Take a look at the transaction command. You select one or more fields to key on and your search merges the matching events into a single transaction and auto-calculates duration. There are a handful of optional arguments for tuning as well to do stuff like limit or capture gaps in events.
@bluemarvel, community members will be able to assist you with your query if you provide more details of what your VPN data looks like when a user logs in or logs out (this should include a timestamp, a unique ID for the logged-in user and a field indicating Login and Logout).
Below is the query:
index=enterprise sourcetype="callzone:vpn" source="/var/log/vpn.log" "virtual IP" | streamstats current=f global=f window=1 last(_time) as lastts | eval timesincelast = _time - lastts | fieldformat timesincelast = tostring(timesincelast, "duration")
I would like to gauge the duration of how long the user-VPN IP was online. This query is not working to the extent I would like.
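The transaction approach suggested in the first reply, applied to the base search from the question, as an added example that is not part of the original thread. The log format is not shown here, so the field names `user`, `virtual_ip` and `action` and the values `login` and `logout` are assumptions to be replaced with the fields actually extracted from the VPN events.

```spl
index=enterprise sourcetype="callzone:vpn" source="/var/log/vpn.log"
| transaction user virtual_ip startswith=eval(action=="login") endswith=eval(action=="logout") maxspan=24h keepevicted=true
| eval session_length = tostring(duration, "duration")
| eval session_state = if(closed_txn == 1, "closed", "no logout seen")
| table _time user virtual_ip session_length eventcount session_state
| sort - duration
```

`keepevicted=true` retains sessions that have a login but no matching logout inside `maxspan`; these carry `closed_txn=0`, so still-open or unusually long VPN sessions stay visible instead of being dropped.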