After some digging and banging, I have managed to get the search to work with the recommended MAP sub-search.

Below is the search string that I have ended up using:

index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |rename S3_call_dest_custid AS PTSID S3_call_error2 AS Error| table PTSID, Error"

This returns a table showing the top 3 customers (S3_call_dest_custid) reporting each of the errors (S3_call_error2) being reported.

Another issue - The above does work as an independent search item, however when I put it into a dashboard, I get a "Search is waiting for input... " message.

Any thoughts as to why?

As stated above, the resulting rows (S3_call_error2) are only about 4 normally, but likely less. The end result of what I want will result it the top 2 customers for each error, so we are looking at 8 max rows after my subsearch.

I am trying to play with the map and append commands, however so far no success.

Yes - all of the fields are in the same index.
I miss-typed something in the above question, so replace the 'ErrorType1' statement with S3_call_error2.

The events contain dozens of fields however the relevant ones are:

1. S3_call_error2 --This is the error type
2. S3_call_dest_regid --This is the customer name

count and percent are calculated.

There are only about 15 possible values for S3_call_error2, however in the above, the results are limited by the percent statement (3%) to about 4 or so.