Type: New Feature Request
Resolution: Unresolved
Priority: Minor
Affects Version/s: 6.0.12
Component/s: Server (S)
First of all, our use case.
We use Zabbix for monitoring our Windows servers. So, our template includes items like the following:
eventlog[Application,,"Warning|Error|Critical",,,100,skip]
eventlog[System,,"Warning|Error|Critical",,,100,skip]
The main idea is to inform the appropriate person about any significant messages in Windows Event Log.
The main problem is to define the term "significant message" technically, because:
- there are some messages with level=Error that could be safely ignored;
- there are some messages with level=Warning that really are very important (for example, messages from a RAID Controller about a failed disk).
So, in practice our trigger expressions are quite complex. Often they have logic like the following:
IF (
(level=Error OR level=Critical)
AND
NOT (source='Source1' AND eventid='1111') //ignore errors with id=1111 from Source1
AND
NOT (source='Source2' AND eventid='2222') //ignore errors with id=2222 from Source2
AND
NOT (source='Source3' AND eventid='3333') //ignore errors with id=3333 from Source3
[...]
) OR (
level=Warning
AND (
(source='SourceX' AND eventid='XXXX') //accept warnings with id=XXXX from SourceX
OR
(source='SourceY' AND eventid='YYYY') //accept warnings with id=YYYY from SourceY
)
)
It would be great if some of this logic were available in preprocessing: for example, if (source='Source1' AND eventid='1111') then just discard the value. It could dramatically simplify our trigger expressions.
Unfortunately, at the moment none of this Event Log metadata (EventID, Source, Severity, original timestamp) is accessible during the preprocessing stage.
There could be different approaches to implementing these checks, for example, making the system macros {ITEM.LOG.*<1-9>} ({ITEM.LOG.EVENTID}, {ITEM.LOG.NSEVERITY}, {ITEM.LOG.SOURCE}) available during preprocessing, or providing functions like logeventid()/logseverity()/logsource() in JavaScript.
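The trigger logic quoted above, written as a plain ES5 function so the deny-list for errors and allow-list for warnings can be exercised offline. This is an added example, not part of the issue or of Zabbix itself; the event object with source, eventid and level fields is an assumption, since the report states that this metadata is not yet exposed to preprocessing, and the rule values are the placeholders from the report.

```javascript
// Added example, not from the Zabbix issue or from Zabbix itself.
// Implements the pseudo-expression from the report as a testable function.
// The `event` object shape (source, eventid, level) is an ASSUMPTION: the
// report says this metadata is not yet available in preprocessing, so there
// is no official field layout to follow. ES5 syntax is used deliberately so
// the logic would also run in an ES5-only engine.

// Constructed rule sets mirroring the placeholders in the report.
var IGNORED_ERRORS = [               // Error/Critical events that can be safely dropped
  { source: 'Source1', eventid: '1111' },
  { source: 'Source2', eventid: '2222' },
  { source: 'Source3', eventid: '3333' }
];
var IMPORTANT_WARNINGS = [           // Warning events that really matter (e.g. RAID disk failure)
  { source: 'SourceX', eventid: 'XXXX' },
  { source: 'SourceY', eventid: 'YYYY' }
];

// True when any (source, eventid) rule matches the event; eventid is compared
// as a string so numeric and string ids behave the same way.
function matchesAny(rules, event) {
  for (var i = 0; i < rules.length; i++) {
    if (rules[i].source === event.source &&
        String(rules[i].eventid) === String(event.eventid)) {
      return true;
    }
  }
  return false;
}

// Returns true when the event should reach the trigger, false when it
// should be discarded at the preprocessing stage.
function isSignificant(event) {
  var level = event.level;
  if (level === 'Error' || level === 'Critical') {
    return !matchesAny(IGNORED_ERRORS, event);    // deny-list for errors
  }
  if (level === 'Warning') {
    return matchesAny(IMPORTANT_WARNINGS, event); // allow-list for warnings
  }
  return false;                                   // Information etc.: never significant
}

// Preprocessing-style wrapper: pass the original log value through, or return
// null to signal "discard". The actual discard mechanism is left abstract,
// since the report only asks for the decision logic to be available.
function preprocess(value, event) {
  return isSignificant(event) ? value : null;
}
```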