A more useful strategy is to put the events in order, then copy the correct username forward from the most recent
event of type 2 to the type 1 events.
Assumptions for the following code: There are two types of events
type 1 => index="foo" source="bar" acct="*" NOTE "*" is often "root".
type 2 => index="foo" sourcetype="baz" username="*"
Here's some code that runs that strategy, based on the above assumptions. We haven't actually done anything with the records that we passed through; we are just demonstrating the technique.
index="foo" (source="bar" AND acct="*" ) OR (sourcetype="baz" AND username="*" )
| sort 0 _time
| eval realacct=if(sourcetype="baz",username,null())
| streamstats last(realacct) as realacct
| where sourcetype!="baz"
| rename COMMENT as "Now you have only the source=bar records, and they each know what the immediately prior baz login was."
This version clears the carried-forward name out of the record if it has been more than 10 seconds since the baz login.
index="foo" (source="bar" AND acct="*" ) OR (sourcetype="baz" AND username="*" )
| sort 0 _time
| eval realacct=if(sourcetype="baz",username,null()), baztime=if(sourcetype="baz",_time,null())
| streamstats last(realacct) as realacct, last(baztime) as baztime
| rename COMMENT as "last() skips nulls, so each event now carries the username and _time of the most recent baz login rather than the _time of whatever event happened to come just before it."
| where sourcetype!="baz"
| eval realacct=if(_time-baztime>10,null(),realacct)
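The same carry-forward logic, re-implemented outside Splunk as an added example (not code from the post above) so the edge cases can be checked offline: events out of time order, bar events that arrive before any baz login, and the optional timeout window. The event dicts are constructed sample data and the field names mirror the SPL (source, sourcetype, acct, username, _time); `correlate(events, window=10)` corresponds to the second search, `correlate(events)` to the first.

```python
from typing import Optional

# Constructed sample events, not from any real system. Type 1 events have
# source="bar" and a generic acct (often "root"); type 2 events have
# sourcetype="baz" and the real username. Times are epoch seconds.
EVENTS = [
    {"_time": 100, "sourcetype": "baz", "username": "alice"},
    {"_time": 103, "source": "bar", "acct": "root"},   # 3s after alice's login
    {"_time": 120, "source": "bar", "acct": "root"},   # 20s after alice's login
    {"_time": 130, "sourcetype": "baz", "username": "bob"},
    {"_time": 125, "source": "bar", "acct": "root"},   # arrives out of order; sorts before bob
    {"_time": 135, "source": "bar", "acct": "root"},   # 5s after bob's login
]


def correlate(events: list[dict], window: Optional[int] = None) -> list[dict]:
    """Mirror the SPL pipeline:
      sort 0 _time                    -> sorted(..., key=_time)
      streamstats last(realacct)      -> carry forward the most recent baz username
      where sourcetype!="baz"         -> drop the baz events from the output
      eval realacct=if(_time-baztime>window, null(), realacct)
                                      -> clear the name if the login is stale
    Returns only the bar events, each with a realacct field (None when no
    usable baz login precedes it)."""
    out = []
    last_user: Optional[str] = None     # streamstats last(realacct)
    last_baz_time: Optional[int] = None  # streamstats last(baztime)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("sourcetype") == "baz":
            # A baz login updates the carried-forward state and is not emitted.
            last_user = ev["username"]
            last_baz_time = ev["_time"]
            continue
        realacct = last_user
        if window is not None:
            # No prior login, or the login is older than the window: null it out.
            if last_baz_time is None or ev["_time"] - last_baz_time > window:
                realacct = None
        out.append({**ev, "realacct": realacct})
    return out


if __name__ == "__main__":
    for ev in correlate(EVENTS, window=10):
        print(ev["_time"], ev["acct"], "->", ev["realacct"])
```

The out-of-order bar event at 125 is attributed to alice, not bob, because sorting happens before the carry-forward, exactly as `sort 0 _time` does in the SPL; if your events can arrive with clock skew between the two sources, that ordering step is where the attribution can go wrong.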