Thanks @ITWhisperer, I do have an index.

index="my_index"
| stats count as total, count(eval(logType="Incoming Request")) as incoming, count(eval(logType="Outgoing Response")) as outgoing by url
| eval failure = incoming - outgoing
| eval errorrate = failure / total
| table url, total, incoming, outgoing, errorrate
| sort -errorrate

I came up with this; however, this does not consider the "given time range" yet, but I got the idea. My incoming and outgoing columns in the table are 0. I will dig in further and report back.