That's because in the first case, there's an eval() function to evaluate the if() expression, while in the second case there isn't.

eval(if(method="GET", 0, 1)) evaluates to 0 if the method is GET, to 1 otherwise.

eval(ip) evaluates the expression ip, so it returns ip.

as you said "| stats dc(eval(ip)) is the same as | stats dc(ip)"

if(method="GET", 0 ,1) return 0 or 1

then dc(eval(0)) should be same as dc (0)

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method

should be same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method

but not showing 0 results (last one)

as you said "| stats dc(eval(ip)) is the same as | stats dc(ip)"

if(method="GET", 0 ,1) return 0 or 1

then dc(eval(0)) should be same as dc (0)

sourcetype=access_combined* |stats dc(eval(if(method="GET", 0 ,1))) as dc_method

giving 2 as count

should be same as sourcetype=access_combined* |stats dc(if(method="GET", 0 ,1)) as dc_method

0 as count
but showing 0 results (last one)

| stats dc(eval(ip)) is the same as | stats dc(ip).

what does eval(ip) return?

|eval newitem=if(status=404, ip, null)
it returns "ip"
then we can use | stats dc(newItem).

what does eval do after returning an argument (ip). like |stats dc(eval(ip))

meaning of eval(ip) ?