Hello everyone. I want to track in real-time the time since the last event occurred. When I do this currently the time starts out positive and correct then proceeds to become a progressively larger negative number. I know this is because now() refers to the time at which the search was started. So how do I get NOW now?

My current search is:

host="APP90*-TSDAL" FeedSource="*" 
| stats max(_time) As LatestTime
| eval Gap=round((now()-LatestTime),1)
| fields Gap

Thanks for your help.

asked 18 Jul '12, 02:29 by matthewcanty

One Answer:

You should use time() instead of now()


answered 18 Jul '12, 03:31 by kallu

Perfect. Thank you so much.

(18 Jul '12, 03:35) matthewcanty

Asked: 18 Jul '12, 02:29

Seen: 924 times

Last updated: 18 Jul '12, 03:35

Copyright © 2005-2014 Splunk Inc. All rights reserved.