Take the time you connect away from the time you disconnect and that gives you how long you were connected. Do this for all the sessions to get the durations. Add these together and divide by the number of sessions. This gives you the average duration.

where i can find it??, i'm new in splunk so i don't know everything

Please share some of the events you have already in Splunk

index=_audit sourcetype=audittrail (action="login attempt" OR action="logout")
| stats values(_time) as action_time by user, action
| eventstats range(action_time) as range by user
| eventstats min(action_time) as min_time max(action_time) as max_time by user, range
| where action="login attempt" OR action="logout"
| stats values(action_time) as action_time by user
| eval login_time=mvindex(action_time, 0), logout_time=mvindex(action_time, -1)
| eval session_duration=logout_time - login_time
| eval session_duration_str=strftime(session_duration, "%H:%M:%S")
| table user session_duration_str

from this search I would need to know the duration of the individual days

I am not sure what you are trying to do with that search but I suspect it is not giving you the results you are after?

Supposed you have events which have a time field (_time), an action field ("login attempt" or "logout") and a user field

| sort 0 _time
| streamstats global=f last(action) as previous_action last(_time) as previous_time current=f by user
| where action="logout" and previous_action="login attempt"
| eval duration=_time-previous_time
| bin _time span=1d
| stats avg(duration) as average_duration by _time user

I thought of something like this :

index="_internal" | stats avg(_time) as avg_time by user | eval avg_day = strftime(avg_time, "%Y-%m-%d")

_time is the timestamp of the event. Taking an average of a timestamp will just give you a timestamp of a point in time between the first logon and the last log out.