_kbps = round(avg_tcp_kbps, 2) \
| eval avg_tcp_eps = round(avg_tcp_eps, 2) \
| fields hostname, guid, forwarder_type, version, arch, os, status, last_connected, sum_kb, avg_tcp_kbps_sparkline, avg_tcp_kbps, avg_tcp_eps\
| eval hostname=upper(hostname) \
| join type=outer hostname \
    [`deployment_server_assets(*)`] \
| fillnull value="N/A" \
| sort 0 -hostname\
| outputlookup ufma_asset_list

[UFMA - ALERT - Missing Forwarders]
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
dispatch.earliest_time = -5m
dispatch.latest_time = now
counttype = number of events
cron_schedule = */5 * * * *
enableSched = 1
quantity = 0
relation = greater than
search = | inputlookup ufma_asset_list | search status="missing" | eval last_connected = strftime(last_connected, "%m/%d/%Y %H:%M:%S %z") \
| fields hostname forwarder_type version last_connected deployment_server