I want to know if anyone can help me pull the first instance of a VPN Connection for each start and end session. Anyconnect is currently set up to refresh all VPN session every 30 minutes. The problem I have is that it continues to alert me ever time a session is refreshed and I don't need that. Ideally, I would only like to see the first session when an employee logs in and the terminated session. But it needs to do this each time the employee connects. Please see my notes below to assist with. I will place my current search string below that.

_time Group User LANIP IP Message My notes
4/4/2016 10:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need
4/4/2016 10:02 SharePoint_Contractor terrence xxx.xx.xxx.xxx The user has requested to disconnect the connection Need
4/4/2016 9:47 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:44 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:17 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:47 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:44 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need
4/4/2016 8:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx The user has requested to disconnect the connection Need
4/4/2016 8:13 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need

sourcetype="cisco:asa" host="xxx.xx.x.x" source="udp:514" message_id=722012 OR message_id=722051 | stats values(User) as Employee | mvexpand Employee | sort User