Hi Mikael! If the question is somehow still relevant I’ll make a suggestion and hope it can (or at least could :) ) help.
It seems it was better to search by both eventtypes at once; events would be sorted by _time automatically at search time, and with the assumption that there can be just one src during a transaction for a user, the transaction command could be used, excluding src that exists in just one eventtype; then a transaction id field can be created to distinguish transactions from one user, let it be just a simple counter. The search can look like this:
eventtype=juniper_sa_authentication OR eventtype=xenapp:65:session
| transaction user mvlist=t startswith="eventtype=juniper_sa_authentication_success" endswith="eventtype=juniper_sa_authentication_logout" keepevicted=t
| eval TransactionId=1
| accum TransactionId
| eval State = if(closed_txn == 1, "Disconnected", "Connected")
| eval elapsed_secs = case(State == "Connected" AND duration != 0, now()-starttime, State == "Connected" AND duration == 0, now()-_time, State == "Disconnected" AND duration != 0, duration)
| eval ExternalIP = src
| stats latest(realm), latest(State), latest(elapsed_secs), list(BrowserName), list(ConnectTime), list(LogOnTime), list(SessionId), list(ServerName) BY user TransactionId
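To check what the transaction/accum/stats pipeline above actually produces per user, here is an added plain-Python model of the same correlation (example code, not part of the original post and not Splunk's implementation). It reproduces the behaviour the search relies on: events sorted by _time, a transaction opened on juniper_sa_authentication_success and closed on juniper_sa_authentication_logout, unfinished transactions kept (keepevicted=t), a per-user counter as TransactionId, and the State/elapsed_secs/ExternalIP evals. The field names (user, src, realm, BrowserName, ConnectTime, LogOnTime, SessionId, ServerName) are assumed from the post; the events and the `now` value are constructed for the example.

```python
"""Plain-Python model of the SPL transaction search in the post (added example)."""
from collections import defaultdict

START = "juniper_sa_authentication_success"   # startswith= in the transaction command
END = "juniper_sa_authentication_logout"      # endswith= in the transaction command
LIST_FIELDS = ("BrowserName", "ConnectTime", "LogOnTime", "SessionId", "ServerName")

# Constructed sample events, deliberately out of time order (Splunk sorts by _time itself).
SAMPLE_EVENTS = [
    {"_time": 1000, "user": "alice", "eventtype": START, "src": "203.0.113.10", "realm": "Users"},
    {"_time": 1010, "user": "alice", "eventtype": "xenapp:65:session", "BrowserName": "Receiver",
     "ConnectTime": "10:00", "LogOnTime": "10:01", "SessionId": "s1", "ServerName": "xa01"},
    {"_time": 1500, "user": "alice", "eventtype": END, "src": "203.0.113.10", "realm": "Users"},
    {"_time": 2000, "user": "alice", "eventtype": START, "src": "203.0.113.10", "realm": "Users"},
    {"_time": 2020, "user": "alice", "eventtype": "xenapp:65:session", "SessionId": "s2", "ServerName": "xa02"},
    {"_time": 1200, "user": "bob", "eventtype": "xenapp:65:session", "SessionId": "s9", "ServerName": "xa01"},
    {"_time": 900, "user": "bob", "eventtype": START, "src": "198.51.100.7", "realm": "Admins"},
]


def _new_txn(user, txn_id):
    txn = {"user": user, "TransactionId": txn_id, "starttime": None, "endtime": None,
           "closed_txn": 0, "realm": None, "src": None}
    for field in LIST_FIELDS:
        txn[field] = []
    return txn


def _add(txn, ev):
    """Fold one event into the open transaction (mvlist=t keeps every value)."""
    t = ev["_time"]
    txn["starttime"] = t if txn["starttime"] is None else min(txn["starttime"], t)
    txn["endtime"] = t if txn["endtime"] is None else max(txn["endtime"], t)
    # latest(): events arrive time-sorted, so the last non-null value wins
    for field in ("realm", "src"):
        if ev.get(field) is not None:
            txn[field] = ev[field]
    # list(): every value in time order
    for field in LIST_FIELDS:
        if ev.get(field) is not None:
            txn[field].append(ev[field])


def _finish(txn, now):
    """Apply the post's eval/stats logic to a completed or evicted transaction."""
    duration = txn["endtime"] - txn["starttime"]
    state = "Disconnected" if txn["closed_txn"] == 1 else "Connected"
    if state == "Connected":
        # both Connected branches of the case() reduce to now() minus the first event's time
        elapsed = now - txn["starttime"]
    elif duration != 0:
        elapsed = duration
    else:
        elapsed = None  # case() with no matching clause yields null
    row = {"user": txn["user"], "TransactionId": txn["TransactionId"], "realm": txn["realm"],
           "State": state, "elapsed_secs": elapsed, "ExternalIP": txn["src"]}
    for field in LIST_FIELDS:
        row[field] = txn[field]
    return row


def correlate(events, now):
    """Group events per user into login->logout transactions, one row per (user, TransactionId)."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        per_user[ev["user"]].append(ev)

    rows = []
    for user, evs in sorted(per_user.items()):
        txn_id = 0
        current = None
        for ev in evs:
            if ev["eventtype"] == START or current is None:
                if current is not None:
                    rows.append(_finish(current, now))  # keepevicted=t: emit the unfinished one
                txn_id += 1                              # accum TransactionId
                current = _new_txn(user, txn_id)
            _add(current, ev)
            if ev["eventtype"] == END:
                current["closed_txn"] = 1
                rows.append(_finish(current, now))
                current = None
        if current is not None:
            rows.append(_finish(current, now))           # still-open session at search time
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS, now=3000):
        print(row)
```

With the constructed events, alice gets two transactions (one closed by a logout, one still open) and bob one open transaction that has a XenApp session but no logout yet; the open ones report State Connected with elapsed_secs measured from the login time, which is what makes the post's search usable for spotting sessions that never logged out.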