You can get close to this with some heuristics and use of the transaction command - specifically through the use of maxpause . The theory is that when a user is active, the result of that activity creates log entries. But, if they stop being active for the application's idle timeout (which you have to know), then they have in effect "logged out by inactivity".
The "logout time" can be loosely defined as "the last event + idle timeout"
So, a search something like:
sourcetype=webseal source=*/request.log
| transaction maxpause=30m userid
| eval logout_time=_time + duration + (30 * 60)
| table userid, logout_time
would at least get you in the neighborhood.
... View more