I will try my best to explain what I am trying to calculate the best that I can.

In this line:  eval Percentage=round((A/B)*100,2)

I want 'A' and 'B' to be the # of occurrences of "StringA" & "StringB" from X hours ago till now.

The attachment shows the graph for the first query, you can see the last timeslice percentage does not match up with the percentage on the right, which is the same percentage but a single calculation based upon the past 4 hours.

Then when shown in the timechart each to be shown in 10 minute intervals.

I am not familiar with timewrap or autoregress but will look into them.

Below are the two graphs I have being generated from each of the queries. If you notice on the right the percentage is 78% while on the left it is 97%.  I believe this is happening due to the right percentage calculation is using a  4 hour interval selection, while the right is making percentage calculation using 10 minute intervals.

So basically trying to represent the single calculation on the right into a timechart to graph the % over time.

Yes, that's exactly what it's doing. Timechart is dividing the total timespan into span-sized buckets and is counting the stats independently for each bucket, so you can have time series. In the right search you're simply calculating overall stats over the whole period. So it's only natural that they give two different results.

And you can simplify the second search. There's no need to use appendcols and engage another search when it's not needed. Just do your count with eval. For example:

| stats count(eval(like(_raw,"%StringA%"))) as A count(eval(like(_raw,"%StringB%"))) as 

If you have the events parsed and can compare the strings to a single field, that'd be even better.

Anyway - it's natural that you get two different results because you're doing two different things. If you want to have the gauge to show the exact same value that the last value on left timechart, you have do the same stats and simply align the time of the search so it is equal to the last bucket of the timechart.

Thanks for the confirmation on what I am seeing in the graphs.  The gauge is working as I expected.

Im trying to figure out how to get the graph to match what the gauge is showing (opposite of what in your last reply).

i.e. Calculating the % based upon previous 4 hours of data but showing the result (time-slice) in 5 minute intervals.

I'm sorry, but I still don't understand. You either have a timeseries of small-spanned aggregates (like in the timechart) or a cumulative stats value over whole period. I don't understand how possibly you could achieve "% based upon previous 4 hours of data" (which sounds like a cumulative single value) but showing the result in 5-minute intervals.

You want to have the same value scattered over all timechart buckets? Kinda pointless, but doable.

Maybe this will help show what I am trying to accomplish.  I have taken the original calculation and added earliest / latest to show the percentage over time.   I am trying to show change over time using a graph instead of individual components...  Make sense ?

But that's exactly what timechart is doing. (with the restriction to a constant span instead of variably placed indicators as you have here - if you want to have a timechart with variably "spaced" time points, you can't do it straightforward with timechart command; you'd have to iterate over a set of data points and calculate separate subsearches with earliest/latest values).