Correct formatting for using OR and WHEN condition in a processor

My filebeat config consists of the following relevant snippet-

Blockquote

• decode_json_fields:
  when:
  contains:
  docker.container.labels.com.docker.swarm.service.name: "name"
  fields: ["message"]
  process_array: false
  max_depth: 1
  target: ""
  overwrite_keys: false

Blockquote

I need to add two additional service names so that I am parsing the nested json only for those services.

The configuration above works correctly for a single service name, but I can't seem to figure out how to add the additional terms.

I have tried passing in an array of service names like this-

docker.container.labels.com.docker.swarm.service.name: "[service name1, service name 2, service name 3]"

but that didn't work.

I also tried adding an OR operator like this-

when:
or:
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 1>"
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 2>"
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 3>"

but that didn't work either.

Can someone provide the correct syntax to accomplish this?

Thanks in advance!

OK, figured out the syntax, didn't have everything lined up properly.

- decode_json_fields:
when:
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "a"
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "b"
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "c"

fields: ["message"]
process_array: false
max_depth: 1
target: ""
overwrite_keys: false

However, it appears that only the first condition is evaluated (service.name contains 'a') in terms of applying the decode actions.