So I have it now, but it is VERY ugly and takes quite a while to load because the 90 day data is cold. `sourcetype=mysourcedata | eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) | stats count BY DEVICE_NAME, date_month, date_mday | stats avg(count) AS "Average_Alert_Count" BY DEVICE_NAME | inputlookup append=t DEVICE_NAME.csv | fillnull value=0 "Recent_Event_Count" | dedup DEVICE_NAME | eval Average_Alert_Count=round(Average_Alert_Count,2) | join DEVICE_NAME append [search sourcetype=mysourcedata earliest=-24h latest=now | eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) | stats count as Recent_Event_Count by DEVICE_NAME | inputlookup append=t DEVICE_NAME.csv | fillnull value=0 "Recent_Event_Count" | dedup DEVICE_NAME]` Using the lookup table in the subsearch first I was able to get all of the 0 count for last 24h devices but I was still missing a few where the 90 day average was 0 also so I added it to the main search as well and now I am getting everything even where the average and count are 0. Thanks for all the help! This is a mess though. I'd welcome any recommendations on how to clean this up and make to cold data return faster. ... View more

Why not this ? eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) I moved your comment to the answer section so i can vote it up because it worked. With my fresher mind this morning I realized I was doing the evaluation (including this one) after the aggregation functions which I changed and it worked! Thank you ... View more