Not sure if I fully understand the requirements, but maybe something like this could get you started?  I can't really test so this could be all sorts of wrong - but I think it seems reasonable?

1.  Include all events in base search
2.  create some new vars based on the sourcetype (so kinda like the rename you want to do)
3. get the detection time and process time for each snsm id (use eventstats to keep the rest of the event)
4. get the step6 time for each prodnr  (think this should put it on the nau/nas events too)
5. Now just look at the NAS events as they should have the detection time, process time and step 6 time and the prod nr as well
6. check the timestamps to see which thing happened when and provide the relevant output

index=whatever sourcetype IN ("MP","NAS","NAU")
| eval step6_time = case(sourcetype="MP" AND meldepunkt="6",strptime(zeitstempeli,"%d.%m.%Y %H:%M"))
| eval detection_time = case(sourcetype="NAS",strptime(errfaast,"%d.%m.%Y %H:%M"))
| eval process_time = case(sourcetype="NAU",strptime(errfaast,"%d.%m.%Y %H:%M"))
| eventstats values(detection_time) as detection_time, values(process_time) as process_time by snsm
| eventstats values(step6_time) as step6_time by prodnr
| where sourcetype="NAS"
| eval result = case(isnotnull(process_time) AND process_time < step6_time,"fault processed before",isnotnull(process_time),"fault processed after step 6",isnull(process_time),"fault not processed")

Hey! seems to work. The key was the  sourcetype IN ("MP"...) and the extraction with eval case...
But my Problem now is i want to see all Production Numbers PRODNR wich passed the Step 6 today so earliest @d+6h is right... but the cause could be up to 2-3 days back! The NAS or NAU. 

How can i extract the MP PORDNR from today but search for all Causes in NAS and NAU wich are linkt to that PRODNR even if they are some days back?

Thank youo very much guys! 😁

You may be able to do a subsearch, but not sure if that's needed here.  If you simply search the past 3 days (or however long in the past you need to go), then you should be able to filter only those events where step 6 occurred today. 

Not looking to type it all out again, but something like this once you have all of the fields you need and are ready to actually check timestamps.

... | where step6_time > relative_time(now(),"@d")

 That should eliminate any events where  step 6 happened before today.  

Can you give a some scrambled sample data? That way it’s much easier to understand your challenge. I suppose that couple of events are enough.

hey thank you! yes here they are. It has to look like this. I Need all Source datas one next to the other and liks the NAU and NAS data by the SNSM as you see. at the end i want to show the 6.0 for every PRODNR in the data. and i need the empty fields, so i know if the issue is closed and if it is before or after the 6.0 point

Another answer to avoid join https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-joi...

There is also some conf prentations “Join datasets without join command” or something similar which could help you.