Thanks Ayn

That make sense, about the quotes I mean. So I tried this;

tag=audit OR tag=cleared ""

This search generated events with;
tag::eventtype, value=audit
tag::eventtype, value=cleared

but when I do this;

tag=audit OR tag=cleared "" | stats count by tag

I get zero results. I guess I am confused about tag relationships.

The quotes are only supposed to be around the VALUE, not the field name as well. So tag == "audit". Otherwise you're just giving case a string and don't tell it what to actually do with it.

Oh Sorry i misunderstood the question.

WhenI do this

tag=audit OR tag=cleared "" | eval Event=case( "tag == audit", "Logging Stoped", "tag == cleared", "Logs Cleared" )

I get this error

Error in 'eval' command: The arguments to the 'case' function are invalid

Yes, you're using it without quotes. That is wrong. You just said you got a syntax error with quotes. What was it?

I do not get any errors the search runs as expected and generates events as expected but the eval command does not generate the field named "Event" using the case function.

Yup. So what does it look like in your case? What error are you getting?

I tried with the added quotes and the case function throws a syntax error.

The example on Splunk docs is like this;
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")