Hi @GaneshAryan,

Based on what you provided, I came up with this:

index=? sourcetype="sfdc:transaction_log__c"
| eval totalmessage="b2cforce-liveperson", errormessage="userId Retrieval Failure"
| eval total=if(like(_raw,"%".totalmessage."%"),1,total), errors=if(like(_raw,"%".errormessage."%"),1,errors)
| stats sum(total) as total, sum(errors) as errors

After that you can do your math with "total" and "errors". Not sure I'd use the like() function to search something in _raw in general. But it works, it seems. Maybe you can set up a field that indicates if the event is an error, instead of searching for a string in _raw all the time.

Cheers
Ralph