Hello,

I have a small dilema around AND OR boolean operators. I dont want null time logs for event=timeOut, but at the same time I also want the null values for event=timeOut because I need that info too. Would like to know if using OR instead of AND in the where clause would do that for me?

index="mvp.sl.idx"

| eval DeliverToService=case(event="timeOut", logTime)
| eval NullDeliverToService=case(event,"timeOut", logTime)

| stats values(DeliverToService) as  DeliverToService values(NullDeliverToService) as NullDeliverToService

| where isNotNull(DeliverToService) OR isNull(NullDeliverToService)