I have two queries
1: sourcetype=A error=499
2: sourcetype=A X=*
The 2nd query is almost equal to total transactions.
I would like to make timechart of % of error count on X events.
Basically I want to make a timechart that will tell if an error code increase is because of a volume increase, etc.
This should get you started.
index=foo sourcetype=A (error=499 OR X=*) | bin span=1d _time | stats count(eval(isnotnull(X))) as Total, count(eval(error=499)) as Error by _time | eval Pct = (Error * 100) / Total | timechart span=1d max(Pct)
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="A" AND (error="499" OR X="*") | timechart count(eval(error="499")) AS error499count BY X
index=foo sourcetype=A (error="*" X="*") | eval error=case(error="499",1,true(),0) | timechart count as total sum(error) as error | eval perc=round(error / total * 100,2)
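For completeness, an added variant (my own example, not code from any of the posters above) that computes the same error percentage directly in timechart, so the separate bin and stats steps are not needed, and guards the division for days where no X events were seen (Total of zero would otherwise produce a divide-by-zero error). The index name foo, the field names X and error, and the 499 error code are taken from the question and answers; the daily span is an assumption.

```spl
index=foo sourcetype=A (error=499 OR X=*)
| timechart span=1d count(eval(isnotnull(X))) AS Total count(eval(error=499)) AS Error
| eval Pct = if(Total > 0, round(Error * 100 / Total, 2), null())
```

Plotting Total, Error and Pct together on one chart answers the original question directly: if Error rises while Pct stays flat, the increase tracks volume; if Pct climbs, the error rate itself has changed and is worth investigating.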