...
The IF expression is basically any arbitrary Perl expression, but tokens of the form event
.name or node
.name are substituted with the respective event or node property value. The special wildcards event.any
and node.any
are replaced by a logical true value. Furthermore, tokens that match extdb.queryname.column
will be substituted with the result of an external enrichment query.
In version 2.2 and newer, tokens of the form macro.macroname
are also substituted by the value of the named macro (which can be defined in the configuration file opCommon.nmis
in the section macro
).
Please note that for maximum robustness you should express any regular expression in IFs as /regexp contents/
or qr{regexp contents
}, NOT as "regexp contents": the doublequoted variant only works for very simple patterns.
...