Hi @ktn01 ,

You could try something like this:

index=_audit TERM(action=search) TERM(info=completed)
| where search_et <= relative_time(now(), "-2y")
| table _time, user, search_et, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

Or if you want to be more precise you can use the difference between execution time and earliest time and return those greater than 2 years:

index=_audit TERM(action=search) TERM(info=completed)
| eval diffInYears = (exec_time-search_et)/(365*86400)
| where diffInYears > 2
| table _time, user, search_et, exec_time, diffInYears, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| eval executionTime=strftime(exec_time, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

Regards,

J