Hi @Symon ,
don't use join because it's a very slow search, use stats in this way:
index=fortigate sourcetype IN (fgt_event, fgt_traffic )
| eval src=coalesce(src,assignip)
| stats
values(srcport) AS srcport
values(dest) AS dest
values(destport) AS destport
BY user src
If you want only the events present in both the sourcetypes, you have to add an additional condition:
index=fortigate sourcetype IN (fgt_event, fgt_traffic )
| eval src=coalesce(src,assignip)
| stats
values(srcport) AS srcport
values(dest) AS dest
values(destport) AS destport
dc(sourcetype) AS sourcetype_count
BY user src
| where sourcetype_count=2
| fields - sourcetype_count
Ciao.
Giuseppe
