Thanks for swift reply @yuanliu . Here is the sample table I am looking for

A & B coulmns should come together as one and based on their values it should add to the count. More detailed way

A & B coulmns should come together as one and based on their values it should add to the count.

---

This is clearer than the original description.  If A and B should come together, they have to be combined before groupby, and used as a single groupby.  The reason why your first attempt did produce results is because as two separate groupby terms, both must exist in the same events.

The solution will depend on whether A and B are mutually exclusive.  From your original result, it seems that they are exclusive.  So,

index="XYZ"  (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "A OR B" = coalesce(A, B)
| stats count by "A OR B" StatusCode

When I am trying your query, it is showing that number events on the top. But not displayin the results in the statistics. Like below

This only means that your data set is not as you described.  Alternatively, there was some mistake in your search as @ITWhisperer speculated.  For example, maybe you misspelled A or B (these are not real field names I am certain).

I can run my code with this mock dataset:

If you manually count, this dataset should give your mock result and it does.  Here is full emulation that you can run an compare with real data:

| makeresults format=csv data="StatusCode, A, B
200, Upgrade,
200, , Downgrade
200, , Upgrade
200, Retain,
200, , Cancel
200,Cancel,
200, , Cancel
200,Cancel,
200, , Cancel
200,Cancel,
200, , Cancel
200,Cancel,
200, , Retain
200, Retain,
200, Retain,
200, , Retain
200, Retain,
200, Retain,
200, , Retain
200, Retain,
200, Retain,
200, New Customer,
200, , New Customer
200, , New Customer
200, New Customer,
200, , New Customer"
``` the above emulates
index="XYZ"  (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
```
| eval "A OR B" = coalesce(A, B)
| stats count by "A OR B" StatusCode

The output is exactly like your mock result:

@yuanliu this is the query which I am using to filter the data

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce(BackendResponse.content.reasonCode, ConsumerResponse.content.reasonCode) | stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" StatusCode

It is showing the event count, but it is not generating the results. Highlited the same.

When field names have special characters in, they often need single quotes around them (double if they are on the left of the assignment). Try this

| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode' StatusCode

@ITWhisperer , I tried but no luck 😞 . It is displaying the count but not displaying the stats

Try without StatusCode on the stats

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode') | stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'

No luck 😞 

Please try it exactly as I showed you - I have already explained that you need double quotes to the left of the assignment and single quotes to the right - if you do not follow simple instructions like this, you will struggle to get a working solution!

@ITWhispererthanks for being patient with me. I have copied the same query which you have mentioned and this is the result

index="apigee" sourcetype!="apigee:nginx" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'

Finally it is working now 🙂 Thank you so much. You made my day.

Please share the search which is giving this result.

this is the query which I am using to filter the data

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce(BackendResponse.content.reasonCode, ConsumerResponse.content.reasonCode)
| stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" StatusCode