For your example in comments of

12/7/15 5:30:11.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:11 user=JSF eventa=A
12/7/15 5:30:13.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:13 user=JSF eventa=B
12/7/15 5:30:16.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:16 user=TEST eventa=A
12/7/15 5:30:24.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:24 user=JSF eventa=C
12/7/15 5:30:30.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:30 user=TEST eventa=C

Where you want to find all users who have eventa=A and eventa=B. In your example, JSF would fit that criteria but TEST would not.

index=<myindex> <my other root search stuff>  | stats list(eventa) AS Events, count BY user | search Events=A AND Events=B

So, after building your initial search that returns the above data, we'll push it through stats to group things together by user. There are quite a few more options possible if you want different values or types of fields to be available. Once you have them grouped, the next command runs a search against that result and finds only those records where it now contains BOTH an A and a B.

user    Events  count
JSF         C    3
           B    
           A

Lol, I have no idea if that will end up aligned right. Here, try this "pseudo-output"

user     Events     count
 JSF      C, B, A      3

The 3 is the count of the number of original events that "make up" the new grouped event.

Show a minimal set of raw event data with fields indicated and a mockup of your desired output with a bit of description about any trickiness (logic/math) in getting from start to finish.

Could you provide more details with sample data and corresponding expected output?