https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510497#M142876 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223981">@spitchika</a>&nbsp;- thx for the reply. With the help of a fellow Splunker the issue was I need single quotes and not double quotes for field name in the eval commands as such:</P><LI-CODE lang="markup">index="foo" host="bar" Application="app1" | dedup _time | eval time = _time | bin time span=15m | stats count("Activity Name") as Attempts, count(eval(match('Activity Name',"FAILED LOGIN"))) as Failed, count(eval(match('Activity Name',"AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time</LI-CODE><P>&nbsp;</P> Wed, 22 Jul 2020 17:24:40 GMT jwalzerpitt 2020-07-22T17:24:40Z https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510483#M142873 <P>I have a generic search that is looking for logins and there is a field that has two values – “authentication” for a successful login, and “failed login” for a failed login.</P><P>So I modified an existing search that looks for X amount &gt;=3 attempts with success &gt;0 and failed &gt;=3 within 15 mins like so:</P><LI-CODE lang="markup">index="foo" host="bar" Application="app1" | dedup _time | eval time = _time | bin time span=15m | stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time | rename time as _time | search Attempts&gt;=3 AND Success&gt;0 AND Failed&gt;=3 | eval FirstAttempt=strftime(FirstAttempt,"%x %X") | eval LatestAttempt=strftime(LatestAttempt,"%x %X")</LI-CODE><P>&nbsp;</P><P>For some reason it is not liking the count(eval(match as if I shorten the search to the following,&nbsp;I see results for attempts, but nothing for success or failed</P><P>&nbsp;</P><LI-CODE lang="markup">index="foo" host="bar" Application="app1" | dedup _time | eval time = _time | bin time span=15m | stats count("Activity Name") as Attempts, count(eval(match("Activity Name","FAILED LOGIN"))) as Failed, count(eval(match("Activity Name","AUTHENTICATION"))) as Success</LI-CODE><P>&nbsp;</P><P>Any help would be greatly appreciated</P><P>&nbsp;</P><P>Thx</P> Wed, 22 Jul 2020 15:27:59 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510483#M142873 jwalzerpitt 2020-07-22T15:27:59Z https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510485#M142874 <DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><P>Hi,</P><P>I am not able to try this as I am not having logs.</P><P>But did we miss "if" in it??</P><P>Can you try like below?</P><P>count(eval(<STRONG>if</STRONG>((match("Activity Name" == "FAILED LOGIN"</P> Wed, 22 Jul 2020 15:52:01 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510485#M142874 spitchika 2020-07-22T15:52:01Z https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510497#M142876 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223981">@spitchika</a>&nbsp;- thx for the reply. With the help of a fellow Splunker the issue was I need single quotes and not double quotes for field name in the eval commands as such:</P><LI-CODE lang="markup">index="foo" host="bar" Application="app1" | dedup _time | eval time = _time | bin time span=15m | stats count("Activity Name") as Attempts, count(eval(match('Activity Name',"FAILED LOGIN"))) as Failed, count(eval(match('Activity Name',"AUTHENTICATION"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Username time</LI-CODE><P>&nbsp;</P> Wed, 22 Jul 2020 17:24:40 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510497#M142876 jwalzerpitt 2020-07-22T17:24:40Z https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510513#M142881 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/103102">@jwalzerpitt</a>&nbsp; Thank you for mentioning correct answer</P> Wed, 22 Jul 2020 18:54:19 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-eval-match-issue/m-p/510513#M142881 spitchika 2020-07-22T18:54:19Z