Hello, we are trying to calculate the real-time elapsed time since the last event in Splunk and set up an alert if this duration exceeds a threshold, but we are having issues. We currently have this search:
index=connectit | reverse | head 1 | eval Age=(time()-_time) | eval now=time() | convert ctime(now) | table _time, Age, now
to give us the difference between the current time and the last event but it is not calculating the duration. For example, if events stop flowing the "Age" field will not increase. Any ideas?
Thanks!
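One way to get an age that keeps growing when events stop, written as an added illustration rather than code from the post above; the 300-second threshold, the `event_count` and `last_time` field names, and the 999999 sentinel for "no events at all" are assumptions:

```spl
index=connectit
| stats count AS event_count, max(_time) AS last_time
| eval Age=if(event_count=0, 999999, now()-last_time)
| eval now=now()
| where Age > 300
| convert ctime(last_time) ctime(now)
| table last_time, Age, now
```

Run this as a scheduled alert (for example every minute over a window longer than the expected gap) that triggers when the result count is greater than zero; because `stats count` still returns one row when the window is empty, the alert also fires when no events arrive at all.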