The following splunk query example will return the total number of hosts the Root account was detected on  in a given time range

*NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host”

sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | rex "\suser[^'](?<User>\S+\w+)" | search User="root" | stats dc(hostname)