I have the below query to calculate events not reporting for the last 24 hours. I want to calculate the difference between the current time and the last event time and then display the difference in days. This is the query I have. Somehow the diff field is empty. Please help.
| metadata type=sourcetypes index=*
| search sourcetype!=*too_small
| where lastTime < (now() - 86400)
| convert ctime(lastTime) as Last_Time timeformat="%Y/%m/%d %H:%M" | eval diff=tostring(now() - Last_Time,"duration")
| fields sourcetype Last_Time diff
| sort -Last_Time
| metadata type=sourcetypes index=*
| search sourcetype!=*too_small
| where lastTime < (now() - 86400)
| eval diff=tostring(now() - lastTime,"duration")
| fields sourcetype lastTime diff
| sort - lastTime
| eval lastTime=strftime(lastTime,"%Y/%m/%d %H:%M")
You should change the time format at the end.
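The difference between the two queries above, as an added example that is not part of either post: it runs on constructed rows (makeresults with made-up sourcetype names and offsets) and puts the string-based subtraction next to the epoch-based one. The days_silent column is an assumption about how the "difference in days" should be shown.

```spl
| makeresults count=3
| streamstats count AS n
| eval sourcetype=case(n=1,"constructed_fw", n=2,"constructed_proxy", n=3,"constructed_dns")
| eval lastTime=now() - case(n=1,3600, n=2,90000, n=3,400000)
| where lastTime < (now() - 86400)
| convert ctime(lastTime) AS Last_Time timeformat="%Y/%m/%d %H:%M"
| eval diff_from_string=tostring(now() - Last_Time,"duration")
| eval diff=tostring(now() - lastTime,"duration")
| eval days_silent=round((now() - lastTime)/86400,1)
| sort lastTime
| table sourcetype Last_Time diff_from_string diff days_silent
```

diff_from_string comes back empty because Last_Time is formatted text, not an epoch number, while diff and days_silent are computed from the numeric lastTime.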