...
The THEN expression consists of a nested sub-policy or of a single action statement. The action statement is an AND-separated list of set or capture action statements:
set.propertyname(value) sets the named property to the static value. No quoting of the value
...
- is required, but ")" cannot be part of the value.
capture(propname1,propname2,...) saves the respective captures from the regex in the named properties. The captures are assigned in their order in the regular expression; if you want grouping but not capturing, use(?:....)in your regex. Note that you cannot use multiple capture statements in one THEN.- in opEVents versions newer than 2.0 there is the additional action
ignore. This aborts parsing of this input altogether and no event is created for it.
Normally the generic parser is expected to extract suitable information for an event from every single input line, which might not work well if your log data is coming from multiple sources or can't be suitably prefiltered.
Rules are applied in the order defined by their numeric key, and nesting is fully supported.