again do you really need the join command for this? you can still get this by sort, streamstats and eval functions to check the previous values....do not use a join unless absolutely necessary... @somesoni2 will agree. Now, I have not really tried this but if you don't get a solution I will try this out without joins, looks very much possible

Here the problem is I have the filter criteria as Organization OrgCode. If I give an Organization/OrgCode as input I should get the number of Security Breach events for the Organization/OrgCode. In that case will your method works? Please suggest

I believe you can achieve this without join. Extending solution from @Sukisen1981, you could do like this

your base search which includes events from both EventTypes
| sort 0 -User, _time
| streamstats current=f window=1 values(EventType) as prevEventType values(Organization) as prevOrg values(OrgCode) as prevOrgCode by User
| where EventType="Security Breach"
| rename prevOrg as Organization prevOrgCode as OrgCode
| table _time User EventType Organization OrgCode

Will this give accurate value. Because if the user is having more than one Security Breach Events after a login, keeping window=1 will not work. If I am not keeping window=1 argument, I am getting Organization and OrgCode mapped to all event. But I want to make sure it is mapping to the right events.

In case there are multiple security breach events, you want to list them all? OR just keep earliest/latest?

I need to list them all and map the Organization and OrgCode to it from the corresponding Login Event

Lets try this alternative

 your base search which includes events from both EventTypes
 | table _time User EventType Organization OrgCode
 | sort 0 -User, _time
 | eval prevUser=if(EventType="Login",User,null()
| filldown prevUser Organization OrgCode
 | where EventType="Security Breach" AND User=prevUser

Thank You. Very much appreciated. You made my work much easier. I have been testing it from yesterday. I have a small problem now. In the above scenario, some of my login events does not have Organization and OrgCode in it. I need to fill those fields with some static value and then map it to the SecBreach event. Can you help me?

Try this

your base search which includes events from both EventTypes
  | table _time User EventType Organization OrgCode
  | eval Organization=coalesce(Organization,"YourStaticValue")
  | eval OrgCode=coalesce(OrgCode,"YourStaticValue")
  | sort 0 -User, _time
  | eval prevUser=if(EventType="Login",User,null()
 | filldown prevUser Organization OrgCode
  | where EventType="Security Breach" AND User=prevUser

The coalesce is filling out my SecurityBreach events also with the Static Value.

I missed taking that into consideration. Try this

your base search which includes events from both EventTypes
   | table _time User EventType Organization OrgCode
   | eval Organization=if(EventType="Login" AND isnull(Organization),"YourStaticValue", Organization)
   | eval OrgCode=if(EventType="Login" AND isnull(OrgCode),"YourStaticValue", OrgCode)
   | sort 0 -User, _time
   | eval prevUser=if(EventType="Login",User,null())
  | filldown prevUser Organization OrgCode
  | where EventType="Security Breach" AND User=prevUser

Thank You so much. We were testing this for a week. Now we found another issue. If an user logins as 8:00 AM does some security breach events between 8:05 AM to 8:15 AM and when apply a time filter from 8:01 AM to 8:15 AM we will are not getting the correct data.

Or in other ways. If I want to search login alone 1 Hrs earlier than the time i selected for security breach events, how can i do it.

Above query should work for that case as well, just keep the timerange larger to include all required time ranges. E.g. If you're running this a report every hour, try to run with time range last 2 hours. You may have to add following to last where clause to avoid same breach reported twice, for same example.

.... | where EventType="Security Breach" AND User=prevUser AND _time>=relative_time(now(),"-1h")

Ok.. let me explain it much better way. I have few fields missing in Security Breach Event which is available in the login event. I need to join those fields to the Security event. Organization and OrgCode are the fields. Organization will be unique for an user but OrgCode may change .

Here is my Security Breach Event

_time User EventType
10:55 AM User1 Security Breach
10:53 AM User2 Security Breach
10:50 AM User1 Security Breach
10:48 AM User1 Security Breach

Here is my Login Event
_time User EventType Organization OrgCode
10:57 AM User1 Login CIA 12345
10:55 AM User2 Login HIS 765555
10:54 AM User1 Login CIA 53211
10:52 AM User2 Login HIS 12233
10:49 AM User1 Login CIA 765555
10:47 AM User1 Login CIA 234555

My output after joining should be
_time User EventType Organization OrgCode
10:55 AM User1 Security Breach CIA 53211
10:53 AM User2 Security Breach HIS 12233
10:50 AM User1 Security Breach CIA 765555
10:48 AM User1 Security Breach CIA 234555

Hope this clarifies.

I am guessing you want to find the time difference between login and security breach.
Do you really need a join for this?
What if I do this instead?
| sort - User, - _time , - EventType
that should give me for User1
_time User EventType
10:48 AM User1 SecBrch
10:49 AM User 1 Login
10:50 AM User1 SecBrch
10:54 AM User1 Login
10:55 AM User1 SecBrch

10:57 AM User1 Login

Now use streamstats to get the previous _time value , eval to check if current eventtype is secbrch if yes then subtract current _time-prev _time..This is better than using a join if that is what you want...

Ok.. let me explain it much better way. I have few fields missing in Security Breach Event which is available in the login event. I need to join those fields to the Security event. Organization and OrgCode are the fields. Organization will be unique for an user but OrgCode may change .

Here is my Security Breach Event

_time User EventType
10:55 AM User1 Security Breach
10:53 AM User2 Security Breach
10:50 AM User1 Security Breach
10:48 AM User1 Security Breach

Here is my Login Event
_time User EventType Organization OrgCode
10:57 AM User1 Login CIA 12345
10:55 AM User2 Login HIS 765555
10:54 AM User1 Login CIA 53211
10:52 AM User2 Login HIS 12233
10:49 AM User1 Login CIA 765555
10:47 AM User1 Login CIA 234555

My output after joining should be
_time User EventType Organization OrgCode
10:55 AM User1 Security Breach CIA 53211
10:53 AM User2 Security Breach HIS 12233
10:50 AM User1 Security Breach CIA 765555
10:48 AM User1 Security Breach CIA 234555

Hope this clarifies.