Logstash duration question

I wrote a Logstash filter to count the user online period,
but I got something wrong in my filter. And I don't know how to filter this by different users.
The log format is:
"|2017-09-28-09:49:18|INFO|JupyterHub|User logged in: jupyter|
......
|2017-09-28-09:49:24|INFO|JupyterHub|User logged out: jupyter|"

I wrote the filter like this:

    # parse the two custom-format timestamps into proper date fields
    date {
      match => ["[action_start_time]", "yyyy-MM-dd-HH:mm:ss"]
      target => "[action_start_timed]"
    }
    date {
      match => ["[action_end_time]", "yyyy-MM-dd-HH:mm:ss"]
      target => "[action_end_timed]"
    }
    # subtract the two timestamps; event.get/event.set is the event API
    # that replaced the legacy event['field'] accessor in Logstash 5+
    ruby {
      code => "event.set('action_duration', event.get('action_end_timed') - event.get('action_start_timed'))"
    }

Logstash acts on one event at a time so you will never have one event with both action_start_time and action_end_time. Perhaps the aggregate filter can help in this case.

So, how can I count user login times like this?
|2017-09-28-09:49:18|INFO|JupyterHub|User logged in: user1|
|2017-09-28-09:49:24|INFO|JupyterHub|User logged out: user1|
|2017-09-28-09:49:42|INFO|JupyterHub|User logged in: user2|
|2017-09-28-09:49:55|INFO|JupyterHub|User logged out: user2|

As I said, perhaps the aggregate filter can help in this case.
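To make the aggregate suggestion concrete, here is an added example pipeline filter (not from the original thread or the Elastic project) that pairs each login with the following logout for the same user. It assumes the raw line is in the `message` field, that the log timestamps are UTC, and that the field names `event_time`, `action`, `user` and `session_seconds` are free to use; all of these names are my choices, not anything from the posts above.

```logstash
filter {
  # Split the pipe-delimited line; "action" is "in" or "out", "user" is the account name.
  grok {
    match => { "message" => "^\|%{DATA:event_time}\|%{LOGLEVEL:level}\|%{DATA:app}\|User logged (?<action>in|out): %{USERNAME:user}\|$" }
  }

  # Parse the custom timestamp format into @timestamp (assumption: log times are UTC).
  date {
    match => ["event_time", "yyyy-MM-dd-HH:mm:ss"]
    timezone => "UTC"
  }

  # Login: open a map keyed by the user name and remember when the session started.
  # map_action "create" means a second login without a logout keeps the first start time.
  if [action] == "in" {
    aggregate {
      task_id => "%{user}"
      code => "map['login_time'] = event.get('@timestamp').to_f"
      map_action => "create"
    }
  }

  # Logout: look up the start time stored for the same user, compute the duration,
  # and close the task so the next login for this user starts a fresh map.
  if [action] == "out" {
    aggregate {
      task_id => "%{user}"
      code => "event.set('session_seconds', event.get('@timestamp').to_f - map['login_time'])"
      map_action => "update"   # only runs if a login was seen; a stray logout gets no duration
      end_of_task => true
      timeout => 86400         # forget a session that never logs out after 24 hours
    }
  }
}
```

The aggregate filter keeps its maps in memory inside one filter instance, so the pipeline has to run with a single worker (`pipeline.workers: 1` or `-w 1`) and the events must arrive in time order; otherwise a logout can be processed before its login. With the four sample lines above, the logout event for user1 gets `session_seconds` of 6 and the one for user2 gets 13, and each login event passes through unchanged.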
