...

The IF expression is essentially an arbitrary Perl expression, but tokens of the form event.name or node.name are replaced with the value of the named event or node property. The special wildcards event.any and node.any are replaced by a logical true value. Tokens of the form extdb.queryname.column are replaced with the result of the corresponding external enrichment query. The IF expression accepts "AND" as well as "and", but does not support "OR" or "or".

If your IF expression contains text that could be misinterpreted as a substitution token (e.g. the "Nr.1" in "IF" : "event.details eq "NTP Server Nr.1""), escape the dotted text with a backslash (e.g. "NTP Server Nr\.1"). Please note that in versions before 2.2.2, any misidentified tokens that could not be parsed were flagged as errors and were not included in the final expression to be tested.
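The following is an added example, not code from the product or its documentation, that models the substitution step described above in Python: it resolves event.*, node.* and extdb.*.* tokens, treats a backslash-escaped dot as literal text, accepts "AND" as a synonym of "and", and shows the pre-2.2.2 behaviour (an unparseable token such as "Nr.1" is an error) beside a lenient mode that leaves such text untouched. The dictionary shapes for event, node and extdb results, the single-quoted rendering of substituted values, and the handling of a missing property are assumptions of this example, not documented behaviour; the Perl evaluation of the resulting expression is left to Perl.

```python
import re

# A dotted token as the rule engine would see it: word.word, optionally
# word.word.word (event.details, node.name, extdb.lookup.owner). An escaped
# dot such as "Nr\.1" never matches, because the backslash is not a word
# character, so "Nr" and "1" are not joined into a token.
TOKEN_RE = re.compile(r"\b(\w+)\.(\w+)(?:\.(\w+))?\b")


def perl_quote(value):
    """Render a property value as a single-quoted Perl string literal.

    Quoting the substituted value is a design choice of this example (the
    page does not say how the engine inserts values): a value containing
    quotes, spaces or operators then stays a plain string and cannot change
    the structure of the expression around it.
    """
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + text + "'"


def substitute_if(expr, event, node, extdb=None, strict=False):
    """Resolve event.*, node.* and extdb.*.* tokens in an IF expression.

    event, node : dicts of property values (assumed shape).
    extdb       : {(queryname, column): value}, standing in for the results
                  of the external enrichment queries (assumed shape).
    strict      : True mimics the pre-2.2.2 behaviour the page describes,
                  where a token that cannot be resolved is an error;
                  False leaves such text as written (assumed later behaviour).
    Returns the expression text ready to be handed to the Perl evaluator.
    """
    extdb = extdb or {}
    out, errors, pos = [], [], 0

    def literal(text):
        # Unescape "\." back to "." and accept "AND" as a synonym of "and".
        text = text.replace("\\.", ".")
        return re.sub(r"\bAND\b", "and", text)

    for m in TOKEN_RE.finditer(expr):
        out.append(literal(expr[pos:m.start()]))
        pos = m.end()
        first, second, third = m.groups()
        if first in ("event", "node") and third is None:
            source = event if first == "event" else node
            if second == "any":
                out.append("1")             # wildcard: logically true
            elif second in source:
                out.append(perl_quote(source[second]))
            else:
                out.append(perl_quote(""))  # missing property: empty string (assumption)
        elif first == "extdb" and third is not None and (second, third) in extdb:
            out.append(perl_quote(extdb[(second, third)]))
        else:
            errors.append(m.group(0))       # misidentified / unparseable token
            if not strict:
                out.append(literal(m.group(0)))
    out.append(literal(expr[pos:]))

    if strict and errors:
        raise ValueError("unparseable tokens: " + ", ".join(errors))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample event and node, not real data.
    event = {"details": "NTP Server Nr.1", "priority": 5}
    node = {"name": "core-sw1"}
    print(substitute_if('event.details eq "NTP Server Nr\\.1" AND node.any', event, node))
    try:
        substitute_if('event.details eq "NTP Server Nr.1"', event, node, strict=True)
    except ValueError as err:
        print("pre-2.2.2 behaviour:", err)
```

Because values are substituted as quoted literals, a property such as event.details that carries attacker-influenced text (a syslog message, for instance) is compared as data rather than being interpreted as part of the Perl expression; that is the check a practitioner would want on any engine that builds an expression by string substitution and then evaluates it.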

...