I ended up using the following queries to get the desired results:
sourcetype=linux_secure user=* ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats latest(eval(if(vendor_action="session opened",_time, null()))) as logon_time by host user
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort -count
| stats list(user) as user, list(logon_time) as logon_time by host
OR
sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| eval logon_time=if(action="success",_time, null())
| stats latest(logon_time) as logon_time by host user
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| stats list(*) as * by host
| sort -logon_time
Both seemed to work.