Comment: added info re escaping of dot.ted.things

...

The IF expression can be any arbitrary Perl expression, but tokens of the form event.name or node.name are substituted with the respective event or node property value. The special wildcards event.any and node.any are replaced by a logical true value. Furthermore, tokens that match extdb.queryname.column are substituted with the result of an external enrichment query.

If your IF expression requires text that could be misinterpreted as a substitution token (e.g. the "Nr.1" in IF => 'event.details eq "NTP Server Nr.1"'), then you should escape the dotted expression with a backslash (e.g. "NTP Server Nr\.1"). Please note that in versions before 2.2.2, any misidentified, unparseable tokens were flagged as errors and were not included in the final expression to be tested.

In version 2.2 and newer, tokens of the form macro.macroname are also substituted by the value of the named macro (which can be defined in the configuration file opCommon.nmis in the section macro).
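
A pre-deployment check for the escaping rule above, as an added example (not the product's own code): it scans IF expressions for dotted words that do not begin with event, node, macro or extdb and proposes the backslash-escaped form. It assumes any run of dot-joined words is a candidate token, which may flag more than the product's matcher does; all rule names, and the macro and extdb names in the samples, are constructed.

```python
import re

# Prefixes the page names as real substitution tokens.
KNOWN_PREFIXES = {"event", "node", "macro", "extdb"}

# Assumption: any run of dot-joined words is a candidate token. A dot preceded
# by a backslash breaks the run, so already-escaped text is never matched.
DOTTED = re.compile(r"\b\w+(?:\.\w+)+\b")


def find_ambiguous(expr):
    """Return dotted words in expr that do not start with a known prefix."""
    return [m.group(0) for m in DOTTED.finditer(expr)
            if m.group(0).split(".", 1)[0] not in KNOWN_PREFIXES]


def escape_ambiguous(expr):
    """Backslash-escape the dots of every ambiguous dotted word in expr."""
    def fix(m):
        word = m.group(0)
        if word.split(".", 1)[0] in KNOWN_PREFIXES:
            return word  # genuine token: leave it for substitution
        return word.replace(".", "\\.")
    return DOTTED.sub(fix, expr)


# Constructed sample rules; "ntp" is the expression quoted on this page.
RULES = {
    "ntp": 'event.details eq "NTP Server Nr.1"',
    "escaped": 'event.details eq "NTP Server Nr\\.1"',
    "macro": 'node.group eq macro.coregroup and event.any',
    "extdb": 'extdb.owners.team eq "noc" and event.element =~ /eth0.100/',
}


def lint(rules):
    """Map rule name -> (ambiguous words, suggested expression) where a fix is needed."""
    return {name: (find_ambiguous(e), escape_ambiguous(e))
            for name, e in rules.items() if find_ambiguous(e)}


if __name__ == "__main__":
    for name, (words, fixed) in lint(RULES).items():
        print(f"{name}: escape {words} -> {fixed}")
```
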

...