The following splunk query example will return a list of users who escalated privileges on any host in a given time range. The query will count by day, if you need to count in a shorter or longer time range modify the “Date=strftime” value below.

*NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host”

sourcetype=linux_secure source="/var/log/*" "su: ("  | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "su:\s\Sto\sroot\S\s(?<SU>\S+)"  | stats  count by Date, hostname, SU  | rename  count as "Occurrences"  | rename  SU as "Account with Escalated Privileges" | sort - Date