I have two query
1: sourcetype=A error=499
2: sourcetype=A X=*
2nd query is almost equal to total transactions.
I would like to make timechart of % of error count on X events.
Basically I want to make timechart that will tell if error code increase is because of volume increase etc,
This should get you started.
index=foo sourcetype=A (error=499 OR X=*) | bin span=1d _time | stats count(eval(isnotnull(X)) as Total, count(eval(error=499)) as Error by _time | eval Pct = (Error * 100) / Total | timechart span=1d max(Pct)