I just had to deal with this same 'deduping' crushing results as well. Did it with if() statements for any fields that were NULL at times:

<search> | eval os=if(ISNULL(os),"dummyValue",os) | eval department=if(ISNULL(department),"dummyValue",department) | dedup ip,hostname,status,department

and could then change the dummyValue back after the dedup if needed.
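The full round trip described in the post above, as an added example that is not part of the original post: fill the NULL fields, dedup, then turn the placeholder back into NULL. The four rows are constructed with makeresults, and the field constructed_row and all sample values are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS constructed_row
| eval ip=if(constructed_row<=2,"10.0.0.1","10.0.0.2")
| eval hostname=if(constructed_row<=2,"host-a","host-b")
| eval status="up"
| eval department=if(constructed_row<=2,"finance",null())
| eval os=if(constructed_row<=2,"linux",null())
| eval os=if(isnull(os),"dummyValue",os)
| eval department=if(isnull(department),"dummyValue",department)
| dedup ip,hostname,status,department
| eval os=nullif(os,"dummyValue")
| eval department=nullif(department,"dummyValue")
| table ip hostname status department os
```

With the two fill lines removed, dedup drops both host-b rows because department is NULL and only the host-a row is returned; with them, one row per host survives and the host-b row shows empty department and os again.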