I have created a report in Splunk Enterprise and I am trying to convert it into a Splunk ITSI Glass table ad hoc. The report query is:index=wineventlog sourcetype="WinEventLog:Security" host="HOST01" OR host="HOST02" "Message=An attempt was made to access an object" "Keywords=Audit Success" | fieldsummary | search field = Keywords | eval Up = if (count >= 1, "True", "False")| table Up.

Rewriting the query as index=wineventlog sourcetype="WinEventLog:Security" host="HOST01" OR host="HOST02" "Message=An attempt was made to access an object" "Keywords=Audit Success" | timechart count, produces N/A in the Glass table, but produces a timechart when I click on Run Search in the Ad hoc Configurations tab.
Rewriting the query to be similar to the example in the Using Splunk IT Service Intelligence course to be: index=wineventlog sourcetype="WinEventLog:Security" host="HOST01" OR host="HOST02" "Message=An attempt was made to access an object" "Keywords=Audit Success" | chart count by host, Keywords | eval Up = avg((Keywords) * 100) | eval Up = if (Up > 100, 100, Up). I get the error of The avg function is unsupported or undefined.
Changing that to be: ...| eval Up = count(Keywords)/count * 100 ... the error becomes The count function is unsupported or undefined.
I would like to know how can I rewrite the original query to produce a value in the ITSI Glass table.
The version of Splunk we are using is 6.6.2 and the version of Splunk ITSI is 3.0.1. I am a rookie with Splunk and I am not a member of the Splunk Admin team.