https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23702#M177477 <P>The sample you provided has another date format than what you posted in earlier events, so if that's the format you're working with you should change the strptime format string to reflect that.</P> Fri, 03 Aug 2012 07:10:16 GMT Ayn 2012-08-03T07:10:16Z https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23699#M177474 <P>There are "date-time" fields other than _time in events:<BR /> ...^2012/06/30 23:58:20^2012/06/30 23:58:20...<BR /> we pre extracted them as "firsttime","lasttime"<BR /> we want the results where (fisttime-lasttime)&lt;300s, how could we approach that?<BR /> I have tried search as:<BR /> | rex field=firsttime "(?<FDATE>\d{2}/\d{2}/\d{2})\s(?<FTIME>\d{2}:\d{2}:\d{2})" <BR /> | rex field=lasttime "(?<LDATE>\d{2}/\d{2}/\d{2})\s(?<LTIME>\d{2}:\d{2}:\d{2})"<BR /> | convert dur2sec(ftime), dur2sec(ltime)<BR /> | where fdate=ldate | eval duration=ltime-ftime |where duration&lt;300 | <BR /> but this is not impeccable.</LTIME></LDATE></FTIME></FDATE></P> <P>Edit:<BR /> Hi<BR /> This solution so cool<BR /> But it seems not willing to work, I dont know what I did wrong: </P> <P>sourcetype="..." | fields FirstOccurrence LastOccurrence <BR /> | eval firsttime_epoch=strptime(FirstOccurrence,"%Y/%m/%d %H:%M:%S")<BR /> | eval lasttime_epoch=strptime(LastOccurrence,"%Y/%m/%d %H:%M:%S")<BR /> | table FirstOccurrence firsttime_epoch There are values in FirstOccurrence but firsttime_epoch not<BR /> one of samples:<BR /> 1/10/11 12:08:58</P> <P>(just now)</P> Mon, 28 Sep 2020 12:11:06 GMT https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23699#M177474 crazyeva 2020-09-28T12:11:06Z https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23700#M177475 <P>A better way would probably be to use <CODE>eval</CODE>'s <CODE>strptime</CODE> function to convert the timestamp strings to epoch values and then use these in your comparison.</P> <PRE><CODE>... | eval firsttime_epoch=strptime(firsttime,"%Y/%m/%d %H:%M:%S") | eval lasttime_epoch=strptime(lasttime,"%Y/%m/%d %H:%M:%S") | where lasttime_epoch-firsttime_epoch&lt;300 </CODE></PRE> Thu, 02 Aug 2012 09:21:19 GMT https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23700#M177475 Ayn 2012-08-02T09:21:19Z https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23701#M177476 <P>Thank you very much !<BR /> That is professional</P> Thu, 02 Aug 2012 09:29:20 GMT https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23701#M177476 crazyeva 2012-08-02T09:29:20Z https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23702#M177477 <P>The sample you provided has another date format than what you posted in earlier events, so if that's the format you're working with you should change the strptime format string to reflect that.</P> Fri, 03 Aug 2012 07:10:16 GMT https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23702#M177477 Ayn 2012-08-03T07:10:16Z https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23703#M177478 <P>Thank you again<BR /> | eval firsttime_epoch=strptime(FirstOccurrence,"%Y-%m-%d %H:%M:%S")<BR /> | eval lasttime_epoch=strptime(LastOccurrence,"%Y-%m-%d %H:%M:%S")<BR /> | eval firsttime_epoch2=strptime(FirstOccurrence,"%m/%d/%y %H:%M:%S")<BR /> | eval lasttime_epoch2=strptime(LastOccurrence,"%m/%d/%y %H:%M:%S")<BR /> | where lasttime_epoch-firsttime_epoch&lt;300 OR lasttime_epoch2-firsttime_epoch2&lt;300<BR /> then it works</P> Mon, 28 Sep 2020 12:11:42 GMT https://community.splunk.com/t5/Splunk-Search/about-date-and-time-form/m-p/23703#M177478 crazyeva 2020-09-28T12:11:42Z