By failed I assume the logs are not being sent to Splunk.
You can create an alert for the same considering the last time you received logs from that particular source type/host.
There is a command - metadata which can be used for this purpose.
Metadata gives you the first/last/recent events that were seen for the host/source/ source type that you specify.
It would look something like this:
| metadata type=sourcetypes index="xyz"
firstTime lastTime recentTime sourcetype
1561540299 1563419672 1563419673 ActiveD
1561544581 1563419705 1563419705 win
You can just convert the time and subtract it with the present time.
This works. You can refer: https://docs.splunk.com/Documentation/Splunk/7.1.7/SearchReference/Metadata for better understanding.