I have a query I'm working on where not all the values I feed it are in the index I am querying against.
For example, suppose I have two emails, [email protected] and [email protected]:

index=windows sourcetype=ActiveDirectory [email protected] OR [email protected] | dedup name

Currently only [email protected] is in the index. As a result I only return the Event for [email protected].
I'd like to have my query return two records for [email protected] and [email protected] even if there are no results for [email protected]. Something where the event is essentially blank except for the [email protected] value.
Any thoughts out there?