Thank you, Adonio, for your quick response. You are absolutely correct: from a single index it is not possible, so I have checked both _internal and _audit and prepared the query below. Somehow this is not working; any help here, please?
index=_audit sourcetype=audittrail user=admin action=log* |dedup action, user|append [|search index=_internal sourcetype=splunk_web_service user=admin action=log* | stats count by user action status] |transaction user startswith=eval(action="login attempt") endswith=eval(action="logout") | table user action status info duration
I can help you with the query, but I suspect it won't be useful, as Splunk captures a "logout" event only when you click logout. If you close your tab or let the session time out, I suspect Splunk will not record it.
Another reason it will be tough to sum up the duration of a session is that you don't have a unique session / transaction ID to group by. So for every user that logs in more than one time, it gets pretty challenging.
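
The two limits described in the reply above (no logout event when a tab is closed or a session times out, and no session ID to group by), shown as an added example that is not part of the thread: it pairs each login with the same user's next logout and reports sessions with no recorded logout as unknown instead of guessing a duration. The event tuples are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample events (time, user, action); not real Splunk output.
EVENTS = [
    ("2024-01-01 09:00:00", "admin", "login attempt"),
    ("2024-01-01 09:30:00", "admin", "logout"),
    ("2024-01-01 10:00:00", "admin", "login attempt"),  # tab closed, no logout
    ("2024-01-01 13:00:00", "admin", "login attempt"),
    ("2024-01-01 13:45:00", "admin", "logout"),
    ("2024-01-01 11:00:00", "alice", "login attempt"),  # session timed out
]

def pair_sessions(events):
    """Pair each login with the next logout by the same user.

    With no session id, a second login before any logout means the earlier
    session's end is unknown; it is reported with duration None.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    open_login = {}  # user -> time of the most recent unmatched login
    sessions = []
    for ts, user, action in sorted(events):
        when = datetime.strptime(ts, fmt)
        if action == "login attempt":
            if user in open_login:
                sessions.append((user, open_login[user], None))
            open_login[user] = when
        elif action == "logout" and user in open_login:
            start = open_login.pop(user)
            sessions.append((user, start, (when - start).total_seconds()))
    # Logins still unmatched at the end never produced a logout event.
    for user, start in open_login.items():
        sessions.append((user, start, None))
    return sessions

def summarize(sessions):
    """Per user: total seconds of closed sessions, count of open-ended ones."""
    out = {}
    for user, _start, dur in sessions:
        total, unknown = out.get(user, (0.0, 0))
        out[user] = (total + dur, unknown) if dur is not None else (total, unknown + 1)
    return out

if __name__ == "__main__":
    for user, (total, unknown) in summarize(pair_sessions(EVENTS)).items():
        print(f"{user}: {total:.0f}s measured, {unknown} session(s) with no logout")
```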