Get list of concurrent users on a specific server

• First you must define the time span in which you consider "concurrent" this is defined in the "bucket" section below and the example uses a 30 minute range (widen or narrow to fit your needs).
• Secondly this query does NOT define a host, to define a specific host insert "host=yourhostname" at the beginning of the query.

sourcetype="WinEventLog:Security" EventCode=4624 (Logon_Type=10 OR Logon_Type=2) | bucket span=30m _time | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "New\sLogon:\s*Security\sID:\s+\S*\s+Account\sName:\s+(?<ACCT>\S+)"  | stats count by ACCT, _time, host | where count>1 | sort - count