Yes, in the first part you can only do a search. You can't do any operations on fields.

OK, my mistake. I assumed you had two completely separate searches (from two different sets of data) returning some fields. In your case, you could (and that's probably the simplest solution) just do one search, flag it (with some | eval selector=1), append another search (again, flagging it with | eval selector=2) and then do

    stats count(eval(selector=1)) as s1 count(eval(selector=2)) as s2 by common_field

and you're good to go.

Subsearches, however, should be avoided, so it's better to find all events (in your case it would be something like: common_field=* (success OR error)) and do some clever trick to classify the event into one class or another. If it was based on a field, it would be better, because you could just do a conditional eval based on a simple key=value if. If it's free-text based, however, you'd need to use like(_raw,"%error%") to match events containing the word "error".

So your search would end up something like this:

    common_field=* (success OR error) | stats count as total count(eval(like(_raw,"%error%"))) as errors by common_field