We have updated our Terms of Service, Code of Conduct, and Addendum.

Looking for help with Filters and Eval Functions

There's something about filters in an eval function (and probably other functions as well) that I either don't understand or that don't work as advertised. I have some events, all of them already have a field state. In some of these events, the value is a straight number. In some events, the field value contains an epoch time and a value, delimited by a pipe, e.g. 1696254765000|5.333333333333333. To get that value, I though I'd just use an eval and filter on events that have a pipe, like seen in the screenshot. However, that seems to remove the field for all events that do not match the filter (events that have just a number in state). I created a state_copy field to illustrate this: the top event only has state_copy, it does not have a pipe in the field value, and the second event has both state and state_copy.

I would have expected the filter on the eval function to leave the top event untouched.

I know I can solve it e.g. with a regex extraction instead of split() in eval, so I'm not looking for a different way to do it. Just trying to understand if I misunderstood something and if there's an explanation why the eval touches fields in events it's not supposed to be working on in the first place.


Best Answer


  • David Maislin
    David Maislin Posts: 228 mod
    Answer ✓

    Can you try:





  • Erin Sweeney
    Erin Sweeney Posts: 45 admin

    They all work. So it's something about match using a string that I was not aware of, and filters do work as I thought they would. Thanks!