Hi @Julia1231,

if in each event, you have all the fields, you have to run something like this:

<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| stats values(start_time1) AS start_time1 values(end_time1) AS end_time1 values(start_time2) AS start_time2 values(end_time2) AS end_time2 min(diff) AS min_diff BY id	
| sort -min_diff
| head 1

Ciao.

<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| stats values(start_time1) AS start_time1 values(end_time1) AS end_time1 values(start_time2) AS start_time2 values(end_time2) AS end_time2 min(diff) AS min_diff BY id	
| sort min_diff
| head 1

or

<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| sort diff
| head 1

Ciao.

Giuseppe