Which is more efficient, sequence or "or"?

 -
   drop_event:
     when:
       or: [{equals: {process.executable: /bin/date}}, {equals: {process.executable: /bin/df}}, {equals: {process.executable: /bin/dmesg}}]

or

-
  drop_event:
    equals: {process.executable: /bin/date}
-
  drop_event:
    equals: {process.executable: /bin/df}
-
  drop_event:
    equals: {process.executable: /bin/dmesg}

I have a large number of these kinds of contructs so would like them to be as efficient as possible.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.