Filtering (Beta)
Filter incoming log data
Last updated
Was this helpful?
Filter incoming log data
Last updated
Was this helpful?
Raw event filters allow you to filter your log data ingested into Panther, using regex expressions or substrings patterns. Excluding certain events from ingestion can help improve the hygiene of your data lake, and lower costs.
There are currently two types of filters:
Regex filters: Events that match the regex expression will be dropped.
Regex filters use .
Substring filters: Events that include the pattern at least once will be dropped.
To create a raw event filter:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
Provide a value in the Add Filter name or short description field, then click the checkmark to the right of the field to save it.
Matches Regex
If you used the Matches Regex condition, enter a regular expression. If you used the Contains condition, enter a string value.
In the Quick Test section, enter a raw event to test against the filter you just created.
Click Run Test.
Notice whether the test event matches the exclusion pattern.
Click Save.
To enable or disable a filter, by clicking on the toggle in the righthand side corner.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the name of the log source you'd like to add a filter to.
Click the Filters tab.
Click New Filter.
In the Exclusion Condition section, click the + to the right of Exclude if.
Click Condition, and select one of the options below. Learn more about the difference ways to construct exclusion statements in .
Contains
You can click View raw data to see raw events received by the source. To the right of an event, click Test event to populate the Raw Event field in Quick Test with the event.
On the right-hand side of the tile of the filter you would like to enable or disable, click the toggle next to Enabled.
