Hi Team,

I was trying to find the workstation clock-out-of-sync logs in Splunk by using the query below, but I am not getting the expected logs. Also, I could not see the Previous Time field in the interesting fields, although it exists in the raw message field. Can someone help me out with how to make this query efficient...?

    index=*_win sourcetype=wineventlog EventCode=4616 category="Security State Change"
    | stats max("Previous Time") as lastTime by asset_id
    | where isnull(lastTime)
    | addinfo
    | eval hourDiff=floor((info_max_time-info_min_time)/3600)
    | fields dest,should_timesync,hourDiff

Thanks in advance

Previous Time: 2023-08-09T09:18:00.490316500Z
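As an added illustration of the detection the query above is reaching for (not part of the original post or of Splunk), here is a small Python script that pulls "Previous Time" and "New Time" out of constructed 4616 raw messages, copes with the 9-digit fractional seconds that the Windows timestamp carries, computes the per-host clock jump in hours, and flags hosts whose clock moved by more than a threshold. The host field name ComputerName and the sample events are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample raw messages in the shape Splunk shows for EventCode 4616
# (system time changed). These are made-up events, not real logs.
SAMPLE_EVENTS = [
    "EventCode=4616 ComputerName=WS-ALPHA Previous Time: 2023-08-09T09:18:00.490316500Z "
    "New Time: 2023-08-09T09:18:01.000000000Z",
    "EventCode=4616 ComputerName=WS-BRAVO Previous Time: 2023-08-09T03:05:10.123456700Z "
    "New Time: 2023-08-09T09:20:15.000000000Z",
    "EventCode=4616 ComputerName=WS-CHARLIE Previous Time: 2023-08-10T11:00:00.000000000Z "
    "New Time: 2023-08-09T09:21:00.000000000Z",
    "EventCode=4624 ComputerName=WS-ALPHA LogonType=3",  # unrelated event, must be skipped
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")
FIELD_RE = re.compile(r"ComputerName=(\S+).*?Previous Time:\s*(\S+).*?New Time:\s*(\S+)")

def parse_win_timestamp(ts):
    """Windows logs 100-ns precision (7 or more fractional digits), which
    datetime.fromisoformat rejects on older Pythons; keep only microseconds."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts}")
    base, frac = m.groups()
    micro = int((frac or "")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def clock_skew_hours(events):
    """Map host -> list of clock adjustments in hours (New Time minus Previous Time).
    A negative value means the clock was set backwards."""
    skews = {}
    for raw in events:
        if "EventCode=4616" not in raw:
            continue
        m = FIELD_RE.search(raw)
        if not m:
            continue  # 4616 without both timestamps: nothing to measure
        host, prev, new = m.groups()
        delta = parse_win_timestamp(new) - parse_win_timestamp(prev)
        skews.setdefault(host, []).append(delta.total_seconds() / 3600)
    return skews

def out_of_sync_hosts(events, threshold_hours=1.0):
    """Hosts whose clock jumped by at least the threshold in either direction."""
    return sorted(h for h, vals in clock_skew_hours(events).items()
                  if any(abs(v) >= threshold_hours for v in vals))
```

Running `out_of_sync_hosts(SAMPLE_EVENTS)` on the sample data flags WS-BRAVO (about +6.25 h) and WS-CHARLIE (about -25.65 h), while WS-ALPHA's sub-second correction is ignored.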