I have a search that uses a subsearch to filter out certain kinds of logs. I'm using the format command to create the filter list for the base search, as so:
<base search> | where NOT [<subsearch> | fields <field> | format]
Everything works fine until there's a time period where there's nothing that needs filtering. Instead, format simply returns NOT () which causes the base search to fail with this message:
Error in 'where' command: The 'not' function is unsupported or undefined.
Is there a standard way to handle this situation? I've tried using fillnull with no success.
Thanks in advance.