MY SPL

(index=* source="/var/log/authlog" "sudo" AND ("tar -x*f" OR "pkg install" OR "pkg uninstall")) OR (index=* source="/var/log/authlog" "Accepted" "ssh*")

| regex _raw!= ".which."
| regex _raw!= ".man."
| regex _raw!= ".user NOT in sudoers."
| rex field=_raw ".(?<=])\s(?P[[:alnum:]]\S*[[:alnum:]])\s*(?=:).(?<=COMMAND=)(?P.)"
| rex field=_raw ".(?<=for)\s(?P[[:alnum:]]\S*[[:alnum:]])(?=\sfrom).(?<=from)\s(?[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+)(?=\sport)"

| eval "Command/Events" = replace(command,"^(\/usr\/bin\/|\/usr\/sbin\/)","")
| eval Time = case(match(_raw,".sudo.*COMMAND."),strftime(_time, "%Y-%d-%m %H:%M:%S"))
| eval Date=strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-028"

| stats values(Time) as Time list("Command/Events") as "Command/Events" values(ip_address) as ip by Users host index Date "Report ID"
| where Time !=""

Result...

Row 1

b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:50:17, pkg uninstall vsftpd (10.54.32.2,10.54.32.32)
Ip address as multivalue field

Row 2

b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:54:49, pkg uninstall rsyslog (10.54.32.2,10.54.32.32)
Ip address as multivalue field