Hello @PiotrAp , You can try something like that : | makeresults
| eval event_id=1000, username="test", Computer="xx1", _time=strptime("2025-06-30 16:26:27.01", "%Y-%m-%d %H:%M:%S.%N"), resou...
See more...
Hello @PiotrAp , You can try something like that : | makeresults
| eval event_id=1000, username="test", Computer="xx1", _time=strptime("2025-06-30 16:26:27.01", "%Y-%m-%d %H:%M:%S.%N"), resource="example1"
| append
[| makeresults
| eval event_id=1000, username="test", Computer="xx2", _time=strptime("2025-06-30 16:26:27.02", "%Y-%m-%d %H:%M:%S.%N"), resource="example2"]
| append
[| makeresults
| eval event_id=1001, username="test", _time=strptime("2025-06-30 16:26:27.03", "%Y-%m-%d %H:%M:%S.%N"), resource="example3"]
| append
[| makeresults
| eval event_id=1000, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:29", "%Y-%m-%d %H:%M:%S"), resource="example2"]
| append
[| makeresults
| eval event_id=1001, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:32", "%Y-%m-%d %H:%M:%S"), resource="example3"]
| sort _time
| streamstats time_window=1s last(event_id) AS current_event_id, last(eval(if(event_id=1000,event_id,null()))) AS previous_event_id, last(eval(if(event_id=1000,_time,null()))) AS previous_time, last(eval(if(event_id=1000,Computer,null()))) as previous_computer, last(resource) AS current_resource by username
| eval status = if(current_event_id=1001 and previous_event_id=1000,"SUCCESS","FAILURE") (The makeresults lines are here to generate some data to test the query) In the results, you can see that the "success" status has the time & the computer of the previous event 1000 in the "previous_time" and "previous_computer" fields, and the resource of the event 1001 in the current_resource field. (I handled the case you have multiple 1000 event before the 1001, we want to keep only the fields of the last 1000 event) The user "truc" doesn't have a success event because the 2 events aren't in a 1s time window. If you run this query you will see the results like : Computer _time current_event_id current_resource event_id previous_computer previous_event_id previous_time resource status username xx1 2025-06-30 16:26:27.010 1000 example1 1000 xx1 1000 1751293587.010000 example1 FAILURE test xx2 2025-06-30 16:26:27.020 1000 example2 1000 xx2 1000 1751293587.020000 example2 FAILURE test 2025-06-30 16:26:27.030 1001 example3 1001 xx2 1000 1751293587.020000 example3 SUCCESS test yyy 2025-06-30 16:26:29.000 1000 example2 1000 yyy 1000 1751293589.000000 example2 FAILURE truc yyy 2025-06-30 16:26:32.000 1001 example3 1001 example3 FAILURE truc Does that answer your question?