The time of the latest log record for a specific customer can be retrieved and used as the output from a subsearch with ...
..... [ search index=tlog custid=1234 | head 1 | eval latest=_time | fields latest | format ] | ....
But depending on the volume of customer activity, this could result in up to xxx thousand records being streamed and then immediately dropped (by the head 1). Limiting the subsearch to a relative time period, e.g. earliest=-1d, is not possible.
Is there any way to have the indexer stream only one or a fixed number of records, i.e. the equivalent of doing head 1 on the indexer?
Using | metadata, it is easy to get the latest time for specific sourcetypes etc., but this does not help in this case.
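An added example, not from the original post, of the same subsearch written so that the reduction happens on the indexers rather than on the search head: stats max(_time) is computed in a distributed map phase, so each indexer scans its matching events locally and returns only one partial maximum, whereas head 1 can only discard events after they have already been shipped to the search head. The index and field names (tlog, custid, latest) are taken from the question; the surrounding "..." is whatever the outer search does with the value.

```spl
... [ search index=tlog custid=1234
      | stats max(_time) AS latest
      | return latest ] | ...
```

return latest is shorthand for fields latest | format and emits latest="<epoch>" exactly as the original subsearch did, so the outer search needs no change.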