https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624609#M217140 <P>Use rex to extract the two timestamps then use strptime to convert them into epoch (integer) form.&nbsp; Then you can compare then to see how far apart they are.</P><LI-CODE lang="markup">| makeresults | eval _raw="2022-12-16 21:30:17.689, TO_CHAR(schema.function(MAX(columnA)),'MM-DD-YYHH24:MI')=\"12-16-22 16:29\"" ```Above creates demo data. Delete IRL``` | rex "(?&lt;time1&gt;^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d)" | rex "(?&lt;time2&gt;\d\d-\d\d-\d\d \d\d:\d\d\\\")" | eval diffsecs = strptime(time1, "%Y-%m-%d %H:%M:%S.%3N") - strptime(time2, "%m-%d-%y %H:%M") | eval old=if(abs(diffsecs) &gt; (15*60),1 ,0)</LI-CODE> Fri, 16 Dec 2022 22:03:46 GMT richgalloway 2022-12-16T22:03:46Z https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624608#M217139 <P>I have a dbquery ouput that looks like the below, unfortunately i cant update the actual database query to make it more readable...&nbsp;</P> <P>&nbsp;</P> <P><SPAN class="">2022-12-16</SPAN> <SPAN class="">21:30:17.689</SPAN><SPAN>, </SPAN><SPAN class="">TO_CHAR</SPAN><SPAN>(schema.function</SPAN><SPAN>(</SPAN><SPAN class="">MAX</SPAN><SPAN>(</SPAN><SPAN class="">columnA</SPAN><SPAN>)),'</SPAN><SPAN class="">MM-DD-YYHH24:MI</SPAN><SPAN>')</SPAN><SPAN class="">=</SPAN><SPAN>"</SPAN><SPAN class="">12-16-22</SPAN> <SPAN class="">16:29"</SPAN></P> <P>&nbsp;</P> <P><SPAN class="">I am trying to whether time the 2 times&nbsp; at the begining and end of the results are within 15 mins of each other. I have tried renaming the column from the long stupid string but i cant get that working using the rename function.&nbsp; does anyone have any ideas how to rename (or if i even need to) and then evaluate whether the times are within 15 mins of each other?</SPAN></P> <P><SPAN class="">the query i ran to get the above is just &lt;index="abc"&gt;</SPAN></P> <P>&nbsp;</P> Fri, 16 Dec 2022 23:00:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624608#M217139 HelloItsMe76 2022-12-16T23:00:30Z https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624609#M217140 <P>Use rex to extract the two timestamps then use strptime to convert them into epoch (integer) form.&nbsp; Then you can compare then to see how far apart they are.</P><LI-CODE lang="markup">| makeresults | eval _raw="2022-12-16 21:30:17.689, TO_CHAR(schema.function(MAX(columnA)),'MM-DD-YYHH24:MI')=\"12-16-22 16:29\"" ```Above creates demo data. Delete IRL``` | rex "(?&lt;time1&gt;^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d)" | rex "(?&lt;time2&gt;\d\d-\d\d-\d\d \d\d:\d\d\\\")" | eval diffsecs = strptime(time1, "%Y-%m-%d %H:%M:%S.%3N") - strptime(time2, "%m-%d-%y %H:%M") | eval old=if(abs(diffsecs) &gt; (15*60),1 ,0)</LI-CODE> Fri, 16 Dec 2022 22:03:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624609#M217140 richgalloway 2022-12-16T22:03:46Z https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624738#M217178 <P>this is beautiful. thanks so much. it works perfectly.</P> Mon, 19 Dec 2022 15:53:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fix-column-name-and-evaluate-times/m-p/624738#M217178 HelloItsMe76 2022-12-19T15:53:23Z