Conditional Running

Processors support an optional if field that uses the expr expression language for conditional execution.

Basic Usage

If provided, the processor only runs when the condition evaluates to true. The condition has access to the current log entry context as service.

processors:
  - drop:
      if: "service.network.direction != 'local'"

Condition Types

Null Checks

Check for null/nil values safely using optional chaining with ?:

- set:
    if: "service._temp_?.timezone_offset != null && service._temp_?.timezone_offset != 'local'"
    field: timezone
    value: "{{service._temp_.timezone_offset}}"

- drop:
    if: "service.observer.egress.interface.name == nil && service.network.direction == 'outbound'"

Numeric Comparisons

Compare numeric values using standard operators:

- set:
    if: "service.source?.packets > 5 && service.destination?.packets < 30"
    field: traffic_status
    value: "normal"

Array Operations

Check array contents using contains and notcontains (or !contains):

- drop:
    if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(service.checkpoint?.rule_action)"

- set:
    if: "['Reject', 'Block', 'Prevent'].notcontains(service.checkpoint?.rule_action)"
    field: allow_status
    value: true

String Operations

Work with strings using various methods:

# Case-insensitive contains
- set:
    if: "service.checkpoint.product.toLowerCase().contains('example')"
    field: is_example
    value: true

# Using lower() function
- set:
    if: "lower(checkpoint.product) contains 'example'"
    field: is_example
    value: true

Key Existence Checks

Check if fields or keys exist:

- set:
    if: "service.containsKey('network')"
    field: has_network
    value: true

- set:
    if: "service.network.containsKey('direction')"
    field: has_direction
    value: true

Complex Conditions

For better readability, complex conditions can be split across multiple lines using > in YML:

- set:
    if: >
      service?._temp_?.external_zones != null &&
      service?._temp_?.internal_zones != null &&
      service?.observer?.ingress?.zone != null &&
      service?.observer?.egress?.zone != null &&
      service._temp_.external_zones.contains(service.observer.egress.zone) &&
      service._temp_.external_zones.contains(service.observer.ingress.zone)
    field: zone_status
    value: "external"

Pipeline Branching

The if condition can be used to conditionally execute different pipelines:

processors:
  - pipeline:
      name: network_traffic
      if: "service?.source.packets != null && service.destination.packets != null"

  - pipeline:
      name: threat_detection
      if: "service.threat?.indicator?.confidence > 50"

  - fail:
      if: "service.network?.direction == nil"
      message: "Network direction must be specified"

note

Use optional chaining (?.) to safely access nested fields without causing null pointer exceptions.

tip

Keep conditions simple and focused for better performance and maintainability.

Basic Usage​

Condition Types​

Null Checks​

Numeric Comparisons​

Array Operations​

String Operations​

Key Existence Checks​

Complex Conditions​

Pipeline Branching​