You're getting this failure because you don't have a statistical function that you're charting.

It seems like what you really want to do is count total and failures on a per day per DeviceType basis, and then have a chart that shows the failure percentage per DeviceType per day. Without seeing your actual data, it's hard to say how to compute this.

However, here's an example you should be able to run locally, and then adapt to your own situation. It's something that computes the percentage of bytes retrieved by GET and POST every minute (so, per method per minute) within Splunk's internal index:

index=_internal | bucket _time span=1m | stats sum(bytes) as methodbytes by _time, method | eventstats sum(methodbytes) as totalbytes by _time | eval theperc=methodbytes/totalbytes*100 | timechart span=1m max(theperc) by method

So how this works is, the bucket command assigns a particular time to each event that is aligned with that time boundary. In your case, you'd want this to be span=1d.

The stats clause gives me the number of bytes retrieved by either GET or POST methods on a per-minute basis.

The eventstats clause creates a totalbytes column that has, for each minute, the sum of the methodbytes column for that minute. This sum goes into both the GET and POST rows for each minute.

We then use an eval to get us our percentage for each of the methods.

Finally, a timechart puts this data into our final format we want. The max command works here because there is only one percentage value per method. (In your case, this would be one percentage value per DeviceType.)

Hopefully you can use this as a starting point to get you to where you can build what you need. I would recommend building this clause by clause in your search box, just to see what kind of transformation happens at each step.