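```Count of events mentioning user "root" per originating host in linux_secure data.```
sourcetype=linux_secure
```Syslog timestamps space-pad a single-digit day ("Jan  5 12:00:00"), so the original \d{2} never matched on days 1-9 and those events got no hostname (dropped from the stats). Allow one or more spaces and a 1-2 digit day.```
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
```Captures the token after "user " anywhere in the message. NOTE(review): in typical linux_secure data this also matches failed/invalid-user messages, so the count includes attempts, not only opened sessions — confirm that is the intended meaning of "activity".```
| rex "\suser\s(?<User>[^\s]+)\s"
| search User="root"
| stats count as "Root Activity Count" by hostname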