The SOC Gauntlet • Room 2
Scenario: Silent Data Source
**Scenario:** Your SOC manager notices that no firewall events have appeared in the Network Traffic dashboard for the past 3 hours, but the firewall vendor confirms the device is operational.
You must diagnose the data pipeline: Is the forwarder down? Is the TA misconfigured? Has the sourcetype changed? Is the CIM mapping broken?
Use the Data Audit dashboard, check `index=_internal` for forwarder heartbeats, verify `props.conf` sourcetype assignment, and validate CIM field mappings.
Check forwarder heartbeat:

index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections | stats latest(_time) as last_seen by hostname

Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Write a search to check the last heartbeat timestamp of all forwarders reporting to this indexer.
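The heartbeat check above reduces to "latest metrics line per forwarder, then flag any forwarder older than a threshold". As an added example that is not part of this room, the following script applies that same logic offline to splunkd Metrics lines; the sample lines are constructed to approximate the `group=tcpin_connections` layout (the `hostname=` and `sourceHost=` keys are assumed to match what the indexer logs), and the 5-minute stale threshold is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample splunkd.log Metrics lines (not real data). fw-edge-01's
# last heartbeat is about three hours older than the others, mirroring the room.
SAMPLE_LOG = """\
05-20-2024 09:58:31.004 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=10.0.0.5, hostname=fw-edge-01, fwdType=uf, kb=12.50
05-20-2024 12:58:31.011 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40211:9997, connectionType=cooked, sourceHost=10.0.0.9, hostname=dc-01, fwdType=uf, kb=3.10
05-20-2024 12:59:01.225 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40211:9997, connectionType=cooked, sourceHost=10.0.0.9, hostname=dc-01, fwdType=uf, kb=2.75
05-20-2024 12:59:05.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

# Timestamp, log level, then the comma-separated key=value body after "Metrics - ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+Metrics - (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]+)")


def parse_heartbeats(text):
    """Equivalent of `stats latest(_time) as last_seen by hostname` over
    tcpin_connections lines: returns {hostname: most recent datetime}."""
    last_seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("body")))
        if kv.get("group") != "tcpin_connections" or "hostname" not in kv:
            continue  # other metric groups carry no forwarder identity
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        host = kv["hostname"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def stale_forwarders(text, now_iso, max_age_minutes=5):
    """Hostnames whose last heartbeat is older than max_age_minutes at now_iso."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_age_minutes)
    return sorted(h for h, t in parse_heartbeats(text).items() if now - t > limit)


if __name__ == "__main__":
    for host, ts in parse_heartbeats(SAMPLE_LOG).items():
        print(f"{host:12} last_seen={ts.isoformat()}")
    print("stale:", stale_forwarders(SAMPLE_LOG, "2024-05-20T13:00:00+00:00"))
```

A forwarder that is absent from the output entirely never reached the indexer at all, which points at the network path or the forwarder service rather than at props.conf or CIM mapping.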