Hi, I'm using an "eval myvar=case(...)" like the one in the splunk documentation: ... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK") If 'case' encounters a value for 'error' that is not identified in the mapping then it converts it to the default string "NULL". Is there some trick I can use to have it simply leave it alone and return the raw value itself? For example using the above fragment, I'd like to have the pseudo-input of "404 ; 200 ; 600" map to Not Found ; OK ; 600 rather than Not Found ; OK ; NULL I understand that 'case' doesn't do this [Splunk guys: enhancement request!], but are there any pre-processing tricks I can use retain the values that 'case' would obscure? thanks. ... View more