I'm running into an issue where I am receiving a flood of emails for an alert.

The alert works as expected when I alert on values greater than one; however, raising the value breaks the alert.

Search:
sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction client_ip maxspan=1000s | search eventcount > 2 | stats values(email), count(eval(email)) as EmailCount by client_ip | where EmailCount > 1

Example email output (attached csv):
>>>> client_ip | values(emails) | EmailCount
123.123.123.123 | a@gmail.com b@gmail.com | 2

When I raise EmailCount > 2, I get about 50 emails in the span of 5 minutes with csvs that look like this:

_time | _raw | client_ip | values(email) | EmailCount | email | index | ...
... | ... | x.x.x.x | [BLANK] | [BLANK] | a@b.com | ... | ...

I get more information (like _raw and _time), but values(email) and EmailCount are left blank. A new email field appears and it only contains one email. Doing a plain realtime search, no stats are reported.

Why is this happening? Why does raising the value by one break the alerting, when keeping the value at 1 produces the expected result?

Notes:
- I am using 1000s temporarily. This will decrease to less than 5s after debugging this search
- I tried using dc() instead of count(), but that also didn't work