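```Root-escalation audit: how many root sessions each caller opened via su or sudo, per host.
Backtick comments need Splunk 9.0+; strip them when running on an older version.```
sourcetype=linux_secure ("su: " OR "sudo: ")
```Keep only pam_unix "session opened for user root ... by <caller>" lines.
Newer Linux-PAM writes "user root(uid=0) by <caller>(uid=N)", so the uid suffix after root is optional.```
| regex _raw="\suser\sroot(\(uid=\d+\))?\sby\s"
```The caller name may contain dots or hyphens (constructed examples: john.doe, svc-backup);
\w+ would truncate them and split one account across several rows.
Stop at whitespace or at the "(uid=N)" suffix. A line of the form "by (uid=N)" with no
name yields no user field and is dropped by stats — surface those separately if needed.```
| rex "\suser\sroot(?:\(uid=\d+\))?\sby\s(?<user>[^\s(]+)"
```host is the indexed Splunk host field (set by the forwarder/input), not re-parsed
from the syslog header; the earlier hostname and Date fields were never used by stats.```
| stats count by user, host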