Splunk Search

Dynamic date comparison

RonD
Explorer

I am creating a search that checks compliance using the dates received from Palo Alto signatures.

We are receiving 4 sets of dates:

app-release-date

av-release-date

wildfire-release-date

threat-release-date

One of these dates (app-release-date) does not get updated daily, meaning that if today's date is 5/20/2021, the last updated release for the app-release-date could be 4/20/2021.

Now, creating a pie chart that compares against today's date, it will show that the app-release-date is out of date by 30 days, but that is not the case; it just means that the most recent date for app-release-date is 4/20/2021.

The question is how I can use the 4/20/2021 date in an "eval=case" condition, using 4/20/2021 as the most recent date instead of "now()" in the conditions.

For your perspective, this is what I've done when using "now()" as the variable in the conditions:


| eval 'av-release-date'=round(strptime('av-release-date', "%Y-%m-%d %H:%M:%S")), today=now(), timediff=today-'av-release-date', chart_date=strftime('av-release-date', "%Y-%m-%d")
| eval color=case(timediff<=86400, "within 24 hrs", timediff>86400 AND timediff<=259200, "within 72 hrs", timediff>259200 AND timediff<=604800, "within 168 hrs", timediff>604800, "over 168 hrs")
| stats count by color

This returns a chart that looks like this:

[attached image: pie chart of the results grouped by color]

The app-release-date conditions will be:

The most recent = Green -----> the most recent is not "now()" but it could be 4/20/2021

Most recent – 7 days = yellow

Most recent – 30 days = red

Most recent > 30 days = black

Please advise, and thank you in advance.

Regards,


0 Karma

ITWhisperer
SplunkTrust

What are you trying to measure: the difference between app-release-date and av-release-date, between app-release-date and today, or something else?

0 Karma

RonD
Explorer

Not the difference, but using the app-release-date (a past date) as the most recent date and using that as the starting point for this condition:

[substitute the most recent as app-release-date]

The most recent = Green

Most recent – 7 days = yellow

Most recent – 30 days = red

Most recent > 30 days = black

0 Karma
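One way to do what the thread asks, as an added example (this is not code from either poster): take the newest app-release-date that actually appears in the data as the baseline instead of now(), then bucket every device by how far behind that baseline its own latest reported date is. The makeresults lines build a small constructed sample (five hypothetical hosts fw-01 to fw-05 with made-up dates) so the search runs on any Splunk instance without Palo Alto data; in a real search, replace everything up to and including "fields - sample" with the base search that yields a host and an app-release-date field per event. The field name app-release-date and the date format %Y-%m-%d %H:%M:%S come from the original post; using host as the device identifier and the green/yellow/red/black day thresholds are assumptions taken from the conditions listed above.

```spl
| makeresults
| eval sample="fw-01 2021-04-20 03:00:00;fw-02 2021-04-20 03:00:00;fw-03 2021-04-15 03:00:00;fw-04 2021-03-28 03:00:00;fw-05 2021-02-01 03:00:00"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<host>\S+)\s+(?<app_release_date>.+)$"
| rename app_release_date AS "app-release-date"
| fields - sample
| eval app_release=strptime('app-release-date', "%Y-%m-%d %H:%M:%S")
| stats max(app_release) AS app_release BY host
| eventstats max(app_release) AS newest_release
| eval age_days=round((newest_release - app_release) / 86400)
| eval status=case(isnull(age_days), "unknown", age_days==0, "green", age_days<=7, "yellow", age_days<=30, "red", true(), "black")
| eval app_release=strftime(app_release, "%Y-%m-%d"), newest_release=strftime(newest_release, "%Y-%m-%d")
| table host app_release newest_release age_days status
```

The stats line keeps one row per host (its newest reported app-release-date), and eventstats then attaches the fleet-wide newest value to every row, so age_days is "days behind the most recent release seen anywhere", not days behind today. On the constructed sample this gives fw-01 and fw-02 at 0 days (green), fw-03 at 5 days (yellow), fw-04 at 23 days (red) and fw-05 at 78 days (black). The isnull branch catches hosts whose date failed to parse instead of silently dropping them from the chart, and true() is the default branch. For the pie chart, replace the final table command with "| stats count by status"; the same pattern applies unchanged to av-release-date, wildfire-release-date and threat-release-date. One caveat of this approach: the baseline is whatever the data contains, so if Palo Alto publishes a new content package and no firewall has fetched it yet, every host still shows green; only a comparison against an external release feed would catch that case.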