# Raw Event Filters

## Overview

Raw event filters let you define conditions under which ingested events are filtered out. They act on the raw data *before* it is parsed by a log schema, and can be defined using regular expressions or substring patterns.

Raw event filters can be created as either inclusion or exclusion filters. Learn about the [difference between inclusion and exclusion filters here](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).

Once you have enabled a raw event filter, monitor its performance by [viewing filtered event metrics](#viewing-filtered-event-metrics).

{% hint style="warning" %}
If you create multiple raw event filters (inclusion or exclusion), there is no guarantee of the order in which they will run. Take special note of this when creating multiple inclusion filters: because filters run in an unspecified order, events you intend to include could be dropped by another inclusion filter that is evaluated first and does not include them.
{% endhint %}

### Types of raw event filters

There are currently two types of filters:

* **Regex filters:** Events that match the regular expression are dropped (by an exclusion filter) or kept (by an inclusion filter).
  * Regex filters use [Google's RE2 engine](https://github.com/google/re2/wiki/Syntax), so constructs RE2 does not support (such as backreferences) cannot be used.
* **Substring filters:** Events that contain the pattern at least once are dropped (by an exclusion filter) or kept (by an inclusion filter).

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-bca754e651c79bb2cc803f9912e84e3b67ab0ed7%2FScreenshot%202023-07-13%20at%203.27.26%20PM.png?alt=media" alt="In a log event filter, an Exclusion Condition is shown. The filter reads, &#x22;Exclude if&#x22; and a select box is open, showing two options: &#x22;Matches Regex&#x22; and &#x22;Contains&#x22;"><figcaption></figcaption></figure>
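The following Go model is an added example, not Panther's code: it applies "Matches Regex" and "Contains" conditions to unparsed event text with "Include if" / "Exclude if" semantics, using Go's `regexp` package (which implements RE2 syntax) and evaluating filters in a shuffled order to mirror the ordering caveat above. The type, function names and sample events are assumptions.

```go
package main

import (
	"math/rand"
	"regexp"
	"strings"
)

// RawEventFilter is a constructed model (not Panther's code) of one raw event filter:
// a "Contains" condition, or "Matches Regex" when re is set, with include/exclude semantics.
type RawEventFilter struct {
	Name    string
	Include bool   // true = "Include if", false = "Exclude if"
	Pattern string // substring to look for, or the regex source
	re      *regexp.Regexp
}

// NewRegexFilter compiles with Go's regexp (RE2 syntax), so unsupported constructs fail early.
func NewRegexFilter(name, pattern string, include bool) (*RawEventFilter, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	return &RawEventFilter{Name: name, Include: include, Pattern: pattern, re: re}, nil
}

// Matches is the "Quick Test" check: does the condition hold for this raw event?
func (f *RawEventFilter) Matches(raw string) bool {
	if f.re != nil {
		return f.re.MatchString(raw)
	}
	return strings.Contains(raw, f.Pattern)
}

// Drops reports whether this filter alone drops the event: an exclusion filter
// drops matches, an inclusion filter drops non-matches.
func (f *RawEventFilter) Drops(raw string) bool {
	return f.Matches(raw) != f.Include
}

// Keep evaluates the filters in a shuffled order (run order is not guaranteed). The event
// survives only if no filter drops it, so several inclusion filters combine as AND, never OR.
func Keep(filters []*RawEventFilter, raw string, rng *rand.Rand) bool {
	for _, i := range rng.Perm(len(filters)) {
		if filters[i].Drops(raw) {
			return false
		}
	}
	return true
}
```

Run `Keep` with two inclusion filters that match different events and every such event is dropped whatever the order, which is the failure mode the warning describes.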

## How to create a raw event filter

{% hint style="warning" %}
Raw event filters are applied on unparsed events—*not* normalized events, like those visible in the data lake. Ensure you are constructing filters based on raw data. Basing a raw data filter on normalized data could cause false positives and unintentionally dropped data.

To create a filter for parsed events instead, see [Normalized Event Filters](https://docs.panther.com/data-onboarding/ingestion-filters/normalized-event).
{% endhint %}

To create a raw event filter:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click the name of the log source you'd like to add a filter to.
3. Click the **Filters** tab.
4. On the right-hand side of the **Raw Event Filters** tile, click **Add Filter**.\
   ![The "Filters" tab of an "AY Okta" Log source is shown. There is an arrow drawn to a blue "Add Filter" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-b2c23c73bc34c9428348e777ffffc2c28c7ad667%2FScreenshot%202024-02-12%20at%2010.04.04%20AM.png?alt=media)
5. In the new filter form that is expanded, configure the filter:
   1. (Optional) Click the pencil icon (<img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c6bdd7f21ad5a1cd45edc84b22f568495de30bec%2FScreenshot%202024-02-09%20at%2012.04.14%20PM.png?alt=media" alt="pencil icon" data-size="line">) to edit the filter's name.
   2. In the **Condition** dropdown, make a selection:
      * **Exclude if**: Choose this if you'd like to create an [exclusion filter](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).
      * **Include if**: Choose this if you'd like to create an [inclusion filter](https://docs.panther.com/data-onboarding/ingestion-filters/..#inclusion-vs.-exclusion-filters).
   3. Click **+** to add a condition.\
      ![An "Exclusion Condition" is shown. There is an "Exclude if" statement, with a plus sign to its right. The plus sign is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5b60a962845e170d031163099b25e9b05681f98f%2FScreenshot%202023-07-13%20at%2012.42.52%20PM.png?alt=media)
   4. Click **Condition**, and select one of the options below. Learn more about the different ways to construct conditions in [Types of raw event filters](#types-of-raw-event-filters).
      * **Matches Regex**
      * **Contains**\
        ![In a log event filter, an Exclusion Condition is shown. The filter reads, "Exclude if" and a select box is open, showing two options: "Matches Regex" and "Contains"](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a9fcfc49f1df3bc218fef05d66842d3db6a50023%2FScreenshot%202023-07-13%20at%2012.48.03%20PM.png?alt=media)
   5. If you selected the **Matches Regex** condition, enter a regular expression. If you selected the **Contains** condition, enter a string value.
   6. In the **Quick Test** section, enter a raw event to test against the filter you just created.
      * You can click **View raw data** to see raw events received by the source. To the right of an event, click **Test event** to populate the **Raw Event** field in **Quick Test** with the event.\
        ![A list of raw events is shown. Each row has a "Test event" button on the right-hand side. The "Test event" button in the first row is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-64f9ca204689fc4b840c17600ed63875d886ecec%2FScreenshot%202023-07-13%20at%2012.58.31%20PM.png?alt=media)
   7. Click **Run Test**.
      * Notice whether the test event matches the pattern.
   8. The filter is enabled by default. If you would like to disable it, click the **Enabled** toggle.
6. In the upper-right corner, click **Save**.

## Enabling or disabling a raw event filter

After an ingestion filter has been created, you can enable or disable it:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click the name of the log source you'd like to enable or disable a filter on.
3. Click the **Filters** tab.
4. Locate the filter you'd like to enable or disable, and set its toggle to **Enabled** or **Disabled**.\
   ![Under a "Dev account" header, an arrow is pointing from a Filters tab to an "Enabled" toggle on a tile called "Event Based Filter cc4e0a."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fc2cd88025de20d4c17cbc48979984311410c686%2FScreenshot%202024-02-12%20at%204.58.34%20PM.png?alt=media)

## Viewing filtered event metrics

* See [Viewing filtered event volume](https://docs.panther.com/monitoring-log-sources#viewing-filtered-event-volume).
