@jt1234567 I think the reason is the dedup command:

| dedup All_Traffic.src_ip

After this you will have a single record for each All_Traffic.src_ip. Then the eventstats command is there by All_Traffic.src_ip. The eventstats will not change your basic fields like _time, because there is only one record for each All_Traffic.src_ip. So I'm not sure, but you can try the searches below.

| datamodel Network_Traffic All_Traffic search
| search (All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*")
| eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by All_Traffic.src_ip
| dedup All_Traffic.src_ip
| eval Earliest = strftime(Earliest, "%m/%d/%Y:%H:%M:%S"), Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest

I would also suggest going with tstats if possible:

| tstats earliest(_time) AS Earliest, latest(_time) AS Latest from datamodel=Network_Traffic.All_Traffic where (All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*") by All_Traffic.src_ip
| eval Earliest = strftime(Earliest, "%m/%d/%Y:%H:%M:%S"), Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest

Note: These searches are not exact; you will have to make minor changes as per your requirement. https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Tstats

KV
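To make the ordering point concrete, here is an added Python model (not part of the thread, and not Splunk's own implementation) of the two SPL commands over a small constructed set of All_Traffic events. It shows why `dedup` before `eventstats` collapses Earliest and Latest to the same timestamp, while `eventstats` before `dedup` keeps the real range per src_ip.

```python
# Constructed sample events (not from the thread): one src_ip seen three
# times over two hours, another seen once. Timestamps are epoch seconds.
EVENTS = [
    {"_time": 1700000000, "All_Traffic.src_ip": "172.18.0.5"},
    {"_time": 1700003600, "All_Traffic.src_ip": "172.18.0.5"},
    {"_time": 1700007200, "All_Traffic.src_ip": "172.18.0.5"},
    {"_time": 1700001000, "All_Traffic.src_ip": "172.19.1.9"},
]

SRC = "All_Traffic.src_ip"


def dedup(events, field):
    """Model of `| dedup <field>`: keep only the first event seen per value."""
    seen, kept = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(ev)
    return kept


def eventstats_range(events, by):
    """Model of `| eventstats earliest(_time) AS Earliest, latest(_time) AS Latest by <by>`.
    Every event keeps its own fields and gains the group-wide min/max _time."""
    bounds = {}
    for ev in events:
        lo, hi = bounds.get(ev[by], (ev["_time"], ev["_time"]))
        bounds[ev[by]] = (min(lo, ev["_time"]), max(hi, ev["_time"]))
    return [dict(ev, Earliest=bounds[ev[by]][0], Latest=bounds[ev[by]][1])
            for ev in events]


def range_by_src_ip(events, dedup_first):
    """Run the two pipelines from the thread and return {src_ip: (Earliest, Latest)}."""
    if dedup_first:
        # The original (broken) order: only one row per src_ip reaches eventstats.
        rows = eventstats_range(dedup(events, SRC), SRC)
    else:
        # The suggested order: compute the range over all rows, then collapse.
        rows = dedup(eventstats_range(events, SRC), SRC)
    return {r[SRC]: (r["Earliest"], r["Latest"]) for r in rows}


if __name__ == "__main__":
    print("dedup first:     ", range_by_src_ip(EVENTS, dedup_first=True))
    print("eventstats first:", range_by_src_ip(EVENTS, dedup_first=False))
```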