Thanks, I currently use this app for other searches, but I wasn't sure if it would be efficient to use in this case since there would be many queries against the db. Perhaps this isn't an issue and this is the best way to handle this situation. Thoughts?

It's a bit hard to say without knowing more about what you want to do. From what you're saying you have millions of users. As such I am guessing that you have hundreds of millions, possibly billions, of events.

If you want to run millions of db lookups then yes it will be slow. I think you would be better off extrapolating the data another way - for instance, if a user can login then they are registered? As I said its hard to say without knowing what your data looks like.

You're correct that it's probably better off to extrapolate the data in a different way, which is what I've ended up doing for now. However, I'm not really satisfied with this solution. Perhaps doing this in Splunk is not the best approach and maybe I should combine this with an ETL process to another database for this type of analysis. Determining registration was just one example, there is a variety of additional business data that I would like to combine as well.

In terms of efficiency if you construct your search in a clever way db look ups should be fine.

For example, say you want search user sessions for your top ten users. You then run a db query lookup against your registration database for those ten users. Ten queries should be trivial.

Have a look at the db connect app: https://splunkbase.splunk.com/app/2686/

I thought joins were to be avoided in Splunk? Also, wouldn't that require a subsearch which has a result limit?
Do you have an example?