Here's one way. Put the category names and tests into the eval mytests statement, where the number is not 5. Ignore any where the number IS 5, because that will default after the join.
sourcetype=foo-bar category=foo | stats count by category
| join type=left category
[| makeresults | eval mytests="category1>7 category3>5 category6>9"
| makemv mytests | mvexpand mytests | makemv delim=">" mytests
| eval category=mvindex(mytests,0), limit=mvindex(mytests,1)
| table category, limit
]
| eval limit=coalesce(limit,5)
So now each category knows what its individual limit is.
| where count>limit
And there you go.
... View more