Actually, while your solution as such is OK, the underlying explanation is not. As I wrote in feedback to the docs (which should have been included already, but for some reason still isn't), it works a bit differently than just filtering. The expression provided in the eval() statement is evaluated, and true/false (in the case of count()) is treated the same way as not null/null. That's why count(eval(a>b)) works like filtering. But that's due to implicit operations performed on the eval result, and understanding stats with eval() as filtering leads to wrongly built searches and/or bad results.

| stats agg(eval(expression))

is equivalent (remembering the implicit conversion and the fact that you can't assign a boolean value to a field) to

| eval b=expression | stats agg(b)

Since stats with eval is often used with count as the aggregation function, it might indeed be interpreted as filtering, but it is not. Example:

| makeresults count=10
| streamstats count
| stats count(eval(count>4)) as c4 sum(eval(count>4)) as s4 sum(eval(if(count>4,count,null()))) as si4 sum(eval(count*count)) as cs4

As you can see from this run-anywhere example, the count will give you the proper number of events which have the count number higher than 4. There are of course 6 such events. But you can't sum booleans, so the s4 field will be null. But the si4 field will contain the sum of all count fields with a value bigger than 4, and cs4 will contain the sum of the squares of all values of the field count. The reason for the OP's error was the lack of an aggregation function, not eval as such.
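As an added run-anywhere search (not from the post above), the same eval-then-stats equivalence applied to avg instead of sum and count: the filter-style misreading avg(eval(count>4)), the explicit "eval b=expression | stats agg(b)" rewrite, and the if()/null() form are computed over the same constructed ten events; the expected values assume the boolean-to-null conversion described in the post.

```spl
| makeresults count=10
| streamstats count
| eval flag=if(count>4,count,null())
| stats count(eval(count>4)) as c4
        avg(eval(count>4)) as avg_bool
        avg(eval(if(count>4,count,null()))) as avg_inline
        avg(flag) as avg_rewrite
        avg(count) as avg_all
```

avg_inline and avg_rewrite both come out as 7.5 (the mean of 5 through 10) while avg_bool stays empty, because the boolean result becomes null before aggregation rather than restricting which events avg sees; c4 is 6 and avg_all is 5.5, so a search built on the filter reading would silently report nothing instead of the intended average.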