Thanks for help Rich. First event shows userid, time session started, and srcip. Second event shows the same, except time session ended and session duration (4911 seconds). I want to generate a table of userid, srcip, time session started, time session ended, and duration. Here are the two searches that kind of get me what I'm looking for:
index=juniper-mag host=abc.defg.net _raw="Login succeeded" | eval fields=split(_raw, " ") | eval user=mvindex(fields,14) | eval srcip=mvindex(fields, 13) | table _time user srcip
index=juniper-mag host=abc.defg.net _raw="Closed connection" | eval fields=split(_raw, " ") | eval duration=mvindex(fields,23) | table _time user duration
... View more