1. Your problem is not clearly specified. You might want to find out how many users are logged in at some given point in time, or which ones are logged in (also possibly counting duplicate logins or not).
2. Do you have separate login and logout events?
3. Remember that as you're logging only login and logout events, you won't find sessions which "overlap" your search time range. For example, if your user logged in at 9am and logged out at 12pm, you won't find this session if you only search through 10am-11am, because you have no events regarding this session during that time range. (This problem can be alleviated for specific use cases by using summary indexing.)
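The overlap problem from point 3, as an added Python illustration that is not part of the reply above and is not Splunk code: the event list, field layout and function names are constructed for the example, and a duplicate login is assumed to belong to the session already open.

```python
from datetime import datetime

# Constructed sample events (not from the thread): (time, user, action)
EVENTS = [
    ("2024-01-01 09:00", "alice", "login"),
    ("2024-01-01 10:15", "bob", "login"),
    ("2024-01-01 10:20", "bob", "login"),    # duplicate login, same user
    ("2024-01-01 10:40", "bob", "logout"),
    ("2024-01-01 10:50", "carol", "login"),  # no logout present in the data
    ("2024-01-01 12:00", "alice", "logout"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def users_seen_in_window(events, start, end):
    """Naive search: users with at least one event inside [start, end)."""
    return {user for t, user, _ in events if start <= ts(t) < end}

def build_sessions(events):
    """Pair each login with the same user's next logout.
    Sessions still open at the end of the data get an end time of None."""
    open_since, sessions = {}, []
    for t, user, action in sorted(events, key=lambda e: ts(e[0])):
        if action == "login":
            # Assumption: a duplicate login keeps the first login time.
            open_since.setdefault(user, ts(t))
        elif action == "logout" and user in open_since:
            sessions.append((user, open_since.pop(user), ts(t)))
    sessions += [(user, began, None) for user, began in open_since.items()]
    return sessions

def users_logged_in_during(events, start, end):
    """Users whose session overlaps [start, end), even with no event inside it."""
    return {u for u, began, ended in build_sessions(events)
            if began < end and (ended is None or ended > start)}

def users_logged_in_at(events, when):
    """Users with a session open at the instant `when`."""
    return {u for u, began, ended in build_sessions(events)
            if began <= when and (ended is None or when < ended)}

if __name__ == "__main__":
    start, end = ts("2024-01-01 10:00"), ts("2024-01-01 11:00")
    print("events in window only:", sorted(users_seen_in_window(EVENTS, start, end)))
    print("sessions overlapping :", sorted(users_logged_in_during(EVENTS, start, end)))
```

The session-based result is only correct when the events passed in reach back far enough to include the login of every session still open at the start of the window.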
Hi @purcell12491 ,
could you better describe your requirement: operating systems, fields used, etc.?
Ciao.
Giuseppe
Hi @purcell12491, check if this answers your question: https://community.splunk.com/t5/Splunk-Enterprise/How-to-distinctively-count-concurrent-users-when-e...