if you are sure that the event tag only have either Saved or Saved, Modified , then you can access the modified timestamp with %{event_tag[1]}. since they are on the same column, i imagine the eveng_tag will be in array.
then you could go with :
if “Modified” in [event_tag] {
filter {
#elapsed filter with %{event_tag[1]} as end value
}
}
else {
filter {
#elapsed filter with %{event_tag[0]} as end value
}
}
the best way will be using ruby filter to extract the time stamp from either Saved or Modified. Here’s an example