Hello everyone. I want to track in real-time the time since the last event occurred. When I do this currently the time starts out positive and correct then proceeds to become a progressively larger negative number. I know this is because now() refers to the time at which the search was started. So how do I get NOW now?
My current search is:
host="APP90*-TSDAL" FeedSource="*" | stats max(_time) As LatestTime | eval Gap=round((now()-LatestTime),1) | fields Gap
Thanks for your help.
reading from a repsitory 1 Answer
# of RT Search Increase 1 Answer
tags and real time monitoring 0 Answers
real-time search/alerting 1 Answer