Our users would like to run queries, on a regular basis, which would show them that their data keeps flowing in without issues. One user came up with the following:
index=xxxxxx earliest=-1m | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")
Is it reasonable? I think that tstats is better, right?
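
The tstats form of the query above, as an added example that is not part of the original post: it reads only indexed fields, looks back over a longer window, and keeps the host/sourcetype/source combinations whose latest event is older than a threshold, so a source that has gone quiet still shows up in the results. The 24-hour window and the 300-second threshold are assumed values to adjust per data source; `index=xxxxxx` is the placeholder from the post.

```spl
| tstats latest(_time) as latestTime where index=xxxxxx earliest=-24h by host sourcetype source
| eval lagSeconds=now()-latestTime
| where lagSeconds>300
| eval latestTime=strftime(latestTime,"%x,%X")
| sort - lagSeconds
```

Saved as a scheduled search, an empty result means every combination seen in the window reported within the threshold.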