A few things to note here:

1. When you configure the alert to trigger "when the result are greater than 0" this means that it will trigger as long as there is at least one result returned from the search. This is NOT looking at your field called "count". In your example, the alert fires and has 6 results, and hence the condition for "when the results are greater than 0" will be triggered.
2. Unfortunately, if you are suppressing based on the workflowname, then you cannot have 3 separate emails triggered the way you want, using only 1 alert. Because as soon as Splunk sees a THE FIRST result for WorkFlow1, then it will only trigger an email for that result, before checking for other values for workflowname. 

You have two options in this situation:

1. Create 3 different alerts. Each one will look for a specific workflowname and trigger an alert for the entire alert result set. 

2. Adjust the search to collect all of the "records" for EACH workflowname into a single "event", and then run your alert the same way you are doing it. You can do this by running a search like the following (ignore the first part, which is just creating some data for me to work with)

| makeresults count=6 | streamstats count | eval workflowname=case(count<=3,"workflow1",count=4,"workflow3",count>=5,"workflow2"), runid=case(count<=3,123,count=4,555,count>=5,678), count_field=case(count=1,3,count=2,8,count=3,2,count=4,10,count=5,12,count=6,4), status=case(count=1,"completed",count=2,"paused",count=3,"completed",count=4,"running",count=5,"running",count=6,"completed")
```IGNORE EVERYTHING ABOVE THIS LINE. THIS IS JUST CREATING SOME SAMPLE DATA TO WORK WITH```

| table workflowname count_field runid status
| eval concat_field="workflow=".workflowname." ::: runid=".runid." ::: count=".count_field." ::: status=".status
| stats values(concat_field) as concat_field by workflowname