My log contains some events that we call 'bonus_events', and 'bonus_events' happen once or twice a week.
I want to subtract the current time from the time when the latest bonus_event happened.
For this I want to fetch the time of the latest event.
This is what I have written:
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| eval sub = now() - x
x indicates the time of the latest event in the base query result.
Hello there, the field _time represents the timestamp on the event. Try this:
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| eval sub = now() - _time
This will give you the gap in seconds between your event(s) and the moment the search was executed.
Hope it helps.
And to apply this only to the latest event, simply insert a | head 1 in between those two lines.
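An added example, not from the original thread, that makes the "latest event" step explicit. `| head 1` works in the answer above because a historical Splunk search returns events in reverse chronological order by default, so the first event is the most recent; if anything upstream re-sorts the results, `stats max(_time)` picks the latest timestamp regardless of order. The host, source and search term are the ones from the question; the field names `latest_bonus` and `sub_readable` are my own, and `tostring(..., "duration")` formats the gap as HH:MM:SS (D+HH:MM:SS when longer than a day).

```spl
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| stats max(_time) as latest_bonus
| eval sub = now() - latest_bonus
| eval sub_readable = tostring(sub, "duration")
| eval latest_bonus = strftime(latest_bonus, "%Y-%m-%d %H:%M:%S")
| table latest_bonus sub sub_readable
```

This returns a single row even when the base search matches many events, which is also the shape you want if the result feeds an alert (for example, "no bonus_event in the last 10 days").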
@FrankVl Thank you. The | head 1 did the trick.
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| head 1
| eval sub = now() - _time
If it solves it, please mark the question as answered and upvote any helpful comments.
Just to be clear, _time indicates the time of the latest event that my base query produces, right?
My base query produces around 20 events in a one-month time frame, and I would like the time of the latest event only.
Thank you.