Can anyone give me any hints as to what I might be doing wrong? I have this query in a scheduled real-time alert where I'm hoping to retain the lastupdated time and lastfault time in a kvstore. If I run the query interactively I get the results I expect; however, when running the query as a scheduled real-time alert, nothing is updated in the kvstore. Any help would be appreciated.

sourcetype="web-heartbeat" `website_monitoring_search_index` `filter_inoperable`
| eval time=_time
| eval response_time=total_time
| convert ctime(time)
| fillnull response_code value="Connection failed"
| eval response=if(timed_out == "True", "Connection timed out", response_code)
| eval response=if(response_code="", "Connection failed", response_code)
| eval state=response
| eval _key=title
| eval lastupdated=time()
| eval lastfault=time()
| fields - _raw _time
| fields _key time title host url response_code response state lastupdated lastfault
| outputlookup website_monitoring_state append=false key_field=_key