(I'm nearly certain this has been answered before.) In order to know how long ago the last events occurred, I cope with these stats:
| stats max(_time) as latest
| eval hours_ago=(now() - latest)/3600
This won't work if the search period ends before now(), as is the case in alerts. If I research a fired alert, hours_ago will be way off. Is there a function/method to use the time range values specified/implied for the search (not earliest() and latest() of events)? While we are at it, is there a way to use the span specified/implied in the last stats (or within a stats)?
You can add the time range to your search using addinfo:
... | addinfo | eval hours_ago = (now() - info_max_time) / 3600
Thanks, @martin_mueller. For my purposes, it translates into
... | addinfo
| stats max(_time) as latest by info_max_time
| eval hours_ago = (info_max_time - latest)/3600
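As an added example (not from this thread), the same addinfo pattern applied per log source, which is the usual reason a defender asks this question: spotting a source whose last event is older than expected. The window end is taken from info_max_time rather than now(), so the result is identical whether the search runs ad hoc or as a scheduled alert; the index, sourcetypes and one-hour threshold are assumed.

```spl
index=main sourcetype IN (linux_secure, "WinEventLog:Security")
| addinfo
`comment("info_min_time / info_max_time are the search window bounds, not the earliest/latest event")`
| stats max(_time) as latest count as events by sourcetype, info_min_time, info_max_time
| eval hours_ago = round((info_max_time - latest) / 3600, 2)
| eval window_hours = round((info_max_time - info_min_time) / 3600, 2)
`comment("flag sources whose newest event is more than one hour before the window end")`
| where hours_ago > 1
| convert ctime(latest) ctime(info_min_time) ctime(info_max_time)
| table sourcetype events latest info_min_time info_max_time window_hours hours_ago
```

A sourcetype with no events at all inside the window produces no row from stats, so a completely silent source is not flagged by this search alone; it needs a reference list of expected sources joined in, which is outside what the thread covers.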