Try this,


Basic Search AND body.response.failedUpcName=* OR body.failedUpcName=*
| rename body.response.failedUpcName as response_failedUpcName, body.failedUpcName as failedUpcName
| chart count by response_failedUpcName , failedUpcName

Not sure on the exact reason for this, however reporting commands don't seem to be able to handle nested fields very well.

If your goal is to get the fields separately


Basic Search AND body.response.failedUpcName=* OR body.failedUpcName=*
| rename body.response.failedUpcName as response_failedUpcName, body.failedUpcName as failedUpcName
|fields response_failedUpcName, failedUpcName
| chart count(*) as *


If your goal is to get count based on one or the other based on what is available

Basic Search AND body.response.failedUpcName=* OR body.failedUpcName=*
| rename body.response.failedUpcName as response_failedUpcName, body.failedUpcName as failedUpcName
| eval failedUpcName = coalesce(response_failedUpcName, failedUpcName)
| chart count by failedUpcName