https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476368#M133771 <P>Thanks it worked. What I observed is due to . in my field name it is not working with coalesce function if I use same name replacing . with _ it is working like below</P> <P>index=fios 110788439127166000 <BR /> |rename DELPHI_REQUEST.REQUEST.COMMAND as "DELPHI_REQUEST_REQUEST_COMMAND"<BR /> | eval check=coalesce(SVC_ID,DELPHI_REQUEST_REQUEST_COMMAND)<BR /> | table DELPHI_REQUEST_REQUEST_COMMAND,host,SVC_ID,check</P> Wed, 30 Sep 2020 04:17:55 GMT poddraj 2020-09-30T04:17:55Z https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476366#M133769 <P>Hi,</P> <P>I am using below simple search where I am using coalesce to test.</P> <PRE><CODE>index=fios 110788439127166000 | eval check=coalesce(SVC_ID,DELPHI_REQUEST.REQUEST.COMMAND) | table DELPHI_REQUEST.REQUEST.COMMAND ,host,SVC_ID,check |rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND" </CODE></PRE> <P>I am getting below output where coalesce is not printing the value of field DELPHI_REQUEST.REQUEST.COMMAND instead it is printing null value.</P> <PRE><CODE> COMMAND host SVC_ID check ------------------------------------------------------------------------------------------ GET_TOPOLOGY dlfdam1 GET_TOPOLOGY dlfdam1 </CODE></PRE> <P>However, if I use below query coalesce is working fine.</P> <PRE><CODE>index=fios 110788439127166000 | eval check=coalesce(SVC_ID,host) | table DELPHI_REQUEST.REQUEST.COMMAND ,host,SVC_ID,check |rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND" COMMAND host SVC_ID check ---------------------------------------------------------------------------------------- GET_TOPOLOGY dlfdam1 dlfdam1 GET_TOPOLOGY dlfdam1 dlfdam1 </CODE></PRE> <P>Can someone let me understand why it is not working with extracted fields and working with host field</P> Wed, 19 Feb 2020 12:20:07 GMT https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476366#M133769 poddraj 2020-02-19T12:20:07Z https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476367#M133770 <P>try to first rename then coalesce</P> <PRE><CODE> index=fios 110788439127166000 |rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND" | eval check=coalesce(SVC_ID,COMMAND) | table COMMAND ,host,SVC_ID,check </CODE></PRE> Wed, 19 Feb 2020 16:51:03 GMT https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476367#M133770 PavelP 2020-02-19T16:51:03Z https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476368#M133771 <P>Thanks it worked. What I observed is due to . in my field name it is not working with coalesce function if I use same name replacing . with _ it is working like below</P> <P>index=fios 110788439127166000 <BR /> |rename DELPHI_REQUEST.REQUEST.COMMAND as "DELPHI_REQUEST_REQUEST_COMMAND"<BR /> | eval check=coalesce(SVC_ID,DELPHI_REQUEST_REQUEST_COMMAND)<BR /> | table DELPHI_REQUEST_REQUEST_COMMAND,host,SVC_ID,check</P> Wed, 30 Sep 2020 04:17:55 GMT https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476368#M133771 poddraj 2020-09-30T04:17:55Z https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476369#M133772 <P>Or you can try to use ‘FIELD.NAME’ instead of FIELD.NAME.</P> Thu, 20 Feb 2020 17:25:39 GMT https://community.splunk.com/t5/Splunk-Search/Coalesce-function-not-working-with-extracted-fields/m-p/476369#M133772 isoutamo 2020-02-20T17:25:39Z