Hello respected members of the prestigious forum of Splunk

I have been working with datetimes in splunk and it is making me insane... I am extracting the datetime of two separate events to later on subtract them, I have tried many ways to achieve this but I still dont have the results that I want... the format of datetime of the events look like this:  2020-07-28T09:42:33-06:00 I want to be able to have calculate difference in minutes between to events "join" by the field: error-code... Because of the way the system is configured the error "adult.mov" may appear twice or three times but I am only interested in the first time it appeared ... However, if this error has not appeared yet I want to record the current time instead... I am trying something like this:

| eval terrorXYU=if(match(_raw, "e_type_k"),datetime_c, null)
| eval terroradult.mov=if(match(_raw, "mov"),datetime_c, null)
| eval terroradult.mov= strptime(terroradult.mov,"%m/%d/%Y %H:%M:%S:%3N")
| eval terrorXYU= strptime(terrorXYU,"%m/%d/%Y %H:%M:%S:%3N")
| eval diff= terroradult.mov-terrorXYU

but I get nothing ins return I have tried a most of the codes in other posts but no luck at all.. thank you for helping me indeed