Simplicity is derived from reducing the two searches to a single searches. There are often several ways to get the same result in Splunk - some more performant than others - which is useful in large data sets.

Here's a variant that uses eventstats to get the unique count of tx ids which before the where clause. It then uses values() to pass that total through to the final eval - it could also be done with 'by TotalTxIds' as there's only one value.  As you have already split by txn_id, then count will give you the effective result of dc()

baseSearch 
| stats latest(status) as lastTxnStatus by txn_id 
| eventstats count as TotalTxIds
| where lastTxnStatus>=500
| stats values(TotalTxIds) as TotalTxIds count as TxEndingInError
| eval failureRate = round(TxEndingInError / TotalTxIds * 100)

This is a very clever use of stats values()!

I can see that both responses are functionally equivalent and are way better than my original query. I've accepted the first reply. For the record, I also found another efficient way of expressing the query using "top":

basesearch | stats latest(status) as lastStatus by lastTxnStatus
| top lastStatus limit=0
| search lastStatus >= 500
| stats sum(percent) as BadPercentage

@splunkuserCA1  Haha, yes, you've discovered the beauty of Splunk, in that there is always more than one way of doing a task. At some point in your Splunk journey, you may well start to think about which one performs better than the other and that you can get by looking at the job inspector.

There are definitely performance differences between different techniques and if you have large data sets, you'll start to hit Splunk limits with some techniques.

Happy Splunking!

Hi

can you post sample data as I suppose that there could be easier solution than those two queries....

r. Ismo

While I can't post the exact data, this table should contain enough. As you see, there are multiple entries for some transactions (like txn1), while other transactions have just 1 entry: