I am a new user to Splunk and working to create an alert that triggers if it has been more than 4 hours since the last alert. I am using the following query, which I have test and come back with a valid result: index=my_index | stats max(_time) as latest_event_time | eval time_difference_hours = (now() - latest_event_time) / 3600 | table time_difference_hours Result: 20.646666667 When I go in and enable the alert, I set the alert to run every every. Additional I choose a custom condition as the trigger and use the following: eval time_difference_hours > 4 But the alert does not trigger. As you can see based on the result, it has been 20 hours since the last event was received in Splunk. Not sure what I am missing. I have also modified the query to include a time span with earliest=-24H and latest=now, but that did work either.     ... View more

I am trying to get a understanding why I get a different count total for the number of events for the following searches 1. index=some_specific_index  (Returns the following  total for events 7,601,134) 2. | tstats count where index=some_specific_index (Returns 7,593,248)   I do have the same date and time range sent when I run the query. I understand why tstats and stats have different values.       ... View more