I do not know if this is possible or not, but what I am looking to do is create a visualization/dashboard that displays the users currently logged into our Cisco VPN server. The ASA device is already sending data to our ELK stack and I know the event IDs for both a login and logout of the VPN server. I can list people who have logged in to our VPN server in any given time period, but I don't know how to remove them once they have logged out. They do fall out of the list normally once they are outside the time period specified, but I am looking for something more real time.
Since you are looking for the latest login (or logout) event for each subscriber, a relatively easy way to do this is to index all login and logout events in a separate index with the user id as key in addition to where they are currently indexed. This gives easy access to the latest status for every user through the new index as each new event for a user replaces the previous one. This makes it easy to list users currently logged in without any complex aggregation, and it will scale well, and you still have the current index for analysis of patterns or historical data.
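The latest-status index described in the answer above, modelled as an added example that is not part of the original thread: a dict keyed by user id stands in for the second index, where the user id would be the document `_id`. The ASA message IDs 113039 and 113019, the log line layout, and the timestamp guard against out-of-order delivery are assumptions that go beyond what the answer states.

```python
import re
from datetime import datetime

# Assumed ASA message IDs (the thread does not name them): 113039 = AnyConnect
# parent session started, 113019 = session disconnected.
LOGIN_IDS, LOGOUT_IDS = {"113039"}, {"113019"}
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ %ASA-\d-(?P<id>\d{6}): .*?"
                     r"User(?:name)?\s*=?\s*<?(?P<user>[^\s<>,]+)>?")

# Constructed sample lines; bob's logout is delivered before his login.
SAMPLE = [
    "2024-05-01T09:00:00+00:00 asa1 %ASA-6-113039: Group <Staff> User <alice> "
    "IP <203.0.113.10> AnyConnect parent session started.",
    "2024-05-01T10:30:00+00:00 asa1 %ASA-4-113019: Group = Staff, Username = bob, "
    "IP = 203.0.113.20, Session disconnected. Session Type: SSL",
    "2024-05-01T09:05:00+00:00 asa1 %ASA-6-113039: Group <Staff> User <bob> "
    "IP <203.0.113.20> AnyConnect parent session started.",
    "2024-05-01T09:45:00+00:00 asa1 %ASA-4-113019: Group = Staff, Username = alice, "
    "IP = 203.0.113.10, Session disconnected. Session Type: SSL",
    "2024-05-01T10:00:00+00:00 asa1 %ASA-6-113039: Group <Staff> User <carol> "
    "IP <203.0.113.30> AnyConnect parent session started.",
    "2024-05-01T10:01:00+00:00 asa1 %ASA-6-302013: Built outbound TCP connection "
    "1234 for outside:198.51.100.7/443 to inside:10.0.0.5/51000",
]

def parse(line):
    """Return a status document for a VPN login/logout line, else None."""
    m = LINE_RE.match(line)
    if not m or m["id"] not in LOGIN_IDS | LOGOUT_IDS:
        return None
    return {"user": m["user"].lower(), "ts": datetime.fromisoformat(m["ts"]),
            "logged_in": m["id"] in LOGIN_IDS}

def build_status_index(lines):
    """One document per user, keyed by user id; a newer event replaces an older one."""
    index = {}
    for ev in filter(None, map(parse, lines)):
        cur = index.get(ev["user"])
        if cur is None or ev["ts"] >= cur["ts"]:  # ignore late, older events
            index[ev["user"]] = ev
    return index

def currently_logged_in(lines):
    """Users whose most recent event is a login."""
    return sorted(u for u, doc in build_status_index(lines).items() if doc["logged_in"])
```

A user with several concurrent sessions needs a key that also includes the session or assigned IP, which this sketch does not model.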
Cheeky request: can I ask how you are doing this? I have our ASA sending logs but cannot work out how to show the VPN user information.