I am converting a Splunk Dasboard to a Kusto Dash board
Below is the Splubk Query that give me the minites since as 60
index=V source=c:\\files\\build\\* | head 1 | eval minutesSince=round((now() - _indextime)/60,0) | table minutesSince
I try to create the same in Kusto but the time is not matching gives me 0 minutesSince. But the Data is the same in Splunk and Kusto. Not sure what part of the Query should I correct. Thanks for the support.
| extend minutesSince = (now() - ingestion_time())/60
| project minutesSince,BuildId
| limit 1```
you could try something like the following:
for the entire table:
TableName
| summarize minutes_since_last_ingestion = (now() - max(ingestion_time())) / 1m
or, per record:
TableName
| extend minutes_since_ingestion = (now() - ingestion_time()) / 1m