Awesome! but now crops up a new issue: my count of allowed/denied is busted.

 Going to keep messing with it, thank you for the prompt response!

Maybe you need a sum(count) rather than a list(count)?  I'm not sure what the overall goal is so sorry for the piece meal answers. 

No! thank for the responses! I'm making a search panel that we can input a website, from there the search tables the User, Action(allowed/denied), Count(of the action), and credentials entered.

My current revised script is:

<search>
| stats count by user, status, http_method
| eval action=if(match(status,"^(2)([0-9]*)$"),"Allowed","Denied")
| stats   values(action) as Action, sum(count) as "Count" by  user http_method
| eval "Creds Entered"=if(http_method="POST","Yes","No") 
| table user Action Count "Creds Entered"

Which outputs:

What I'm attempting to created is a table where all HTTP Status codes that = 2XX are "Allowed" while all others are "Denied", in the next column I want to have a count of "Allowed" and "Denied"

Excuse my crude example:

<search>
| eval Action=if(match(status,"^(2)([0-9]*)$"),"Allowed","Denied")
| stats count by user, Action, http_method
| eval tmp=if(http_method="POST","Yes","No") 
| stats list(Action) as Action list(count) as Count list(tmp) as "Creds Entered" by user

This is better than before.

Thanks for the input! We got Count to match up with Action but now we've split the Action

It looks as though the split it due to the http_method: