I am trying to compare the current date with the lastInformTime I have tried | eval but nothing seems to work.  index="device_list" pppUsername=* provRecordStatus=Succeeded | eval timenow=now() | spath lastInformTime | search lastInformTime>=timenow | dedup macAddress, serialNumber | table ipAddress, serialNumber, lastInformTime, pppUsername, macAddress The _time that is brought in during the import does not compare with any date in the export. I am not sure where Splunk is getting it from. Is there a way to set the _time to the lastInformTime? TIA ... View more