Instead of allOf/anyOf yaml, use a query expression language, e.g:

"SrcK8S_Namespace == netobserv AND DstK8S_Name == loki"

That manages AND, OR, parenthesis, and with matching operators ==, !=, =_{, !}

+ find a way / operator for presence and absence

+ optional, also accept <,>,>=,<=

We can use yacc/goyacc for that. E.g in loki operator: https://github.com/observatorium/api/blob/main/logql/v2/expr.y

I did a quick PoC for the filtering part (not parsing), which is pretty simple and easy: https://github.com/jotak/flowlogs-pipeline/commit/3860db1efff3d72137362ad68da0481e66d57532

But the bulk of the work is about parsing.

So the goal of parsing will be to transform the query string into this structure:

type Node struct {
    op        string // "and", "or", or unused in case of leaf node
    children  []*Node // operands of the and/or expression
    leaf      *api.KeepEntryRule // single match operation, such as {"srcnamespace", "equals", "foo"}
} 

Once we have that, it's pretty much done