Ah, so they already exist,
if you try this search string, what happens?:
index="wineventlog" sourcetype="wineventlog:security" "eventcode=4624" OR "eventcode=528" | eval host1_count=mvcount(split(host1,"<WHATEVER DELIMITS VALUES>"))-1 | eval host2_count=mvcount(split(host2,"<WHATEVER DELIMITS VALUES>"))-1| eval host3_count=mvcount(split(host3,"<WHATEVER DELIMITS VALUES>"))-1 | eval "Total Successes"=host1_count+host2_count+host3_count | sort +"Total Successes" | table User, "Total Successes", host1_count, host2_count, host3_count | head 5
It's just an idea at the moment
... View more