The reason you can’t correlate logon and logoff events in Windows is because all too often a logoff event does not exist.

However, even if they did, you would still have issues negotiating the logs to ferret out which “user accounts” and “logon types” you’re interested in.

There are ways to get profile information for users, but you need to be specific in your goals.
Let’s say for a particular day you want to know what the first and last time a user logged into a machine interactively, and the last time they logged out. You could run this search on a 24 hour day:

index=main EventCode=4624 OR EventCode=528 Logon_Type=2 OR Logon_Type=10
|eval Account_Name=mvindex(Account_Name,1) 
|eval Account_Name=coalesce(Account_Name,User_Name)
| search NOT Account_Name="*$" NOT Account_Name="anonymous logon" NOT Account_Name="system" 
| stats earliest(_time) as EarliestLogon latest(_time) as LatestLogon by Account_Name ComputerName 
|convert ctime(EarliestLogon) 
|convert ctime(LatestLogon)
|table EarliestLogon LatestLogon Account_Name ComputerName
| append 
[search index=main  EventCode=4647 OR (EventCode=4634 Logon_Type=10 OR Logon_Type=2) OR (EventCode=538 Logon_Type=10 OR Logon_Type=2) OR EventCode=551  
|eval Account_Name=mvindex(Account_Name,1) 
|eval Account_Name=coalesce(Account_Name,User_Name)
| search NOT Account_Name="*$" NOT Account_Name="anonymous logon" NOT Account_Name="system" 
| stats latest(_time) as LatestLogoff by Account_Name ComputerName 
|convert ctime(LatestLogoff)]
|table EarliestLogon LatestLogon LatestLogoff Account_Name ComputerName 
|sort - Account_Name ComputerName

You will see from the results that logoff times are probably missing – this can happen for any one of a number of reasons.