MY SPL
(index=* source="/var/log/authlog" "sudo" AND ("tar -x*f" OR "pkg install" OR "pkg uninstall")) OR (index=* source="/var/log/authlog" "Accepted" "ssh*")
| regex _raw!= ".which."
| regex _raw!= ".man."
| regex _raw!= ".user NOT in sudoers."
| rex field=_raw ".(?<=])\s(?P[[:alnum:]]\S*[[:alnum:]])\s*(?=:).(?<=COMMAND=)(?P.)"
| rex field=_raw ".(?<=for)\s(?P[[:alnum:]]\S*[[:alnum:]])(?=\sfrom).(?<=from)\s(?[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+)(?=\sport)"
| eval "Command/Events" = replace(command,"^(\/usr\/bin\/|\/usr\/sbin\/)","")
| eval Time = case(match(_raw,".sudo.*COMMAND."),strftime(_time, "%Y-%d-%m %H:%M:%S"))
| eval Date=strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-028"
| stats values(Time) as Time list("Command/Events") as "Command/Events" values(ip_address) as ip by Users host index Date "Report ID"
| where Time !=""
Result...
Row 1
b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:50:17, pkg uninstall vsftpd (10.54.32.2,10.54.32.32)
Ip address as multivalue field
Row 2
b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:54:49, pkg uninstall rsyslog (10.54.32.2,10.54.32.32)
Ip address as multivalue field
...
| eval "Report ID" = "ABLR-028"
| stats values(Time) as Time list("Command/Events") as "CE" list(ip_address) as ip by Users host index Date "Report ID"
| where Time !=""
| rename "Report ID" as Rid
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time CE ip [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| rename Rid as "Report ID" ,CE as "Command/Events"
| fields - counter sessions
...
| eval "Report ID" = "ABLR-028"
| stats values(Time) as Time list("Command/Events") as "CE" list(ip_address) as ip by Users host index Date "Report ID"
| where Time !=""
| rename "Report ID" as Rid
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time CE ip [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| rename Rid as "Report ID" ,CE as "Command/Events"
| fields - counter sessions
Thank you so much 😃 got the results I wanted