Strangely, where doesn't work for me.

If you are using transaction, you will have to use mv functions for field1 & field 2. So try something like this

 your base search | where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)

I get the error below when I try to run where (eventcount>2 AND mvfind(field1, somevaluehere))

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

This is the where segment

| where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)

I've got it to start working but, I'm having a peculiar issue. When I use where ((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours") it's still showing events which are "After Office Hours" AND if user is user1 or user2. From the above where, shouldn't it show "After Office Hours" if user is NOT user1 or user2?

Your first solution doesn't work too.

Do you have a field called eventcount or is that field something you first need Splunk to calculate? The process both folks have provided (where or search) do work. The only difference might be

your base search | <your transforming & field extracting commands> | where blah blah blah

I believe one of my issue for where is that I have a concatenated field called rules. And the field doesn't use null() but instead, uses "" as when I use null(), the fields do not concatenate. So, where I try to use where rules!="", it doesn't work.

When you do a transaction, it becomes eventcount. I have no idea why neither works for me. Does where not work for fields extracted by rex? Also, I get this error when trying to run the suggestion after yours(see below comment.)

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

Strangely, where doesn't work for me.