I am not sure why I am not getting results with this query, any suggestions?
index= ______
| stats max(_time) as last_event
| eval timenow=strftime(now(), "%Y-%m-%d %H:%M:%S.%3N")
| eval last_event=strftime('last_event', "%Y-%m-%d %H:%M:%S.%3N")
| eval diff = tostring((timenow - last_event), "duration")
| table diff
↧