try this search anywhere:

| makeresults count=1
| eval online_time = "01:16,04:17,18:02,00:43,12:12,110:00"
| makemv delim="," online_time
| mvexpand online_time
| eval logout_time = _time - random()%500
| eval logout_time_human = strftime(logout_time, "%c")
| rename COMMENT as "the above generates data below is a step by step solution, some steps can be combined"
| rex field=online_time "(?<hours>\d+)\:(?<minutes>\d+)"
| eval hours_in_sec = hours * 3600
| eval minutes_in_sec = minutes * 60
| eval online_time_in_sec = hours_in_sec + minutes_in_sec
| eval logon_epoch_time = logout_time - online_time_in_sec
| eval logon_human_time = strftime(logon_epoch_time, "%c")
| table logout_time_human logout_time logon_human_time logon_epoch_time online_time online_time_in_sec hours minutes

note, there are other ways to accomplish, the above is a step by step. you can build the query line by line and see how it works

hope it helps