How about you try this.

your base search | bucket span=2m _time | stats count by ARGS, host, _time | eval zebrapres=if(like(ARGS,"%zebra%"),"true","false") | stats values(zebrapres) as zebrapres by host,_time | eval zebrapres=if(isnotnull(mvfind(zebrapres,"true")),"true","false")

Dang! Still no joy. On a network with 128 hosts, the full search tells me that all of them are False for zebra. For "base search... |stats dc(host)", I get 128 hosts. For "base search... | eval zebrapres=if(like(ARGS,"%zebra%"),"true","false")| stats dc(host) by zebrapres", I get false:128 and true:58. By this point in the search string, I don't even understand how I am getting "false:128", when your eval seems like it should be enough to split my true/false zebrapres hosts on its own. I R CUNFZD

I made changes to line 1 (after my previous comment) earlier there was mismatch in the value set in zebrapress in line 1 and value being searched in mvfind command.

I may have submitted my comment before I was done, so give and take. Thanks for the continued tries, though!

I may have been so stupid doing silly mistake. I just updated second answer, give that a try.

somesoni2, I see your change. I tried the new search, and I still get only false results by the end.

For my hosts (130 hosts of varying zebrapres), the following nets me 130 false, and 58 True. The true count is correct.

your base search | eval zebrapres=if(like(ARGS,"%zebra%"),"True","False")|

can you give updated answer a try ?

somesoni, thanks for the try, but unfortunately, zebrapres only ever returns as false.