# Normalized Event Filters

## Overview

You can use normalized event filters in Panther to filter out data after it has been classified—i.e., after it has been parsed according to a log schema.

Normalized event filters can be created as either inclusion or exclusion filters. Learn about the [difference between inclusion and exclusion filters here](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).

Once you have enabled a raw event filter, monitor its performance by [viewing filtered event metrics](#viewing-filtered-event-metrics).

{% hint style="info" %}
Normalized event filters rely on the schema of the associated log type. If you change the schema, the filter may no longer be applicable—be sure to also update related filters as needed.
{% endhint %}

{% hint style="warning" %}
If you create multiple (inclusion or exclusion) normalized event filters, there is no guarantee of the order they will run in. Because of this, if you are creating multiple `OR` expressions for inclusion, it's recommended to package them within the same filter. If you instead create multiple separate inclusion filters, events you intend to include could be dropped if another filter that is evaluated first does not include them.
{% endhint %}

## How to create a normalized event filter

To create a normalized event filter:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click the name of the log source you'd like to add a filter to.
3. Click the **Filters** tab.
4. On the right-hand side of the **Normalized Events Filters** tile, click **Add Filter**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f1211b6c8df7f5cdf29809d72c5cc29e01a632b1%2Fimage.png?alt=media" alt="Under a &#x22;TestSqs&#x22; header, an arrow is drawn from a Filters tab to an Add Filter button on a Normalized Events Filters tile." width="375"><figcaption></figcaption></figure>
5. A new filter form will be expanded. Configure the filter:
   1. (Optional) Click the pencil icon (<img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c6bdd7f21ad5a1cd45edc84b22f568495de30bec%2FScreenshot%202024-02-09%20at%2012.04.14%20PM.png?alt=media" alt="pencil icon" data-size="line">) to edit the filter's name.
   2. In the **Log Type** dropdown, select the log type this filter should apply to.
   3. In the **Condition** dropdown, make a selection:
      * **Exclude if**: Choose this if you'd like to create an [exclusion filter](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).
      * **Include if**: Choose this if you'd like to create an [inclusion filter](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).
   4. Click **Add Filter**, then configure the filter:
      1. Select an event field from the dropdown. Only fields of the selected log type are shown.
      2. Select an operator (also known as a condition) from the dropdown menu.
         * The dropdown options will be limited to those applicable to the selected field's data type. See [Supported field types and operators](#supported-field-types-and-operators), below.
      3. Enter a value, if the selected operator requires one.
      4. If you would like to create another filter expression:

         * To create an `AND` filter, click outside the expression you just created (but within the same horizontal bar), or press `TAB`.
           * To create an `OR` filter, click **+ Add OR Condition**.

         <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-50c101a0e52db6a2f4b270284fe5c520247085d1%2FScreenshot%202024-02-27%20at%202.41.06%20PM.png?alt=media" alt="A &#x22;Normalized Event filters&#x22; expandable block is shown with fields including &#x22;Log Type,&#x22; &#x22;Exclusion Pattern,&#x22; and Quick Test." width="563"><figcaption></figcaption></figure>
   5. In the upper-right corner, click **Save**.

## Enabling or disabling a normalized event filter

After an ingestion filter has been created, you can enable or disable it:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click the name of the log source you'd like to enable or disable a filter on.
3. Click the **Filters** tab.
4. Locate the filter you'd like to enable or disable, and set its toggle to **Enabled** or **Disabled**.\
   ![A log source titled "Dev account" is shown. An arrow is drawn from a tab called "Filters" to an "Enabled" toggle next to a filter in the "Normalized Events filters" section.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fc2cd88025de20d4c17cbc48979984311410c686%2FScreenshot%202024-02-12%20at%204.58.34%20PM.png?alt=media)\\

## Viewing filtered event metrics

* See [Viewing filtered event volume](https://docs.panther.com/monitoring-log-sources#viewing-filtered-event-volume).

## Supported field types and operators

You can configure filters on event fields with data types in the "Field data type" column. The operators listed in the "Supported operators" column are a subset of the [Search tool's supported operators](https://docs.panther.com/search/search-tool/filter-operators#supported-operators).

<table><thead><tr><th width="205">Field data type</th><th width="263">Notes</th><th>Supported operators</th></tr></thead><tbody><tr><td><code>string</code></td><td></td><td><ul><li>is / is not</li><li>is / is not empty (not the same as "is /is not <code>null</code>")</li><li>is / not in list</li><li>has / does not have substring</li><li>is / is not <code>null</code></li><li>is within <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">CIDR</a></li></ul></td></tr><tr><td><code>boolean</code></td><td></td><td><ul><li>is true / is false</li><li>is / is not <code>null</code></li></ul></td></tr><tr><td><code>number</code><br>(<code>int</code>, <code>bigint</code>, <code>smallint</code>, <code>float</code>)</td><td></td><td><ul><li>equals / does not equal</li><li>is greater than / less than</li><li>is greater than or equal to</li><li>is less than or equal to</li><li>is / is not <code>null</code></li></ul></td></tr><tr><td><code>timestamp</code></td><td></td><td><ul><li>is before / is after</li><li>is / is not <code>null</code></li></ul></td></tr><tr><td><code>array</code></td><td>Filtering is supported only for arrays of primitive types</td><td><ul><li>has / does not have</li><li>is / is not <code>null</code></li></ul></td></tr><tr><td><code>object</code></td><td>Filtering on nested fields is supported</td><td><ul><li>contains / does not contain</li><li>is / is not <code>null</code></li></ul></td></tr><tr><td><code>json</code></td><td>Filtering on nested fields is not supported, but you can use the <code>contains</code> condition<br><br>JSON-type fields will display as <code>object</code> in the Normalized Filter UI.</td><td><ul><li>contains / does not contain</li><li>is / is not <code>null</code></li></ul></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/ingestion-filters/normalized-event.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.