try this:
Example raw log:
type=USER_TTY msg=audit(1573643958.798:1973): pid=2964 uid=0 auid=1000 ses=22 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C206772657020555345525F545459UID="root" AUID="rdevega"
splunk code:
your search here
| eval keystrokes = urldecode(replace(data,"([0-9A-F]{2})","%\1"))
| table data keystrokes
results:
... View more