Hi @Julia1231,
if in each event, you have all the fields, you have to run something like this:
<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| stats values(start_time1) AS start_time1 values(end_time1) AS end_time1 values(start_time2) AS start_time2 values(end_time2) AS end_time2 min(diff) AS min_diff BY id
| sort -min_diff
| head 1
Ciao.
<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| stats values(start_time1) AS start_time1 values(end_time1) AS end_time1 values(start_time2) AS start_time2 values(end_time2) AS end_time2 min(diff) AS min_diff BY id
| sort min_diff
| head 1
or
<your-search>
| eval diff=strptime(start_time2,"%Y-%m-%dT%H:%M:%S")-strptime(end_time1,"%Y-%m-%dT%H:%M:%S")
| sort diff
| head 1
Ciao.
Giuseppe
