This is my sample data. I need the total count of "Passed".
These are the headers: Node Name, _time, Anti-Spoofing, Rule Banner, Rule Http Rule Palo alto Username SSH Timeout Ssh Access Tacacs Telnet Rule console port config ntp server, Result
NDL-ALM-GSD-BUS-FW-01 | 2021-06-24 17:27:35 | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed |
USA-DNV-CUS-BUS-FW-02 | 2021-06-24 17:27:35 | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed | Passed |
This is the _raw data, which I filtered like this. I want to know the total count of "Passed".
Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed,
Can you please share sample _raw events and the expected output from that event?
Can you please try this?
YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a) | fields - a
My sample search:
| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed"
| rename comment as "Up to now is sample data only"
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a) | fields - a
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Thank you so much,
it is working.
But what if, in place of Passed, I have some Failed message like:
Critical - Pattern 'disable-http yes' was not found Pattern 'https yes' was not found
Can we count these Error/Failed messages also?
Kindly help me with this also.
Can you please try this?
YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a
My sample search:
| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed, xyz=Failed"
| rename comment as "Up to now is sample data only"
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a
Thanks
KV
It's not going to work out,
because there is no such "Failed" in the _raw.
Let me share the _raw event with you. I have just bolded the failed message.
Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed, Node Name="HUN-BUD-GE-COR-SW-01_stack.ROMA.AD", snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Node Ip Address="10.198.4.1", Don't Username=Passed, Service Password Encryption=Passed, AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found", Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed, Config Title="4/26/2021 01:03 PM - Running", Line Vty 0 4=Passed, Logging Rule=Passed, Banner Rule=Passed, Config Type=Running, Finger Rule=Passed, Http Server=Passed, Name Server=Passed, Pad Service=Passed,
Is that the specific pattern that we can treat as Failed for this?
AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found"
Yes,
the content may change for different events.
"Critical - " is common in all of them; the remaining part changes.
Can you please try this?
YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0
| rex field=_raw "=\"(?<b>Critical\s-) " max_match=0
| eval passed_count=mvcount(a), failed_count=mvcount(b) | fields - a,b
Thanks
KV
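Added example (not part of the thread and not KV's search): the same extraction as the accepted answer, extended so it reports per device rather than only per event, and so that an event with no failures reports 0 instead of an empty field, because mvcount() returns null when the regex never matched. The two events are constructed in the same key=value shape as the posted _raw, reusing the node names and check names from the thread; the "Node Name" field and the leading "Critical - " marker are taken from the posted event, and everything before the rename line is sample data to be replaced by the real search.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n=1, "Dns Rule=Passed, HOSTNAME=Passed, Node Name=\"NDL-ALM-GSD-BUS-FW-01\", Https Rule=Passed, AaaServer-GE=\"Critical - Pattern 'aaa new-model' was not found\", Bootp Server=Passed",
    n=2, "Dns Rule=Passed, HOSTNAME=Passed, Node Name=\"USA-DNV-CUS-BUS-FW-02\", Https Rule=Passed, AaaServer-GE=Passed, Bootp Server=Passed")
| fields - n
| rename comment AS "Up to here is constructed sample data; replace it with YOUR_SEARCH"
| rex field=_raw "Node Name=\"(?<node>[^\"]+)\""
| rex field=_raw "=(?<passed>Passed)\b" max_match=0
| rex field=_raw "(?:^|,)\s*(?<failed_check>[^,=]+)=\"Critical\s-" max_match=0
| eval passed_count=coalesce(mvcount(passed), 0),
       failed_count=coalesce(mvcount(failed_check), 0)
| table node passed_count failed_count failed_check
| addcoltotals passed_count failed_count labelfield=node label=TOTAL
```

The third rex captures the name of the check that failed (the key in front of ="Critical -), not just the marker, so the output shows which control is failing on which device. With the two constructed events the table shows NDL-ALM-GSD-BUS-FW-01 with 4 passed, 1 failed (AaaServer-GE), USA-DNV-CUS-BUS-FW-02 with 5 passed, 0 failed, and a TOTAL row of 9 and 1; without the coalesce() the second device would show an empty failed_count and would be dropped from the total.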
Thank you so much, it is working.
Glad to help you @vinod743374
But you were supposed to accept my last answer 🙂