Thank you. Unfortunately the search keeps timing out. I'm not finding anything at 30 min, trying up to 4 hrs, but the customer needs it to look over the space of 30 days.

Actually, I got it. Had to tweak a few things. Thank you for the help!

The argument 'earliest_time(eval(if(EventCode==4624,_time,NULL)))' is invalid.

thats's right.
| stats earliest(eval(if(EventCode==4624,_time,NULL))) as user_login_time, latest(eval(if(EventCode==4634,_time,NULL))) as user_logout_time, earliest(VPN_login) as VPN_start, latestVPN_logout) as VPN_end by user, src_ip

if this helped accept the answer please or comment if you have any questions.

It has helped, but i'm not sure if it will do exactly what I need to. I'm having some troubles getting the user login and logout to work in the search.

Is there an event that is getting generated, when a user does login and logout?

There is, if you look at the 2nd comment, i'm using events generated from logons and logoffs

index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634)

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login 
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

Try this and see.

Did you try the other query in the comment section?

I did. with some modification it gives me the duration and users etc but it doesn't give me the 80% part

Are you getting the percentage?

I'm not getting any percentage off of the other query

Still working on this, the last one you posted gives results and logon logoff duration etc. Trying to combine the one above with the previous one and I keep running into errors so can we combine the one above with

index=* sourcetype="cisco:asa" (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end") src_ip=* user=*
| eval user_login = if(EventCode=4624,1,0)
| eval user_logout = if(EventCode=4634,1,0)
| stats earliest_time(user_login) as user_login_time, latest_time(user_logout) as user_logout_time, earliest_time(VPN_login) as VPN_start, latest_time(VPN_logout) as VPN_end by user, src_ip
| eval User_On_VPN_minutes = (VPN_end-VPN_start)/60
| eval User_On_Network_minutes = (user_logout_time-user_login_time)/60
| eval perc_On_VPN = (User_On_Network_minutes/User_On_VPN_minutes) * 100."%"
| where perc_On_VPN > 80%

I was able to put the first callouts with the one above to narrow it down to the source and index.

But getting the rest of the stats out is erroring out. Especially at this line:

| stats earliest_time(user_login) as user_login_time, latest_time(user_logout) as user_logout_time, earliest_time(VPN_login) as VPN_start, latest_time(VPN_logout) as VPN_end by user, src_ip

I'm thinking if this stats line worked, the rest would fall into place.

The error i'm getting is:

Error in 'stats' command: The argument 'earliest_time(user_login)' is invalid.

earliest_time() should work with stats. I use it all the time, I am not sure why it's giving you an error.

| transaction command will take more resources, try to avoid it. It will work well with small data as the data gets big it'll slow down.