Splunk Search

Using results of join in eval if

blablabla
Path Finder

Hello, 

I have a question regarding the usage of the results of a join within an eval if. I have a couple of responses, to which I am joining their preceding requests (written to another source):

index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]

 

The issue is that sometimes I get a wrong match, i.e. a request that is not connected to the response and was a few days ago. The reason why they are matched is that it is the same device ID.
That's why I am trying to have an eval for the timediff. If I use the field request.command within the if, I receive empty results:

index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]
|....(commands calculating timediff)
| eval request.command=if(timediff<300,request.command,"")

 

If I save the value in a field whose name contains no point, it works properly:

index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]
|....(commands calculating timediff)
|rename request.command as requestCommand
| eval requestCommand=if(timediff<300,requestCommand,"")

 

Does someone have an idea why I cannot use request.command within the eval (but in other commands I can use it)?

Thanks and best regards

1 Solution

ITWhisperer
SplunkTrust

If a field name includes a point, when using it in functions for example, you should enclose the field name in single quotes.

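As an added example (not part of the original thread or the asker's search), the following self-contained search reproduces the behaviour on constructed data from makeresults, so it runs without any index. The device IDs, timestamps, commands and the 300-second threshold are assumptions chosen to mirror the question. The unquoted variant is kept in to show why it comes back empty: inside an eval expression the point is the concatenation operator, so an unquoted request.command is read as request . command, the concatenation of two fields that do not exist, and not as the single field named request.command.

```spl
| makeresults
| eval ID="device-01", respTime=1700000000, reqTime=1699999880, reqCommand="GET_STATUS"
| append
    [| makeresults
     | eval ID="device-02", respTime=1700000000, reqTime=1699700000, reqCommand="REBOOT"]
| rename respTime as response.rcvTime, reqTime as request.rcvTime, reqCommand as request.command
| eval timediff='response.rcvTime' - 'request.rcvTime'
| eval unquoted=if(timediff<300, request.command, "")
| eval 'request.command'=if(timediff<300, 'request.command', "")
| table ID timediff unquoted request.command
```

The constructed rows give device-01 a request 120 seconds before its response and device-02 a stale request from several days earlier. The unquoted field is empty for both rows, while the single-quoted version keeps GET_STATUS for device-01 and blanks the stale REBOOT for device-02. The rename and table commands accept the dotted names without quotes because they take field names as arguments rather than evaluating an expression, which is also why the rename-to-requestCommand workaround in the question works.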
