Thanks for all the help in this. Ultimately, my data did not match your example well - so I made a couple more field extractions and it worked. Originally I created 59 field extractions for each audit policy subcategory. Then Account Lockout would have a value of Success and Failure, and so on and so on 58 more times.
In order to get my report in a manner that I like, I added an extraction for the Audit Policy Name (AuditPolicy_SubCategory in the code below), so that would equal Account Lockout, then I added an extraction for the Audit Policy Value (AuditPolicyValue below), so that would equal Success, Success and Failure, Failure or No Auditing. With these extractions in place, my final search looks like this:
index=idx sourcetype=auditpolicy
| dedup host, AuditPolicy_SubCategory
| table AuditPolicy_SubCategory, AuditPolicyValue
| stats count(eval(AuditPolicyValue="Success")) as Success, count(eval(AuditPolicyValue="Success and Failure")) as "Success and Failure", count(eval(AuditPolicyValue="Failure")) as Failure, count(eval(AuditPolicyValue="No Auditing")) as "No Auditing" by AuditPolicy_SubCategory
Thanks for the help to4kawa. Marking yours as the answer and awarded some points.
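The same pipeline, written out in Python as an added example (this is not the poster's code and not Splunk's own logic). It assumes the events look like lines of `auditpol /get /category:*` output, with the host prepended the way Splunk carries the host field, and it assumes a regex for the two field extractions (AuditPolicy_SubCategory and AuditPolicyValue) that the post mentions but does not show. It then applies the dedup on host plus subcategory and the per-value counts by subcategory from the final search, and adds a small defender check that lists subcategories where any host reports "No Auditing".

```python
import re
from collections import defaultdict

# Constructed sample events in the layout of `auditpol /get /category:*` output:
# a subcategory name, a run of at least two spaces, then the audit setting.
# The host tag stands in for the Splunk host field. These are not real logs.
SAMPLE_EVENTS = [
    ("srv01", "  Account Lockout                         Success and Failure"),
    ("srv01", "  Logon                                   Success"),
    ("srv01", "  Logoff                                  No Auditing"),
    ("srv01", "  Account Lockout                         Success and Failure"),  # repeat, removed by dedup
    ("srv02", "  Account Lockout                         Failure"),
    ("srv02", "  Logon                                   Success and Failure"),
    ("srv02", "  Logoff                                  No Auditing"),
]

# Assumed field-extraction regex; the original post does not show its extraction.
# The non-greedy name group stops at the first run of two or more spaces that is
# followed by one of the four known audit settings.
AUDIT_LINE = re.compile(
    r"^\s*(?P<AuditPolicy_SubCategory>[A-Za-z][A-Za-z /-]*?)\s{2,}"
    r"(?P<AuditPolicyValue>Success and Failure|Success|Failure|No Auditing)\s*$"
)

# The four values the post's stats command counts, in its column order.
VALUES = ("Success", "Success and Failure", "Failure", "No Auditing")


def extract(line):
    """Return the two extracted fields as a dict, or None if the line does not match."""
    m = AUDIT_LINE.match(line)
    return m.groupdict() if m else None


def summarize(events):
    """Equivalent of: dedup host, AuditPolicy_SubCategory | stats count(eval(...)) by subcategory."""
    seen = set()
    counts = defaultdict(lambda: {v: 0 for v in VALUES})
    for host, line in events:
        fields = extract(line)
        if fields is None:
            continue  # unmatched lines yield no fields, just as a failed extraction would
        sub = fields["AuditPolicy_SubCategory"]
        if (host, sub) in seen:
            continue  # dedup: keep the first event per host and subcategory
        seen.add((host, sub))
        counts[sub][fields["AuditPolicyValue"]] += 1
    return dict(counts)


def not_audited(counts):
    """Subcategories where at least one host reports 'No Auditing' (a coverage gap to review)."""
    return sorted(sub for sub, c in counts.items() if c["No Auditing"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(f"{'AuditPolicy_SubCategory':<28}" + "".join(f"{v:>22}" for v in VALUES))
    for sub in sorted(result):
        print(f"{sub:<28}" + "".join(f"{result[sub][v]:>22}" for v in VALUES))
    print("No Auditing on some host:", not_audited(result))
```

Each row of the printed table corresponds to one row of the Splunk stats output, and because the dedup runs before counting, a host that reports the same subcategory twice is counted once, as in the search.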