I've got about 4-5 different use cases that all require the same type of search logic / correlation but are run against a single sourcetype.
One example is I'd like to search Windows security event logs to find all events where a single username was used to attempt to log in but the computer was different within an x period of time. Or, the reverse, to find events where a single computer was being used to attempt to authenticate 3 or more different usernames within an x period of time.
Try this base search:
sourcetype=WindowsSecurityEvents | streamstats current=f last(host) AS prevHost BY username | streamstats current=f last(username) AS prevUsername BY host
For the first example, to show events where a single username was on multiple hosts, you tack on this:
| where prevHost!=host
For the second example, to show events where a single host was used with multiple usernames, you tack on this:
| where prevUsername!=username
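As an added illustration (not part of the answer above), here is a stand-alone Python equivalent of the two correlations. It adds the two things the question asks for that the streamstats search does not enforce on its own: a time window (in SPL that would be streamstats' time_window option) and the "3 or more distinct usernames" threshold. The sample events are constructed, not real log data; the field names host and username mirror the search above, the EventCode values 4624/4625 are the Windows logon success/failure IDs, and the 5-minute window and threshold of 3 are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Windows logon event IDs: 4624 = successful logon, 4625 = failed logon.
LOGON_EVENT_CODES = {4624, 4625}

# Constructed sample events (not real log data): (timestamp, EventCode, host, username).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", 4625, "WKS01", "alice"),
    ("2024-01-10T09:00:30", 4625, "WKS01", "bob"),
    ("2024-01-10T09:01:00", 4625, "WKS01", "carol"),  # third distinct user on WKS01 within the window
    ("2024-01-10T09:02:00", 4624, "WKS02", "alice"),  # alice seen on a second host within the window
    ("2024-01-10T09:02:30", 4672, "WKS02", "alice"),  # special-privilege assignment, not a logon: ignored
    ("2024-01-10T12:00:00", 4624, "WKS03", "alice"),  # hours later, outside a 5-minute window: not flagged
    ("2024-01-10T12:00:10", 4625, "WKS02", "dave"),
]


def parse_events(rows, codes=LOGON_EVENT_CODES):
    """Keep logon events only and sort them chronologically (streamstats walks events in order)."""
    return sorted(
        (datetime.fromisoformat(ts), host, user)
        for ts, code, host, user in rows
        if code in codes
    )


def _expire(queue, now, window_seconds):
    """Drop entries older than the window from the left of a time-ordered deque."""
    while queue and (now - queue[0][0]).total_seconds() > window_seconds:
        queue.popleft()


def user_on_multiple_hosts(events, window_seconds):
    """One username authenticating from more than one host within the window.

    Mirrors: streamstats current=f last(host) AS prevHost BY username | where prevHost!=host,
    but considers every earlier host inside the window, not only the immediately preceding one.
    Returns (time, username, host, sorted list of other hosts seen in the window).
    """
    recent = defaultdict(deque)  # username -> deque of (time, host)
    hits = []
    for ts, host, user in events:
        queue = recent[user]
        _expire(queue, ts, window_seconds)
        other_hosts = sorted({h for _, h in queue if h != host})
        if other_hosts:
            hits.append((ts, user, host, other_hosts))
        queue.append((ts, host))
    return hits


def host_with_many_users(events, window_seconds, threshold=3):
    """One host used to authenticate `threshold` or more distinct usernames within the window.

    Mirrors the reverse correlation (BY host) from the answer, with the distinct-count
    threshold the question asks for. Returns (time, host, sorted distinct usernames in window).
    """
    recent = defaultdict(deque)  # host -> deque of (time, username)
    hits = []
    for ts, host, user in events:
        queue = recent[host]
        _expire(queue, ts, window_seconds)
        queue.append((ts, user))  # the current event counts, like streamstats with current=t
        users = sorted({u for _, u in queue})
        if len(users) >= threshold:
            hits.append((ts, host, users))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for hit in user_on_multiple_hosts(events, window_seconds=300):
        print("user on multiple hosts:", hit)
    for hit in host_with_many_users(events, window_seconds=300):
        print("host with many users:", hit)
```

Run as a script it flags alice moving from WKS01 to WKS02 within five minutes and WKS01 being used for three different accounts within a minute, while alice's logon on WKS03 three hours later is left alone. Widening the window pulls that later event back in, which is the knob to tune against your own data before turning either correlation into an alert.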
What exactly is your question?
If you need help building such searches, do post sample data and describe what you'd need the results to look like.