https://community.splunk.com/t5/Splunk-Search/Two-evals-in-one-query-query-not-returning-results/m-p/469863#M132221 <P>Hi All, I have the following query with 5 source types and 2 evals in one query, common field between source types is correlationid and elapsed time which may or may not exist and using coalesce since name formats can be different, I want to return unique correlation id in different sources and elapsedtime and return null if it does not exist, when I run the query below it is not returning any results,, what is wrong with the query below, is using 2 evals an issue ? </P> <P>(sourcetype=source1) OR (sourcetype=source2) OR (sourcetype=source3) OR (sourcetype=source4) OR (sourcetype=source5) <BR /> | eval CorrelationId=coalesce('Properties.CorrelationId',CorrelationId,x-correlation-id,x_correlation_id )<BR /> | eval ElapsedTime = coalesce('Properties.elapsedMs','Properties.ElapsedMs','Properties.ElapsedTime',elapsedMs,elapsed)<BR /> | stats values(ElapsedTime) as ElapsedTime by CorrelationId sourcetype<BR /> | xyseries CorrelationId sourcetype ElapsedTime<BR /> | fillnull source1 source2 source3 source4 source5 value="Not exists"<BR /> | table CorrelationId source1 source2 source3 source4 source5<BR /><BR /> | sort CorrelationId</P> Wed, 30 Sep 2020 05:36:22 GMT msrama5 2020-09-30T05:36:22Z https://community.splunk.com/t5/Splunk-Search/Two-evals-in-one-query-query-not-returning-results/m-p/469863#M132221 <P>Hi All, I have the following query with 5 source types and 2 evals in one query, common field between source types is correlationid and elapsed time which may or may not exist and using coalesce since name formats can be different, I want to return unique correlation id in different sources and elapsedtime and return null if it does not exist, when I run the query below it is not returning any results,, what is wrong with the query below, is using 2 evals an issue ? </P> <P>(sourcetype=source1) OR (sourcetype=source2) OR (sourcetype=source3) OR (sourcetype=source4) OR (sourcetype=source5) <BR /> | eval CorrelationId=coalesce('Properties.CorrelationId',CorrelationId,x-correlation-id,x_correlation_id )<BR /> | eval ElapsedTime = coalesce('Properties.elapsedMs','Properties.ElapsedMs','Properties.ElapsedTime',elapsedMs,elapsed)<BR /> | stats values(ElapsedTime) as ElapsedTime by CorrelationId sourcetype<BR /> | xyseries CorrelationId sourcetype ElapsedTime<BR /> | fillnull source1 source2 source3 source4 source5 value="Not exists"<BR /> | table CorrelationId source1 source2 source3 source4 source5<BR /><BR /> | sort CorrelationId</P> Wed, 30 Sep 2020 05:36:22 GMT https://community.splunk.com/t5/Splunk-Search/Two-evals-in-one-query-query-not-returning-results/m-p/469863#M132221 msrama5 2020-09-30T05:36:22Z https://community.splunk.com/t5/Splunk-Search/Two-evals-in-one-query-query-not-returning-results/m-p/469864#M132222 <P>Having more than one <CODE>eval</CODE> is not a problem. Why is a problem, however, is <CODE>stats</CODE> with a field (ElapsedTime) that may be null. That will give you no results. Avoid that by adding a constant to your <CODE>coalesce</CODE>.</P> <PRE><CODE>| eval ElapsedTime = coalesce('Properties.elapsedMs','Properties.ElapsedMs','Properties.ElapsedTime',elapsedMs,elapsed, 0) </CODE></PRE> Tue, 02 Jun 2020 12:48:21 GMT https://community.splunk.com/t5/Splunk-Search/Two-evals-in-one-query-query-not-returning-results/m-p/469864#M132222 richgalloway 2020-06-02T12:48:21Z