I am trying to generate a list of the percentages of response codes by resultCode by app.   A simplified version of events are: appName=app1, resultCode=500 appName=app1, resultCode=500 appName=app1, resultCode=404 appName=app2, resultCode=404 ... If I do  <initial search that returns the above events>   |   stats count by appName resultCode it gets me very close to what I am trying to do and outputs something like this to the Statistics tab: appName resultCode count app1 500 25 app1 404 10 app1 200 100 app2 500 14 I need to take this one step further, and have an output that instead of showing the count by resultCode, will instead show the percentage each resultCode comprises by appName.   The ideal result is: appName 200 404 500 app1 90 2 8 app2 85 10 5 ...       This is ideal, but even if the result was  app1, 200, 90 app1, 404, 2 app1, 500, 8 ... (where the columns are appName, resultCode, and percentage (based on the count of events by code for an app over all events for the app) I can get a count of events by appName in a separate query to be able to get to the total, but I am just not finding how to use that specific appName's total used for each of the specific app error values all together.   I'm missing how to do  | stats count by appName as appTotal | stats count by appName resultCode as appResult | eval resultPerc=rount((appResult*100)/appTotal, 2) and have that show in a table in a way that can be clearly displayed.   Thanks for any ideas on what I might be missing here would be appreciated!      

Hi All, This may be a bit of a peculiar question, but I'm trying to figure out if there's a way to use a certain expression in a search query to pull a "maximum" value based upon a custom table (.csv import) that is pulled into the query via the "lookup" command. The table has 4 possible "Attribute" values which range from "level-1-access" to "level-4-access". In the stats table, a given UserID may have activity that reflect 1 or more of these (thus, a maximum of 4 per UserID). Below is a sample dataset. What I'm attempting to do is filter this data so that it's only showing the "maximum" (or, "highest") value for each UserID. The rows bolded in green is what I'd want to see, with everything else excluded; thus, there should only be 1 row per distinct UserID. One possible thought that comes to mind is adding an numeric field to the .csv lookup, though still not 100% certain how to go about rendering the stats table to only include the highest value per UserID.  Any help would be appreciated. Thanks!  UserID Attribute jdoe level-1-access jdoe level-3-access jdoe level-4-access asmith level-1-access asmith level-2-access ejones level-3-access ejones level-4-access pthomas level-1-access pthomas level-2-access pthomas level-3-access pthomas level-4-access