Splunk Search

Why are there missing results using different Search query codes?

bogdan_nicolesc
Communicator

So I have this:

(index=* OR index=_*) (index="GA2014" EventCode=4625)
| dedup RecordNumber
| rename Account_Name AS EventObject.Account_Name  EventCode AS EventObject.EventCode 
| stats dedup_splitvals=t count AS "Count of Event Object"  by "EventObject.Account_Name" 
| sort limit=100000 "EventObject.Account_Name" 
| fields - _span  
| rename "EventObject.Account_Name" AS Account_Name  
| fillnull "Count of Event Object" 
| fields Account_Name, "Count of Event Object"
| search NOT Account_Name="-"

Resulting in this:

+--------------+-----------------------+
| Account_Name | Count of Event Object |
+--------------+-----------------------+
| SQLSERVICE   |                     1 |
+--------------+-----------------------+
| STAFF        |                     1 |
+--------------+-----------------------+
| STUDENT      |                     1 |
+--------------+-----------------------+
| SUPORTE      |                     1 |
+--------------+-----------------------+
| SUPPORT      |                     2 |
+--------------+-----------------------+
| SYMANTEC     |                     1 |
+--------------+-----------------------+

!!!!WITH!!!!

These 3 over here:

+---------------+-----------------------+
| Account_Name  | Count of Event Object |
+---------------+-----------------------+
| АДМИН         |                     8 |
+---------------+-----------------------+
| АДМИНИСТРАТОР |                     8 |
+---------------+-----------------------+
| ПОЛЬЗОВАТЕЛЬ  |                     8 |
+---------------+-----------------------+

!!BUT!!
When I do a search like this:

(index=* OR index=_*) (index="GA2014" EventCode=4625)
| dedup RecordNumber
| rename Account_Name AS EventObject.Account_Name EventCode AS EventObject.EventCode Workstation_Name AS EventObject.Workstation_Name
| bucket _time  span=1s 
| stats dedup_splitvals=t values("EventObject.EventCode") AS "Distinct Values of EventCode"  by _time, "EventObject.Account_Name", "EventObject.Workstation_Name", "EventObject.EventCode" 
| sort limit=10000000 _time 
| rename "EventObject.Account_Name" AS Account_Name "EventObject.EventCode" AS EventCode "EventObject.Workstation_Name" AS Workstation_Name
| fields _time, Account_Name, Workstation_Name, "Distinct Values of EventCode"
| search NOT Account_Name="-"

I get this:

+---------------------+--------------+------------------+------------------------------+
| _time               | Account_Name | Workstation_Name | Distinct Values of EventCode |
+---------------------+--------------+------------------+------------------------------+
| 2020-02-21 01:03:48 | Demo         | workstation      |                         4625 |
+---------------------+--------------+------------------+------------------------------+
| 2020-02-21 01:05:57 | Reception    | workstation      |                         4625 |
+---------------------+--------------+------------------+------------------------------+
| 2020-02-21 01:09:06 | User11       | workstation      |                         4625 |
+---------------------+--------------+------------------+------------------------------+
| 2020-02-21 01:10:34 | Ieuser       | workstation      |                         4625 |
+---------------------+--------------+------------------+------------------------------+

!!Without!!

АДМИН
АДМИНИСТРАТОР
ПОЛЬЗОВАТЕЛЬ

Nowhere to be seen. I don't know right now if it applies only to these 3 or not, but I searched for them with Ctrl+F in the browser and found nothing ....

Honestly, I don't know what name to give this thread/question. Maybe I can get some advice on this too, if I am able to rename my thread/question ....

P.S.: It's 2 in the mornin' over here, so if I have any typos, it must be the late hour ...
