I'm trying to show the relative time for the last time data was refreshed successfully. I search for all success text strings in the log file and then I need to get that time and do a reltime. I tried:
searchstring | stats last() as _time | reltime
But of course "stats last()" isn't a time, and putting it into _time doesn't work. I tried extracting the fields from last(), concatenating them, strptime'ing the result, and then assigning it to _time:
searchstring | stats last(date_hour) as HOUR, last(date_minute) as MINUTE, last(date_year) as YEAR, last(date_month) as MONTH, last(date_second) as SECOND, last(date_mday) as DAYN | eval _time=strptime(YEAR . "-" . MONTH . "-" . DAYN . " " . HOUR . ":" . MINUTE . " " . SECOND,"%Y-%B-%d %H:%M:%S") | reltime
But it only added a reltime column to the result and put in unknown for the value, so I'm still doing something wrong. Besides, I really hope there's an easier way to do this than that last query (yuck!)