Hi,

I'd like to count the number of HTTP 2xx and 4xx status codes in responses, group them into a single category and then display on a chart. The count itself works fine, and I'm able to see the number of counted responses. I'm basically counting the number of responses for each API that is read from a CSV file.

However, I'm struggling with the problem that I'd like to count the number 2xx and 4xx statuses, sum them and group under a common label named: "non5xx" that refers to non-server status codes and display on a chart.

So far, I've come up with the following search query, but it fails to meet my expectations:

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name ] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) AS clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY status | eval total = (successResponses + clientErrorResponses) | eventstats sum(total) AS non5xx by status | fields non5xx, 5x

Ideally, I'd like to end up with the following chart:

• The non5xx group would refer to the summed number of all 2xx and 5xx status codes e.g. HTTP 200, 201 etc.
• The 5xx group would describe server error status codes such as 500, 501 etc.

Is it possible to display such a common label consisting of the sum of two responses on an arbitrary chart e.g. a pie chart?

Thanks in advance