Skip to main content

Event Filtering

Some events, such as HTTP Request Complete and TCP Connection Closed, are high cardinality events. As such, these events can quickly hit the limits of the receiving destination. To reduce the number of events returned from these sources, you can add filtering logic to only allow specific events through to your destination.

The filtering syntax follows Google's Common Expression Language (CEL) Syntax. All expressions start with ev. which corresponds to the object field of the event. From there, you can use standard JSONPath syntax to find the particular field you are interested in. See the examples below for ideas.

The only events that can be filtered today are http_request_complete.v0 and tcp_connection_closed.v0. Not all selectable fields are usable in filters. A field marked "filterable" indicates that it is usable in the filter for an event source.

Filter Examples

Log requests to an endpoint that didn't use TLS:
ev.conn.server_name.matches(".*-your-org\\.ngrok\\.dev") &&
ev.conn.server_port == 80
Only allow events from the hostname
Only allow events that aren't from this client IP and attempting to access
ev.conn.client_ip != "2601:0:8200:0:4cd7:fd52:0:7823" && 
ev.conn.server_name == ""