Hello everyone. I want to track in real-time the time since the last event occurred. When I do this currently, the time starts out positive and correct, then proceeds to become a progressively larger negative number. I know this is because now() refers to the time at which the search was started. So how do I get NOW now?
My current search is:
host="APP90*-TSDAL" FeedSource="*" | stats max(_time) As LatestTime | eval Gap=round((now()-LatestTime),1) | fields Gap
Thanks for your help.