I believe the map command can help you here:
The map command is a looping operator that runs a search repeatedly for each input event or result.
So try replacing your join command with something like this:
| map search="search index=proxy src_host=$src_host$ | stats count by src_host,UserName"
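A fuller version of that map pipeline, added here as an example and not taken from the answer above. The firewall index, the action field, the time range and the 50-host cap are assumptions; only the proxy index and the src_host / UserName fields come from the thread:

```spl
index=firewall action=blocked earliest=-24h
| stats count AS blocked_hits by src_host
| sort - blocked_hits
| head 50
| map maxsearches=50 search="search index=proxy earliest=-24h src_host=\"$src_host$\" | stats count AS proxy_hits by src_host, UserName"
```

Two points worth keeping in mind with map: it launches one inner search per outer result, and maxsearches defaults to 10, so cap the outer result set (head here) and set maxsearches to match or the remaining rows are silently dropped. The $src_host$ token is substituted as raw text into the inner search string, so quote it (src_host=\"$src_host$\") so that a value containing spaces or special characters cannot break or alter the inner search. Only the inner searches' results are returned; outer fields you still need must be referenced inside the inner search via tokens.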
I am assuming that the first Timestamp is being appended by Syslog? If yes, you can disable that using a syslog template and then the logs should parse correctly. Hope this works! 🙂