Several problems with this search.
- Success is 0. You can verify this by removing everything after the first stats. (I will analyze this later.)
- You should not do stats by Percent_Failure because you will always get 1.
Why Success count is 0? You need to explain what is the output in index=john-doe-index. By explain, I mean illustrate some real events (anonymize as needed). Short of that, you need to explain whether you have a field named statusCode AND if yes, how this code is extracted. Second, you need to explain what "2**" signifies. Is this a wildcard expression, or does your event record success events as literal 2**? These details are necessary so volunteers do not have to read your mind. Here, I will speculate that your codes are like 200, 203, and so on. (Not "2**".)
I am not sure when can count(eval(statusCode="2**")) give non-zero count but I know in most cases it will end up with zero. If you really, really, really want to use eval, you can do something like
| stats count as Total count(eval(if(searchmatch("statusCode=2*"), "success", null()))) as Success
| eval Failure = Total - Success | eval Percent_Failure = round((Failure/Total)*100)."%"
| table Percent_Failure Total
(If you are using wildcard in search, there is no need for "2**".) This is a lot messier than simply
| eval success = if(searchmatch("statusCode=2*"), "success", null())
| stats count as Total count(success) as Success
| eval Failure = Total - Success | eval Percent_Failure = round((Failure/Total)*100)."%"
| table Percent_Failure Total
Here is a full emulation using _internal.
index="_internal"
| extract access-extractions
| rename status as statusCode
``` data emulation above ```
My result is
| Percent_Failure | Total |
| 98% | 257002 |
(Of course, in my emulation, most events do not have field status so they count as "failure" in this formula.) If you use | stats count by Percent_Failure instead of table, all you get is Total 1.
