Something like this might work for you , it's a bit fuzzy , not based on actual bytes on disk , but gives an approximation of the percentage of the raw event data that is from exceptions.

Replace YOURINDEX and YOUREXCEPTIONPATTERN with relevant values for your environment.

index=YOURINDEX | eval event_length_all = len(_raw) |eventstats sum(event_length_all) as all_event_length | regex _raw="YOUREXCEPTIONPATTERN" | eval event_length = len(_raw) | eventstats sum(event_length) as exceptions_length | eval percentage_of_events_that_are_exceptions=exceptions_length/all_event_length*100 | table percentage_of_events_that_are_exceptions