According to your first search, whether an event is counted as an error is solely determined by a field named level, and only when its value is "ERROR" do you consider the event an error. Is this correct? All you need to do is literally combine this criterion and the filters in the second with OR logic. Something like:

index="iss" Environment=PROD Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
( ("Invalid JS format" OR ":[down and unable to retrieve response"
OR "[Unexpected error occurred" OR ": [An unknown error has occurred"
OR "exception" OR "IN THE SERVICE" OR "emplateErrorHandler : handleError :"
OR "j.SocketException: Connection reset]" OR "Power Error Code"
OR "[Couldn't kickstart handshaking]"
OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject"
OR "processor during S call" OR javx OR "Error while calling"
OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large"
NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null"
NOT "igests data" NOT "characters" NOT "Asset type"
NOT "Inputs U" NOT "[null" NOT "Invalid gii"
) OR level!=ERROR)
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(level="ERROR", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| eval Total_Transaction = (Total_Successes+Total_Errors)
| fields service_name, Total_Transaction, Total_Errors, Total_Successes

Note I removed the "| where" command in the first because it is more efficient to place the simple filter as a search filter. I also corrected a syntax error in the second from OR OR IN THE SERVICE" to OR "IN THE SERVICE". If any of these changes semantics, make adjustments. Hope this helps.