Here is the sample event.

2017/04/26 22:43:29 operation_id="1493246609" unitid="123456" easid="AAAAAAAAAA" deviceid="11111@123456" firstSync="2017/03/21 23:53:41" lastSync="2017/03/22 08:54:04" status="Quarantined" type="" userAgent="sample.com" apiname="apitest" message="Matched_Standard_mail."

I want to calculate time difference between _time(2017/04/26 22:43:29 in this case) and lastSync(2017/03/22 08:54:04 in this case).
When I ran the query, the result came out to be like this. (See below)

_time lastSync diff
2017/04/26 22:43:29 2017/03/22 08:54:04

It seems like the eval calculation didn't work we,, so the "diff" field could't get a value.
In case, I changed "strptime" to "strftime", but I got the same result.
If there is other way to fix it, please let me know.

Thank you.

You don't need to convert _time field -

index=service | eval Time=_time | eval LastSync=strptime(lastSync, "%Y/%m/%d %H:%M:%S") | eval diff=LastSync-Time | table _time,lastSync,diff,| sort -_time

The L for LastSync was added to your table as lowercase. What was printed was lastSync(raw data field) instead of LastSync(new eval field)

The new eval "Time" is also not being used or sorted. Everything is going towards the original _time.
Im not sure if thats how it was meant to be or not.

Also, I added this comment to @dineshraj9 instead of the question creator. Sorry : )

Thank you for your reply.
It worked!

Thank you very much.