# Ingestion Filters

## Overview

Ingestion filters let you define conditions under which incoming data should be dropped—i.e., not ingested into Panther. This dropped data will not contribute to your ingestion quota. These filters can be useful, then, to partially ingest high-volume logs that may have previously been cost-prohibitive when connected with Panther.

Filtered-out events will not pass through detections, nor be stored in the data lake for later querying. After your filters have been configured, you can [monitor filtered event volume](https://docs.panther.com/monitoring-log-sources#viewing-filtered-event-volume).

## Types of ingestion filters

### Raw vs. normalized event filters

There are two types of ingestion filters in Panther:

* **Raw event filters**: Applied on data before it is parsed by a log schema
  * Learn more on [Raw Event Filters](https://docs.panther.com/data-onboarding/ingestion-filters/raw-event).
* **Normalized event filters**: Applied on data after it has been parsed by a log schema
  * Learn more on [Normalized Event Filters](https://docs.panther.com/data-onboarding/ingestion-filters/normalized-event).

{% hint style="info" %}
If multiple raw or normalized filters are defined for a log source, there is no guarantee of the order they will run in.
{% endhint %}

### Inclusion vs. exclusion filters

Both raw and normalized event filters can be created as inclusion or exclusion filters.

* **Inclusion filters:** Events that match the filter will be ingested (so long as they are not dropped by another filter). Events that do not match the filter will be dropped.
* **Exclusion filters:** Events that match the filter will be dropped. Events that do not match the filter will be ingested (so long as they are not dropped by another filter).