...
The IF expression is basically any arbitrary Perl expression, but tokens of the form event.name or node.name are substituted with the respective event or node property value. (The special wildcards event.any and node.any are replaced by a logical true value.) Furthermore, tokens that match extdb.queryname.column will be substituted with the result of an external enrichment query.
The THEN clause is executed if and only if the IF expression evaluates as true (i.e. non-zero, non-blank, defined). The THEN clause contains either a nested sub-policy, or a single string that specifies any number of action invocations separated by the token " AND ". The order of action invocations is relevant, but the token " AND " is just a separator: all given actions in a THEN will be executed regardless of success or failure of prior ones. All action invocations follow the same patterns: actionname(argument), actionname.subtype() or actionname.subtype(argument). The empty set of parentheses must not be omitted.
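A small policy linter for the rules described above, as an added example that is not part of the original documentation or the product's own code: it lists the substituted tokens an IF expression depends on and checks each THEN invocation against the stated patterns. The sample strings, action names and the assumption that names consist of word characters are constructed for illustration.

```python
import re

# Invocation shapes from the text: actionname(argument), actionname.subtype(),
# actionname.subtype(argument). Assumption: names consist of word characters.
# A bare actionname() is also accepted here, although the text does not list it.
INVOCATION = re.compile(
    r"^(?P<action>\w+)(?:\.(?P<subtype>\w+))?\((?P<arg>.*)\)$", re.S
)
# Tokens substituted inside IF: event.name, node.name, extdb.queryname.column.
IF_TOKEN = re.compile(r"\b(?:extdb\.\w+\.\w+|(?:event|node)\.\w+)\b")


def parse_then(clause):
    """Split a THEN string on " AND "; return (invocations, errors)."""
    invocations, errors = [], []
    for position, raw in enumerate(clause.split(" AND "), start=1):
        text = raw.strip()
        match = INVOCATION.match(text)
        if not match:
            # Typical cause: the mandatory parentheses were omitted.
            errors.append((position, text, "expected name(...) or name.subtype(...)"))
            continue
        invocations.append((match["action"], match["subtype"], match["arg"]))
    return invocations, errors


def if_tokens(expression):
    """Return the substituted tokens used by an IF expression, in order, de-duplicated."""
    seen = []
    for token in IF_TOKEN.findall(expression):
        if token not in seen:
            seen.append(token)
    return seen


# Constructed sample policy strings; property, query and action names are invented.
SAMPLE_IF = 'event.priority >= 5 and node.group eq "Core" and extdb.owners.team ne ""'
SAMPLE_THEN = "notify.oncall(event.element) AND record.audit() AND archive"

if __name__ == "__main__":
    print("IF depends on:", if_tokens(SAMPLE_IF))
    valid, invalid = parse_then(SAMPLE_THEN)
    print("valid invocations:", valid)
    print("rejected:", invalid)
```

Because every action in a THEN runs regardless of earlier failures, a malformed entry caught at review time is cheaper than discovering at runtime that one step of a chain never matched.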
...