Hello everyone. I want to track in real-time the time since the last event occurred. When I do this currently the time starts out positive and correct then proceeds to become a progressively larger negative number. I know this is because now() refers to the time at which the search was started. So how do I get NOW now?
My current search is:
host="APP90*-TSDAL" FeedSource="*" | stats max(_time) As LatestTime | eval Gap=round((now()-LatestTime),1) | fields Gap
Thanks for your help.
Trigger real time alert once 3 Answers
How do I run a real-time subsearch? 3 Answers