Example of normalization for multiple data sources

Example from the Sumo Training!

(_sourceCategory=O365SharePoint or _sourcecategory=F5-VPN or _sourcecategory=Zscaler or _sourcecategory=ActiveDirectory ) ("bob" or "9b38968f" or "267ff6b3" or "c4b9c671") 
| parse regex "\]: \d+:\d+:\s+.*?:(?.*?)from client IP" nodrop 
| parse "Access policy result: *" as action nodrop 
| parse "Following rule 'Full or Mobile Browser' from item 'Client Post-Check' to ending '*'" as action nodrop 
| parse "Session statistics - bytes in: *, bytes out: *" as bytes_in,action nodrop 
| parse "Username '*'" as userid nodrop 
| parse ": Session * due to user inactivity or errors." as action nodrop 
| parse ": Following rule 'fallback' from item 'SSO Credential Mapping' to terminalout '*'" as action nodrop 
| parse "Received client info - Type: * Version: * Platform: * CPU: * UI Mode: *" as Ctype,client_version,CPlatform,client_CPU,Client_UI nodrop 
| parse "InsertionStrings = {\"*\"," as userid nodrop 
| parse "Type = \"*\";" as action nodrop 
| parse "Logon Account:\t*\nSource Workstation:\t*\nError Code:\t*\";" as userid,system,errorcode nodrop 
| parse "TimeWritten = \"*." as time nodrop 
| parse "\"CreationTime\":\"*\"," as time nodrop 
| parse "Operation\":\"*\"," as action nodrop 
| parse "\"UserId\":\"*\"," as userid nodrop 
| parse "srcBytes=*\tdstBytes=*\t" as srcbytes,dstbytes nodrop 
| parse "usrName=*\t" as userid nodrop 
| parse "hostname=*\t" as action nodrop 
| extract "\]: \d+:\d+:\s+(?.*?):" 
| if (session_id matches "*","Bob","") as userid 
| where !(isBlank(action)) 
| where !(action matches "Audit Failure" or action matches "FileAccessed" or action matches "FileModified" or action matches "FileSync*" or action matches "FileUpload" or action matches "FileDeleted") 
| count by _messagetime, time, _sourcecategory, userid, action 
| sort by _messagetime asc