X_wan-network` sourcetype=wan_syslog EventType=local6.warning "Login" | rex field=_raw “(?\w+;(?\w+)”
| table _time,host, user, Source, WAN_site_name, EventMessage  | rename host as Node, WAN_site_name as Site_Name, user as User, EventMessage as Message | chart count over User , Source by Site_Name useother=f usenull=f 
| sort - _time