I might have the wrong end of the stick (apologies)... We collect CloudTrail (and others) from a number (120+) of accounts into a single index and extract the account id at index time. You can then use tstats to quickly look when an account was last seen... something like this might do it:

#transforms.conf
[set_aws_account_id]
SOURCE_KEY = _raw
REGEX = \"accountId\": \"([0-9]{12})\"
FORMAT = aws_account_id::$1
# WRITE_META is required for index-time field extractions
WRITE_META = true

#props.conf
[aws:cloudtrail]
TRANSFORMS-get_aws_account_id=set_aws_account_id

Then search:

| tstats latest(_time) as latest where index=<your_aws_index> earliest=-24h by aws_account_id
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
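An index-time transform like the one in the post above is worth checking against sample events before deployment, because a field that was indexed wrongly stays that way until the data is re-indexed. The following is an added example, not part of the original post: it applies the post's REGEX and the search's 24-hour/5-minute logic to three constructed CloudTrail-shaped events; the function names and sample data are assumptions.

```python
import re

# Same pattern as the REGEX line in the post. Splunk keeps the first match
# found in _raw, which re.search reproduces.
ACCOUNT_RE = re.compile(r'\"accountId\": \"([0-9]{12})\"')

def extract_account_id(raw):
    """Return the value FORMAT = aws_account_id::$1 would index, or None."""
    m = ACCOUNT_RE.search(raw)
    return m.group(1) if m else None

def silent_accounts(events, now, window=24 * 3600, recent=5 * 60):
    """Mirror the search: latest(_time) by account over the window, then keep
    accounts whose latest event is not newer than now - recent (recent=0)."""
    latest = {}
    for ts, raw in events:
        acct = extract_account_id(raw)
        if acct is None or ts < now - window:
            continue  # no indexed field, or outside earliest=-24h
        latest[acct] = max(latest.get(acct, 0), ts)
    return {a: t for a, t in latest.items() if t <= now - recent}

# Constructed sample data (not real events or real account ids).
NOW = 1_700_000_000
SPACED = ('{"userIdentity": {"type": "IAMUser", "accountId": "111111111111"}, '
          '"recipientAccountId": "111111111111"}')
COMPACT = ('{"userIdentity":{"type":"IAMUser","accountId":"222222222222"},'
           '"recipientAccountId":"222222222222"}')
CROSS = ('{"userIdentity": {"type": "AssumedRole", "accountId": "333333333333"}, '
         '"recipientAccountId": "444444444444"}')
SAMPLE_EVENTS = [(NOW - 60, SPACED), (NOW - 3600, CROSS), (NOW - 120, COMPACT)]

if __name__ == "__main__":
    for name, raw in (("spaced", SPACED), ("compact", COMPACT), ("cross", CROSS)):
        print(name, "->", extract_account_id(raw))
    print("silent:", silent_accounts(SAMPLE_EVENTS, NOW))
```

The compact event yields no field, so that account never appears in the `by aws_account_id` results at all, and the same is true of any account with no events inside the 24-hour window. The cross-account event is attributed to the first `accountId` in the raw text (the caller's) rather than to `recipientAccountId`.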