| makeresults
| eval _raw="userId=abc,session=123,time=12:00_IST"
| kv
| eval time=replace(time,"_"," ")
| append 
    [| makeresults 
    | eval _raw="foo-abc-12:00 IST-data" ]
`comment("this is sample data")`
| rex "(?<user>[^\-]+)-(?<userId>[^\-]+)-(?<time>[^\-]+)-(?<data>.+)"
| stats values(*) as * by userId 
| eval session="sessionid-".session
| table userId user session

I uased @richgalloway 's query, thanks.

 source=fuse.log OR source=access.log 
| rex "(?<user>[^\-]+)-(?<userId>[^\-]+)-(?<time>[^\-]+)-(?<data>.+)"
| stats values(*) as * by userid 
| eval session="sessionid-".session
| table userid user sessionid

How about this?