Actually I want to calculate the  friction rate   of all the status which I am getting from query You can see all below status with queries Manual Review - Splunk Query ------------------------------------------------------ index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | search msg="*Manual Review*" | eval _raw = msg | rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)" | rex "Request\#\:\s*(?<Manual_CRE_ID>\d+)" | rex "with(?<Manual_Review>\s\w+\s\w+)" | rex "(?<Failed_Reason>Rule.*)$" | eval Failed_Reason=trim(Failed_Reason, "Rule ") | stats count by CRE_Creation_Date Manual_CRE_ID Manual_Review Failed_Reason ------------------------------------------------------ status Approved - Splunk Query ------------------------------------------------------ index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | search msg = "*status Approved*" | eval _raw = msg | rex "INFO\s\|\s(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)" | rex "Request\#\:\s*(?<Approved_CRE_ID>\d+)" | rex "status(?<Approved>\s........)" | stats count by CRE_Creation_Date Approved_CRE_ID Approved ------------------------------------------------------ status Rejected - Splunk Query ------------------------------------------------------ index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | search msg="*Rejected*" | eval _raw = msg | rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)" | rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)" | rex status(?<Rejected>\s\w+) | rex (?<Failed_Reason>Rule.*)$ | eval Failed_Reason=trim(Failed_Reason, "Rule ") | stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason ... View more