Something like 

index=sentinelone installedAt!="Null"
| eval duration=now()-strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N")
| eval duration=if(duration < 7 * 86400, tostring(duration, "duration"), null())
| table _time installedAt agentDomain duration

Note your last search is based on a field that already exists in raw data.  Moving it to the base search is more efficient.