I need to drop computer account name ending with $ sign

You're aware that the Drop function drops the whole event?

Yes, i want to drop such whole event meeting filter as shown in screenshot

Try to wrap the $ in double quotes

the problem is that the filter is not meeting ---i need to match with all Account_Name fields which ends with $ i.e. all computer account

i did the "$" did not work

Oh wait, Account_Name is not a string but a list

another observation is that Acccount_Name field has 2 values as shown in the first screenshot

Add a [0] after Account_Name

can you show me that with screenshot of the exact syntax

No, I'm on mobile phone

Do you want to remove the values that contain a $ at the end of the array element? What if the second value contains the $? Or are you looking to drop the entire event if any of the values in the array end with a $?

The Account_Name.includes('$') will simply check if $ exists anywhere in only the first item in the array, i.e. Account_Name[0]. What if it is Account_Name[1], etc.?

My understanding was that if the Account Name has a $, all values have it

Thought I would get fancy...

ChatGPT FTW!

TIL about bind and !!

Here Account_Name would have a `-` and `SETEST$`

I've checked some Windows events now. We see array with 2 Values on Specific events like 4703 where there is Account Name under 'Subject' and Under 'Target Account

the pack that transforms classic to JSON, puts both value under Account_Name

Yes, those are sample events I include with the pack, but some real events show that Account_Name can have two different values, and they are not always the same, sometimes one value is `-` and another ends with `$`, etc.

Yes