Can anyone give me any hints as to what I might be doing wrong?
I have this query in a scheduled real-time alert where I'm hoping to retain the lastupdated time and lastfault time in a kvstore. If I run the query interactively I get the results I expect; however, when I run the query as a scheduled real-time alert, nothing is updated in the kvstore.
Any help would be appreciated.
sourcetype="web-heartbeat" `website_monitoring_search_index` `filter_inoperable`
| eval time=_time | eval response_time=total_time | convert ctime(time)
| fillnull response_code value="Connection failed"
| eval response=if(timed_out == "True", "Connection timed out", response_code)
| eval response=if(response_code="", "Connection failed", response_code) | eval state=response
| eval _key=title | eval lastupdated=time() | eval lastfault=time()
| fields - _raw _time | fields _key time title host url response_code response state lastupdated lastfault
| outputlookup website_monitoring_state append=false key_field=_key