Good day all,

This is my first post, so please bear with me. I am working on a search for the Netskope CASB product:

index=test user=johndoe
|stats count by app, activity, action, alert_name, alert_type, site, _time
|sort _time

My search seems to contain incompatible fields: action=allow and the fields alert_name, alert_type. For the "action" field the values will be either (allow, block, alert). The allow action will never have an "alert_name" or "alert_type" associated with it, but I need to see those values for when the action is "alert" or "block".

With my current search above I only see action=block and action=alert, never any action=allow. I want to be able to see action=allow, and if action=block I want to see "alert_name", "alert_type"; if action=allow then "alert_name", "alert_type" will have empty values.

I am really hoping I made sense here 🙂 Thanks and have a great day! 😉
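The behaviour described in the post comes from how `stats ... by` works: an event is dropped from the results when any of the by-fields is missing, and allow events carry no alert_name or alert_type. The following is an added example, not the poster's search or anything from Netskope; it assumes the field names from the post and that the two alert fields are genuinely absent (not empty strings) on allow events. `fillnull` gives those events a placeholder value before the grouping, so allow rows survive alongside block and alert rows:

```spl
index=test user=johndoe
| fillnull value="none" alert_name alert_type
| stats count by app, activity, action, alert_name, alert_type, site, _time
| sort _time
```

To confirm the fix, run `index=test user=johndoe | stats count by action` and compare the allow count with the number of action=allow rows the corrected search returns; the placeholder "none" is used rather than an empty string because a visible value makes the allow rows easy to filter on later.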