I just experienced a possible bug with timeline: I have found events in a timeline view.
All events in my timeline have the field "winlog.event_data.ShareName"="\*\Archiv". So when I filter for this field, nothing should change.
This works when I add it as a normal filter in the non-drag-and-droppable filter:
But when I drag-and-drop the field to the interactive timeline filter area, it doesn't find the events anymore. I'm suspecting this is because of the double backslash in the field value. Other fields can be dragged-and-dropped as expected.
This is on Elastic Stack 8.6.2, but I can't find a change notice in 8.7 that would address this.