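```Log4Shell (CVE-2021-44228) JNDI-lookup hunt. The tstats subsearch uses the punct field to narrow the scan to index/sourcetype pairs that carried "${" or "$%" in the last 7 days and expands to an (index=... sourcetype=...) OR-list via format; only the subsearch carries earliest/latest, so the outer search is bounded by the time picker, not by that 7-day window.```
[ | tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-7d latest=now by index, sourcetype | fields - count | format ]
AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "*$%7B*" OR "*%24%7B*") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/"))
```Fixes vs. the original: the stray extra double-quote after "*%24%7B*" (a syntax error) is removed, and "$%7B*" gets the same leading wildcard as its siblings so a mid-event match is not dropped.```
```One urldecode() pass only: a payload URL-encoded twice (e.g. %2524%257B for ${) is not unwrapped here and can be missed.```
| eval decoded_raw = urldecode(_raw)
```Match ${ ... j ... n ... d ... i ... // with optional filler between the four letters. The filler class is written with escaped brackets: the original [A-Za-z:\-\$[]] closed at its first ] so the second ] became a literal outside the class and the filler never matched.```
| regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$\[\]]*?n[A-Za-z:\-\$\[\]]*?d[A-Za-z:\-\$\[\]]*?i[^\s\/]*//.*"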
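```Who became root via su/sudo, from linux_secure. The OR is parenthesised on purpose: SPL AND binds tighter than OR, so the original sourcetype=linux_secure "su: " OR "sudo: " also pulled "sudo: " events from every other sourcetype.```
sourcetype=linux_secure ("su: " OR "sudo: ")
| eval Date=strftime(_time, "%Y/%m/%d")
```Syslog header: month, one-or-two-digit day with variable padding, time, hostname. The original \s\d{2} missed days below 10 (two spaces, one digit). Date and hostname are not used by the stats below, which groups on the host metadata field; keep them for ad-hoc drill-down or drop them.```
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
| regex _raw="\suser\sroot\sby"
```pam_unix logs "session opened for user root by NAME(uid=N)". [^\s(]+ takes the whole account name up to the "(" where \w+ truncated j.doe or svc-backup at the first dot or dash. A missing name (by (uid=0)) yields no user field in either form.```
| rex "\suser\sroot\sby\s(?<user>[^\s(]+)"
| stats count by user, host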