Hi,
Maybe you can try using the query below as base for your need:
...
| eval expected_date = strftime(now(), "%m-%d-%Y 7:15")
| eval expected_timestamp= strptime(expected_date, "%m-%d-%Y %H:%M")
| eval event_date = strftime(_time, "%m-%d-%Y %H:%M")
| eval event_timestamp = strptime(event_date, "%m-%d-%Y %H:%M")
| eval diff = event_timestamp - expected_timestamp
| eval result = case(diff = 0, "1", diff >= 1800, "3", 1=1, "2")
| table _time, expected_date, event_date, diff, result
The output result was:
| _time | expected_date | event_date | diff | result |
| 2020-06-11 07:45:00 | 06-11-2020 7:15 | 06-11-2020 07:45 | 1800.000000 | 3 |
| 2020-06-11 07:50:00 | 06-11-2020 7:15 | 06-11-2020 07:50 | 2100.000000 | 3 |
| 2020-06-11 07:00:00 | 06-11-2020 7:15 | 06-11-2020 07:00 | -900.000000 | 2 |
| 2020-06-11 07:20:00 | 06-11-2020 7:15 | 06-11-2020 07:20 | 300.000000 | 2 |
| 2020-06-11 07:15:00 | 06-11-2020 7:15 | 06-11-2020 07:15 | 0.000000 | 1 |
