I have a requirement to see which users have logged into multiple servers before logging out of the previous server.  

I currently have this Search Set up: 

index="fed-prod"   L_Action="New session"
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
|where host_count > 1

  This search finds all the users who have logged  to multiple servers but does tell me if they have logged out of the other server first or allow me to narrow the time down to within a certain window.  I currently do not have a active feed into splunk and upload data manually do to licensing restrictions  

The report would need to be ran weekly. I would like to do this one of two ways. First option would be add in a time premaster to the current above search that checks the time stamp of the log for it to be within a 15 minute window if the user logged into two. If the time stamps of the two logs are within 15 minutes it out puts a finding of the User and servers it logged into. 

The second option would be to to do some sort of sub search. that would check to see which users logged in to what servers. then check to see if they logged out before logging into another one.