Looking for help with Filters and Eval Functions
There's something about filters in an eval function (and probably other functions as well) that I either don't understand or that don't work as advertised. I have some events, all of them already have a field
state. In some of these events, the value is a straight number. In some events, the field value contains an epoch time and a value, delimited by a pipe, e.g.
1696254765000|5.333333333333333. To get that value, I though I'd just use an eval and filter on events that have a pipe, like seen in the screenshot. However, that seems to remove the field for all events that do not match the filter (events that have just a number in
state). I created a state_copy field to illustrate this: the top event only has
state_copy, it does not have a pipe in the field value, and the second event has both
I would have expected the filter on the eval function to leave the top event untouched.
I know I can solve it e.g. with a regex extraction instead of
split() in eval, so I'm not looking for a different way to do it. Just trying to understand if I misunderstood something and if there's an explanation why the eval touches fields in events it's not supposed to be working on in the first place.