It would not be users of the windows, but some high-platform systems that saves the access events in a text file.
Still I appreciate the attention.

Hm, you might be able to modify this section of the query and alter other bits to fit your data:

| bucket span=30m _time | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "New\sLogon:\s*Security\sID:\s+\S*\s+Account\sName:\s+(?<ACCT>\S+)" | stats count by ACCT, _time, host | where count>1 | sort - count

The regex (rex) part will have to change. But a similar query would work. Can you provide a sample of your data? Someone might be able to write the appropriate query for you.

I did a search like this:

index = * sourcetype=logs_accesso | stats count (USER) AS count by USER, TERMINAL, sys1, sys2, _time | where count> = 1 | _time table, USER, TERMINAL, sys1, SYS2

And returned this:

_time USER TERMINAL Sys1 Sys2
12/15/2015 13:56:26 ABDON DOS SANTOS MAIA A1240A06 S6 AA
12/15/2015 17:19:35 ABDON DOS SANTOS MAIA A1240A23 S6 AA
12/15/2015 19:01:10 ABDON DOS SANTOS MAIA A1240A25 J2 AA
12/15/2015 19:57:44 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 19:58:49 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 20:14:22 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 20:14:53 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 17:00:17 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 17:00:17 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:53:38 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:53:38 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:57:25 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:57:57 ABDON DOS SANTOS MAIA B1240A23 H3 AE

But I wanted to collect events in the same User accessed sys1 and / or Sys2 in 3 second intervals in different terminals.

How could this search? Please!
Tks!