Thanks @MaverickT. We came to know about this later and asked our admins to upgrade. ... View more

Hi @bowesmana, Passing blank values in the response action and adding scores to the eval helped me a lot. Thanks for your quick help. Search example I used: | makeresults | eval field_user="noob", field_ip="8.8.8.8", field_host="machine" | eval risk_object=if(isnotnull(field_host),field_host,null()),risk_object_type=if(isnotnull(field_host),"system",null()) | appendpipe [| eval risk_object=if(isnotnull(field_user),field_user,null()),risk_object_type=if(isnotnull(field_user),"user",null())] | appendpipe [| eval risk_object=if(isnotnull(field_ip),field_ip,null()),risk_object_type=if(isnotnull(field_ip),"system",null())] | eval risk_score=20 | fields - _time field_user field_ip field_host ... View more