Condition

See table below for all possible combinations of operators available for specific types.

<parameter type="Condition">
	<negatePrimaryCondition>false</negatePrimaryCondition>
	<conditionRelation>All</conditionRelation>
	<conditionSpec> <!—0 or more of these -->
		<negate>false</negate>
		<fieldName>ev:msg</fieldName>
		<operator>containsString</operator>
		<valueType>string</valueType>
		<value>host</value>
	</conditionSpec>
</parameter>

default

<parameter type="Condition">
	<negatePrimaryCondition>false</negatePrimaryCondition>
	<conditionRelation>All</conditionRelation>
</parameter>

default <conditionSpec>

<conditionSpec> <!—0 or more of these -->
	<negate>false</negate>
	<fieldName>ev:msg</fieldName>
	<operator>containsString</operator>
	<valueType>string</valueType>
	<value>value</value>
</conditionSpec>

Details

A condition consists of the following elements:

negatePrimaryCondition = "true" or "false" (true negates result of entire condition)

conditionRelation = "Any" or "All" (allows OR or AND respectively of contained conditionSpec's).

Set of criteria (conditionSpec's), each of which is defined by:

EvField is any valid fieldname in an event or the word "Any", which attempts to test expression against every field in event, and returns TRUE if at least one expression evaluates to TRUE. If the fieldname does not exist in the event the comparison returns FALSE, which may be negated by the ConditionSpec negate flag.

Note: The operator "exists" returns TRUE if the EvField name exists in event.

Note: The operator "isEmpty" returns TRUE if the field does not contain a value. If the field doesn't exist, return TRUE.

Note: When Operator is matchesRegularExpression, the value may be any regular expression as defined in Java which includes support for "*" to match any zero or more characters, "." to match any single character, etc.

Valid Valuetype for operators:
string and number: equal, not equal, greater than, less than, less than or equal, greater than or equal, exists, is empty.
STRING ONLY: contains, isContainedinString, matchesRegularExpression, inList.

For more information on Regular Expressions, please see Sun's regular expression patterns summary.

Operator Table

Condition Phrase	<negate>	<operator>	<valueType>
numerically equal	false	eq	number
equal to string	false	eq	string
equal to case insensitive string	false	eq	stringIgnoreCase

numerically not equal	false	neq	number
not equal to string	false	neq	string
not equal to case insensitive string	false	neq	stringIgnoreCase

numerically greater than	false	gt	number
ASCII greater than	false	gt	string
ASCII case insensitive greater than	false	gt	stringIgnoreCase

numerically greater than or equal to	false	geq	number
ASCII greater than or equal to	false	geq	string
ASCII case insensitive greater than or equal to	false	geq	stringIgnoreCase

numerically less than	false	lt	number
ASCII less than	false	lt	string
ASCII case insensitive less than	false	lt	stringIgnoreCase

numerically less than or equal to	false	leq	number
ASCII less than or equal to	false	leq	string
ASCII case insensitive less than or equal to	false	leq	stringIgnoreCase

contains string	false	containsString	string
contains string case insensitive	false	containsString	stringIgnoreCase
does not contain string	true	containsString	string
does not contain string case insensitive string	true	containsString	stringIgnoreCase

is substring of	false	isContainedInString	string
is case insensitive substring of	false	isContainedInString	stringIgnoreCase
is not substring of	true	isContainedInString	string
is not case insensitive substring of	true	isContainedInString	stringIgnoreCase

matches regular expression	false	matchesRegExp	string
does not match regular expression	true	matchesRegExp	stringIgnoreCase

matches one of value list	false	isInList	string
matches one of value case insensitive list	false	isInList	stringIgnoreCase
does not match one of value list	true	isInList	string
does not match one of value case insensitive list	true	isInList	stringIgnoreCase

exists	false	exists	n/a
does not exist	true	exists	n/a

is empty	false	isEmpty	n/a
is not empty	true	isEmpty	n/a

Special Cases

If there is more than one fieldName in the event, only the first will be considered.

Number

An empty or missing comparison value (no value field exists) is treated as double NaN (Not a Number).
An empty or missing event field (no field name field exists) is treated as as double NaN (Not a Number).
The result of a comparison when either or both numbers is double NaN is always false.

String or StringIgnoreCase

An empty or missing comparison value (no value field exists) is treated as an empty string ("").
An empty or missing event field (no field name field exists) is treated as an empty string ("").
The result of comparing two empty strings for equality is true.
An empty string is always less in value than a non-empty string.
An empty string will never match a regular expression.
An empty string can never be contained in another string.
An empty string can be a member of a list. For example, "" isInList for the four value fields with values of "Joe", "Jim", "", "Jon" evaluates to true.