sourcetype=osx_secure | rex field=_raw "authinternal\sfaile\sto\sauthenticate\suser\s(?<user>\S+)" | stats count by user, host | sort - count
0 comments
[0]
[0]
[0]
[0]
sourcetype=osx_secure | rex field=_raw "authinternal\sauthenticated\suser\s(?<user>\S+)" | stats count by user, host | sort - count
0 comments
[0]
[0]
[0]
[0]