Hello,
I would like to be able to calculate the time difference between the last time parameter of the time range of the search and the _time value of the record.
If the query is run from the current time, I would do something like this:
eval runtime_raw=(now()-_time)
But if the search time range end time is not now(), I want to replace now() in the above expression with something representing the end of the search time range. Does such a function exist? Or is there a way to calculate this?
Thanks for your help,
Richard
You need to use the addinfo command like this:
your base search
| addinfo
| eval runtime_latest=info_max_time-_time | fields - info_*
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Addinfo
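
The same calculation with the open-ended case handled, as an added example that is not part of the original posts: when the search time range has no upper bound (for example "All time"), addinfo reports info_max_time as +Infinity, so the subtraction no longer gives a usable number. The makeresults events are constructed sample data standing in for "your base search", and n, range_end and runtime_readable are field names chosen here for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=now() - n*600
| addinfo
| eval range_end=if(info_max_time="+Infinity", now(), info_max_time)
| eval runtime_latest=range_end - _time
| eval runtime_readable=tostring(runtime_latest, "duration")
| fields - info_* n
```

Run it once with a bounded time range and once with "All time": in the first case runtime_latest is measured from the end of the picked range, in the second it falls back to now().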