Where is the error?
(index=paloalto sourcetype="pan:threat" action=allowed severity=critical src_interface="ethernet1/2.110") OR (index=trend sourcetype="deepsecurity-intrusion_prevention") | eval cs23=replace(cs1, "\"", "") | eval match=case("threat:cve" == cs23,"Yes","threat:cve" != cs23,"No") | stats count by match
Nevermind my comment - I'm pretty sure I know what's wrong.
You're using "threat:cvs" which makes that a string, and you want to match two fields..
Try using single quotes instead to have Splunk grab the values of that field instead.
| eval match=case('threat:cve' = cs23,"Yes",'threat:cve' != cs23,"No")
what is the error you are getting?