Thank you Rick, exactly what i was looking for..  can i give you another scenario - just guide please

i have a field in the same index i dont have to show it in the table but i have to use a case statement to sum or count the number of transactions

status_code this will have values like 200, 201, 300, 302, 400,401, 500,502

i only need the count of events for  all 200  all 400 all 500 only  (dont need the one for 300)

trying to get this into case statement

I'd use a separate field that contains the status codes of interest.  Something like this

| eval status=case(status_code<300 OR status_code>=400, status_code) ``` Other values of status_code set status to null```
| stats count by status

Hi Rich, since i am breaking them into separate columns - i used this using if condition

| eval TwoXXonly=if(status_code>=200 and status_code <300,1,0)
| eval FourXXonly=if(status_code>=400 and status_code <500,1,0)
| eval FiveXXonly=if(status_code>=500 and status_code <600,1,0)
| stats sum(TwoXXonly) as Total_2xx, sum(FourXXonly) as Total_4xx,sum(FiveXXonly) as Total_5xx

by date_only, org,cId,pPath, apie,apiPct,envnt

| table list of fieds

say for ex; in my data today i dont have 300 events but if they show up tomorrow - do i need to explicitly filter them out as i dont need them at all  - i have not used the status_code in by clause

just confused - should i use the filter to explicitly exclude 300 ?

That's a great solution.

If you know you don't need/want events with status_code=3xx then you can (but don't have to) filter them out in the base query.  Filtering out events and fields you know you don't need will help the search perform better.