Hi @gcusello @to4kawa  the above solution didnt worked for me, am  using splunk7.0.1 and i just started learning splunk I need to filter the data based on printed timestamp where i need to find the difference of days with indexed timestamp of Xml file and display the columns as 0 if it falls on same day else 1 if it days difference is more than or equal to 1 so i provided the timestramp condtion as if(round(((indextime-SideA-printedtimestamp)/86400),0)=0),1,0) i need the output like this RollID customer-job-id start-range-Side-A-printed-timestamp start-range-Side-B-printed-timestamp end-range-Side-A-printed-timestamp end-range-Side-B-printed-timestamp RollId-1 Customer-1 based on FilterCondition it should be 1 or 0 based on FilterCondition it should be 1 or 0 based on FilterCondition it should be 1 or 0 based on FilterCondition it should be 1 or 0 RollId-1 Customer-2 0 1 1 1 the difference of epoc dates shows me blank even for converted timestamp eval  diff=(printedtimestrampB-printedtimestrampA) something am doing in wrong way     i tried the below query to find the result. (index=*) "jobs.job.job-manifest.start-range.side-a.printed-timestamp"="*" "jobs.job.job-manifest.start-range.side-b.printed-timestamp"="*" | rename jobs.job.job-manifest.start-range.side-a.printed-timestamp as "printedtimestrampA" ,jobs.job.job-manifest.start-range.side-b.printed-timestamp As "printedtimestrampB" | eval printedA_epoch=strptime(printedtimestrampA,"%Y-%m-%dT%H:%M:%S.%Q"),printedB_epoch=strptime(printedtimestrampB,"%Y-%m-%dT%H:%M:%S.%Q") | eval indextime =_indextime | eval diffA=indextime-printedA_epoch, diffB=indextime-printedB_epoch | eval daysA= round((diffA/86400),0) , daysB= round((diffB/86400),0) |eval  diff=(printedtimestrampB-printedtimestrampA) | table host as customer,printedA_epoch,printedB_epoch,indextime,diffA,diffB,daysA,daysB,diff below is the screen shot for reference, even i tried using rex but could get proper result.   ... View more

Hi @gcusello , This is my sample data there will be n number of jobs for each customer, i need to filter the Roll-Id,customer data and the different time stamp which falls under the indexed time  condition for timestamp for start range A & B and end range A & B if(round(((indextime-SideA-printedtimestamp)/86400),0)=0),1,0) Roll-Id Customer start-range- SideA timestamp start-range- SideB timestamp end-range-SideA timestamp end-range-SideB timestamp Roll-Id1 Customer1 1 1 0 1 Roll-Id2 Customer 2 1 1 0 0 So when i filter the data i get start range and end range of side A & B are multi-valued thanks, Karuna ... View more

Hi @bowesmana , really appreciate your multiple solution, after implementing am getting Aepoch vales as 0000 instead of its value..   Thanks, Karuna     ... View more

Hi @gcusello , When i try to find the difference i still get blank as difference, am not aware what mistake am doing Thanks, Karuna ... View more

Thanks for your valuable time | stats list(*) as * it displays all my field in the indexed data i have to display only limited columns CustomerjobId,printedA_epoch,printedB_epoch,indexdatetime as i have to do difference of A and B epoc with indexedtime epoc  ... View more

Thank you @bowesmana  but am using splunk 7.0.1 where  'mvmap'  function is not supported or undefined, could you please provide me an alternative command. ... View more

Hi @gcusello , thanks for your kind support,Please find the snap shot  Thanks  Karuna ... View more

Hi @gcusello ,   Yes i tried the same but i doesn't get any data apart from blank. even difference of this (indextime-printedA_epoch) also blank Thanks, Karunagaraprabhu ... View more

Hi @gcusello , Thanks for the reply, even i get blank data for the below query  eval fdata=round(((_indextime-printedA_epoch)/86400),0) ... View more