Hi @triest,
If I understand correctly, then try appending the following as I think this may do what you want:
| eval actual=if(searchmatch("expected=1"), filter, "")
Note the quotes inside the searchmatch() - without which you'd get "Error in 'eval' command."
I've appended it to your query, which gave the following output when I ran it, with the 'actual' column showing the filters that matched, or empty if they didn't:
filter                  index  expected  actual
index=foo               foo    1         index=foo
index=foo               bar    0
index=bar               bar    1         index=bar
index=bar               foo    0
index=foo OR index=bar  foo    1         index=foo OR index=bar
index=foo OR index=bar  bar    1         index=foo OR index=bar
Is this what you were trying to do?