https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536518#M151699 <P>The goal is to get a count when a specific value exists 'by id'.&nbsp; This is not working on a&nbsp;coalesced search.<BR /><BR />The search below works, it looks at two source types with different field names that have the same type of values.&nbsp; I used this because appendcols is very computation costly and I try to avoid it as much as possible.&nbsp;</P><P>One alternative I tried was:</P><PRE>count(eval(if(isnotnull(calcValue),1,null())))</PRE><P>Lastly I tried, however that one gives an error:&nbsp;&nbsp;<SPAN>Error in 'stats' command: The eval expression for dynamic field 'if("total-calcValue"&gt;0,1,null())' is invalid. Error='Type checking failed. The '&gt;' operator received different types.'.</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">count(eval(if("total-calcValue"&gt;0,1,null())))</LI-CODE><P>&nbsp;</P><P>Below is the full search</P><P>&nbsp;</P><LI-CODE lang="markup">index=someindex (sourcetype1) OR (sourcetype2) | rex field="Some Amt" "-(?&lt;Amount&gt;[\d\.]+)" | convert num(Amount) | rename Amount as total-calcValue, total as total-charges, "Some ID" as miq, "Other Source Company Name" as "other_source_company_name" | eval mid=coalesce(mid,miq) | eval Company=coalesce(other_source_company_name,company_name) | stats count first(Company) AS "Company" sum(total-*) AS * count(eval(if(isnotnull("total-calcValue"),1,null()))) as "calcValue Count" by mid</LI-CODE><P>&nbsp;</P> Wed, 20 Jan 2021 15:03:58 GMT dpolochefm 2021-01-20T15:03:58Z https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536518#M151699 <P>The goal is to get a count when a specific value exists 'by id'.&nbsp; This is not working on a&nbsp;coalesced search.<BR /><BR />The search below works, it looks at two source types with different field names that have the same type of values.&nbsp; I used this because appendcols is very computation costly and I try to avoid it as much as possible.&nbsp;</P><P>One alternative I tried was:</P><PRE>count(eval(if(isnotnull(calcValue),1,null())))</PRE><P>Lastly I tried, however that one gives an error:&nbsp;&nbsp;<SPAN>Error in 'stats' command: The eval expression for dynamic field 'if("total-calcValue"&gt;0,1,null())' is invalid. Error='Type checking failed. The '&gt;' operator received different types.'.</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">count(eval(if("total-calcValue"&gt;0,1,null())))</LI-CODE><P>&nbsp;</P><P>Below is the full search</P><P>&nbsp;</P><LI-CODE lang="markup">index=someindex (sourcetype1) OR (sourcetype2) | rex field="Some Amt" "-(?&lt;Amount&gt;[\d\.]+)" | convert num(Amount) | rename Amount as total-calcValue, total as total-charges, "Some ID" as miq, "Other Source Company Name" as "other_source_company_name" | eval mid=coalesce(mid,miq) | eval Company=coalesce(other_source_company_name,company_name) | stats count first(Company) AS "Company" sum(total-*) AS * count(eval(if(isnotnull("total-calcValue"),1,null()))) as "calcValue Count" by mid</LI-CODE><P>&nbsp;</P> Wed, 20 Jan 2021 15:03:58 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536518#M151699 dpolochefm 2021-01-20T15:03:58Z https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536523#M151703 <P>Using hyphens in field names is not a great idea.&nbsp; Stick with underscores or use camelCase.&nbsp; Introducing other characters may be valid, but can lead to errors (as you've seen) or confusion (is&nbsp;"total-calcValue" a string, an expression, or something else?).&nbsp; Often, putting single quotes around the field will help, but not always.</P><P>Try this modification of your query.</P><LI-CODE lang="markup">index=someindex (sourcetype1) OR (sourcetype2) | rex field="Some Amt" "-(?&lt;Amount&gt;[\d\.]+)" | convert num(Amount) | rename Amount as total_calcValue, total as total_charges, "Some ID" as miq, "Other Source Company Name" as "other_source_company_name" | eval mid=coalesce(mid,miq) | eval Company=coalesce(other_source_company_name,company_name) | stats count first(Company) AS "Company" sum(total_*) AS * sum(eval(isnotnull(total_calcValue))) as "calcValue Count" by mid</LI-CODE><P>&nbsp;</P> Wed, 20 Jan 2021 15:17:12 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536523#M151703 richgalloway 2021-01-20T15:17:12Z https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536874#M151773 <P>The issue was that&nbsp;</P><LI-CODE lang="markup">"total-calcValue"</LI-CODE><P>needed to be changed to</P><LI-CODE lang="markup">'total-calcValue'</LI-CODE><P>&nbsp;It was taking the double quote version as a literal text value instead of the field..</P> Fri, 22 Jan 2021 18:00:31 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-count/m-p/536874#M151773 dpolochefm 2021-01-22T18:00:31Z