The answer to the question of whether it can be achieved _only_ using evals and ifs is almost definitely "no". It needs a bit more than that. While your question is a bit vague and it could use some literal examples (possibly anonymized), I assume that you need something like this:

    index=<your index> ((<conditions for error message1>) OR (<conditions for common message>))
    | eval message1=if(searchmatch("<conditions for error message1>"),1,0)
    | eval commonmessage=if(searchmatch("<conditions for common message>"),1,0)
    | stats sum(message1) sum(commonmessage)

Something like this will give you the count of your respective messages over your search window. If those numbers differ, you'll know that you have more messages of one kind than the other.

BTW, searchmatch() is probably not the most efficient way to categorize those events, so if you can specify the rules in a simpler way (for example, matching a particular field's value) it will probably be beneficial for the search performance.
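As an added illustration (not part of the answer above and not Splunk code), the following Python script replays the same eval/if/stats pipeline over a handful of constructed events. It stands in a bare-keyword searchmatch() test next to the field-value test the answer recommends, so you can see both the count comparison and why a field match is the more precise rule: the fifth constructed event contains the word "ERROR" only inside its message text, so a keyword match counts it as an error while the status field does not. The event records, field names (status, component) and the helper names are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events, not taken from the original post. Each dict stands
# in for one Splunk event: "_raw" is the raw text, "status" and "component" are
# fields that extraction would already have produced at search time.
EVENTS = [
    {"_raw": '10:00:01 component=auth status=ERROR msg="token expired"',
     "component": "auth", "status": "ERROR"},
    {"_raw": '10:00:02 component=auth status=INFO msg="login ok"',
     "component": "auth", "status": "INFO"},
    {"_raw": '10:00:03 component=billing status=ERROR msg="db timeout"',
     "component": "billing", "status": "ERROR"},
    {"_raw": '10:00:04 component=auth status=INFO msg="login ok"',
     "component": "auth", "status": "INFO"},
    # Mentions ERROR in free text but its status field is INFO.
    {"_raw": '10:00:05 component=auth status=INFO msg="previous status=ERROR cleared"',
     "component": "auth", "status": "INFO"},
]


def searchmatch_keyword(event, term):
    """Stand-in for searchmatch() with a bare keyword: a case-insensitive term
    match against the raw event text, which is what a keyword-only search does."""
    tokens = set(re.findall(r"\w+", event["_raw"].lower()))
    return term.lower() in tokens


def count_by_keyword(events, error_term="ERROR", common_term="INFO"):
    """Mirror of the answer's pipeline with keyword conditions:
         eval message1=if(searchmatch("ERROR"),1,0)
         | eval commonmessage=if(searchmatch("INFO"),1,0)
         | stats sum(message1) sum(commonmessage)"""
    counts = Counter(message1=0, commonmessage=0)
    for ev in events:
        counts["message1"] += 1 if searchmatch_keyword(ev, error_term) else 0
        counts["commonmessage"] += 1 if searchmatch_keyword(ev, common_term) else 0
    return dict(counts)


def count_by_field(events, field="status", error_value="ERROR", common_value="INFO"):
    """The cheaper, more precise form the answer recommends: test an extracted
    field's value (status="ERROR") instead of scanning the raw text."""
    counts = Counter(message1=0, commonmessage=0)
    for ev in events:
        counts["message1"] += 1 if ev.get(field) == error_value else 0
        counts["commonmessage"] += 1 if ev.get(field) == common_value else 0
    return dict(counts)


def difference(counts):
    """How many more message1 events than commonmessage events (negative if fewer)."""
    return counts["message1"] - counts["commonmessage"]


if __name__ == "__main__":
    kw = count_by_keyword(EVENTS)
    fd = count_by_field(EVENTS)
    print("keyword match:", kw, "difference:", difference(kw))
    print("field match:  ", fd, "difference:", difference(fd))
```

Run as-is, the keyword version reports three of each kind (the difference is zero), while the field version reports two errors against three common messages, which is the count the status field actually supports. The same gap appears in Splunk whenever a searchmatch() condition relies on terms that can occur in free text, which is the practical reason behind the answer's advice to express the rule as a field comparison where possible.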