This should be pretty simple, but I seem to lack the right terms to find my answer:
We have several source types with a field "user". All I would like to return is a table where users are the rows, sourcetypes are the columns and the values are the number of events a user appears in that source type.
So if it were a CSV, it'd look like
A totals column at the end would be great, but I can live with out it.
@mpuckettsc... Please accept DalJeanis answer as that is the complete answer you were looking for, addtotals will add Total of numeric fields as final column.
| makeresults | eval mydata="Bob,firewall-logs,4 Bob,linux-logs,2 Bob,windows-logs,4 Nancy,firewall-logs,8 Nancy,linux-logs,1 Nancy,windows-logs,3 Eve,linux-logs,4 Eve,windows-logs,2" | makemv mydata | mvexpand mydata | rex field=mydata "(?[^,]+),(?[^,]+),(?.+)" | table user sourcetype thecount | rename COMMENT as "The above just produces test data as if you had done |stats count as thecount by user sourcetype" | chart sum(thecount) as count over user by sourcetype | addtotals