Skip to content

Filters

To use filters that filter incoming events to be passed to the integration output, the filters option must be specified in the event lane declaration.

Event Lane

In the event lane, specify the path to the filters in the filters option of the integrations section:

/EventLanes/mytenant/fortinet-fortigate-10040.yaml
---
define:
  type: lmio/event-lane
  name: Fortinet FortiGate (10040)

kafka:
  events:
    topic: events.mytenant.fortinet-fortigate-10040  # (required)
  others:
    topic: others.mytenant

integrations:

  raw:
    output_type: tcp
    address: 127.0.0.1 8884
    filters: /Integrations/Filters/AuthenticationFilter.yaml

There can be more filters specified in a list. In this case, events matching at least one filter will be passed to the specified integration output:

/EventLanes/mytenant/fortinet-fortigate-10040.yaml
---
define:
  type: lmio/event-lane
  name: Fortinet FortiGate (10040)

kafka:
  events:
    topic: events.mytenant.fortinet-fortigate-10040  # (required)
  others:
    topic: others.mytenant

integrations:

  raw:
    output_type: tcp
    address: 127.0.0.1 8884
    filters:
      - /Integrations/Filters/AuthenticationFilter.yaml
      - /Integrations/Filters/ConfigurationFilter.yaml

Filter

Filter declarations are located in the /Integrations/Filters/ in the library. The declaration of the filter contains the define and predicate section:

/Integrations/Filters/AuthenticationFilter.yaml
---
define:
  name: AuthenticationFilter
  type: integ/filter

predicate:
  !EQ
  - !ITEM EVENT event.category
  - authentication

Define

Always include in define:

Item in the rule How to include 
name: "(name)"
Name the filter. While the name has no impact on the filter's functionality, it should still be a name that's clear and easy for you and others to understand. 
type: integ/filter
Include this line as-is. The type does impact the rule's functionality.

The following options in define are optional:

Item in the rule How to include 
description: "(description)"
Describe the filter briefly and accurately.

Predicate

The predicate section is the filter itself. When you write the predicate, you use SP-Lang expressions to structure conditions for the filter "allow in" only events that are to be passed to the output.

See this guide to learn more about writing predicates.