Eww. True time windowing is hard. Bucketing is easier, but loses potential matches across a minute boundary. And, if your logs are dense and full of overlapping events, this is hopeless.
Try something like this:
yoursearch | eval post_login=if(match(page_referer,"blah.com/sign_in"),user_id,null())
| eval pre_login=if(match(page_referer,"blah.com/before_sign_in"),user_id,null())
| stats values(pre_login) AS pre_login, values(post_login) AS post_login by _time
That makes a ton of assumptions about your data, but if your events are sparse it might be good enough.
Another approach, closer to what you are thinking, is to use localize & map. If you have lots of data, this won't scale. If you have lots of overlapping logins, this won't work.
This is a rough example of what to try, I don't use this command, so my syntax may be sketchy.
page_referer="blah.com/sign_in" | localize timebefore=90s timeafter=0
| map search="search page_referer=* starttimeu=$starttime$ endtimeu=$endtime$ | eval post_login=if(match(page_referer,\"blah.com/sign_in\"),user_id,null()) | eval pre_login=if(match(page_referer,\"blah.com/before_sign_in\"),user_id,null()) | stats values(pre_login) AS pre_login, values(post_login) AS post_login"
That is a pretty ghetto example. Expect to do some debugging. I just hope it gives you some ideas.
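As an added illustration, not part of the answer above and written in Python rather than SPL, this is what the "true time windowing" the answer describes looks like when implemented directly, placed next to the minute-bucketing shortcut so the two failure modes it mentions (matches lost across a bucket boundary, overlapping logins becoming ambiguous) are visible on concrete data. The page names blah.com/sign_in and blah.com/before_sign_in, the fields page_referer and user_id, and the 90 s window are taken from the post; the timestamps and user names are constructed for the example.

```python
"""Correlate pre-login page hits (no user_id) with the sign_in that follows.

Added example, not code from the original post. Events, times and user
names below are constructed; field and page names follow the post.
"""
from bisect import bisect_left, bisect_right
from collections import defaultdict

PRE_LOGIN = "blah.com/before_sign_in"
POST_LOGIN = "blah.com/sign_in"

# A multiple of 60, so minute buckets in the sample start exactly here.
BASE = 1_699_999_980

# Constructed sample events (epoch seconds). user_id is None before login.
SAMPLE_EVENTS = [
    # Same minute bucket, 35 s apart: both approaches pair these.
    {"_time": BASE + 20, "page_referer": PRE_LOGIN, "user_id": None},
    {"_time": BASE + 55, "page_referer": POST_LOGIN, "user_id": "alice"},
    # 30 s apart but straddling a minute boundary: bucketing loses this pair.
    {"_time": BASE + 100, "page_referer": PRE_LOGIN, "user_id": None},
    {"_time": BASE + 130, "page_referer": POST_LOGIN, "user_id": "bob"},
    # Overlapping logins: two sign_ins inside the 90 s window of one hit.
    {"_time": BASE + 300, "page_referer": PRE_LOGIN, "user_id": None},
    {"_time": BASE + 320, "page_referer": POST_LOGIN, "user_id": "carol"},
    {"_time": BASE + 350, "page_referer": POST_LOGIN, "user_id": "dave"},
    # No sign_in within 90 s: stays unmatched.
    {"_time": BASE + 500, "page_referer": PRE_LOGIN, "user_id": None},
]


def correlate_window(events, window_s=90):
    """True time windowing: attribute each pre-login hit to the single
    sign_in that follows it within window_s seconds.

    Returns (matches, ambiguous, unmatched):
      matches   -> {pre_login_time: user_id}
      ambiguous -> [pre_login_time] where more than one sign_in fell in the window
      unmatched -> [pre_login_time] where no sign_in fell in the window
    """
    logins = sorted(
        (e["_time"], e["user_id"])
        for e in events
        if e["page_referer"] == POST_LOGIN and e["user_id"] is not None
    )
    login_times = [t for t, _ in logins]
    matches, ambiguous, unmatched = {}, [], []
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["page_referer"] != PRE_LOGIN:
            continue
        t = e["_time"]
        # Sign-ins with t <= login_time <= t + window_s, via binary search.
        lo = bisect_left(login_times, t)
        hi = bisect_right(login_times, t + window_s)
        candidates = logins[lo:hi]
        if not candidates:
            unmatched.append(t)
        elif len(candidates) > 1:
            ambiguous.append(t)  # cannot tell which login this hit belongs to
        else:
            matches[t] = candidates[0][1]
    return matches, ambiguous, unmatched


def correlate_bucket(events, bucket_s=60):
    """The bucketing shortcut: round _time down to a bucket and only join
    pre-login and sign_in events that land in the same bucket. Pairs that
    straddle a boundary are lost, and several logins in one bucket collapse
    into one multi-value set (like values(post_login) in the SPL above).

    Returns {bucket_start: sorted user_ids} for buckets holding both sides.
    """
    buckets = defaultdict(lambda: {"pre_login": 0, "post_login": set()})
    for e in events:
        b = e["_time"] - e["_time"] % bucket_s
        if e["page_referer"] == PRE_LOGIN:
            buckets[b]["pre_login"] += 1
        elif e["page_referer"] == POST_LOGIN and e["user_id"] is not None:
            buckets[b]["post_login"].add(e["user_id"])
    return {
        b: sorted(v["post_login"])
        for b, v in buckets.items()
        if v["pre_login"] and v["post_login"]
    }


if __name__ == "__main__":
    matches, ambiguous, unmatched = correlate_window(SAMPLE_EVENTS)
    print("window  matches  :", {t - BASE: u for t, u in matches.items()})
    print("window  ambiguous:", [t - BASE for t in ambiguous])
    print("window  unmatched:", [t - BASE for t in unmatched])
    print("bucket  matches  :", {b - BASE: u for b, u in correlate_bucket(SAMPLE_EVENTS).items()})
```

Run it and compare the two outputs: the windowed version pairs bob's pre-login hit at +100 with his sign_in at +130, which the minute buckets drop because the two fall into the +60 and +120 buckets, while the hit at +300 is flagged ambiguous instead of silently being attributed to both carol and dave. The SPL in the post lives in the bucketing column, which is why the answer warns about boundary losses and overlapping logins.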