Skip to content

Internal traffic exclusion

The internal-traffic filter excludes events that originate from your own team — your office network, your QA pipeline, your sales engineers. Without it, “engaged time” on your homepage is dominated by your own designers iterating on the homepage.

Modes

Section titled “Modes”
INTERNAL_MODE=Tag   # default — persist with is_internal=true
INTERNAL_MODE=Drop  # silently discard

Same trade-off as bot detectionTag is the safer default, Drop saves storage when the operator has decided the filter is correct.

Detection rules

Section titled “Detection rules”

Two rules, both opt-in via env config. A request matches if EITHER fires.

IP CIDR rule

Section titled “IP CIDR rule”
INTERNAL_NETS=10.42.0.0/16,203.0.113.0/24

Comma-separated CIDR list. The collector reads the leftmost address of X-Forwarded-For (set by your reverse proxy) and matches against every configured CIDR. Match label: internal_ip.

Email-domain rule

Section titled “Email-domain rule”
INTERNAL_DOMAINS=mycompany.com,mycompany.dev

Comma-separated domain list. The collector inspects traits.email on identify events and props.email on any event that carries one. If the email’s domain matches, the event AND every subsequent event from the same anon_id for the same session is tagged. Match label: internal_email.

The session-sticky behaviour matters: once an internal user identifies, we don’t want only their identify event tagged — we want everything they did in that session.

Tag mode workflow

Section titled “Tag mode workflow”

Same as bot tagging: is_internal=true rows are persisted, every analytics endpoint filters is_internal=false by default. The bot and internal flags are independent — an event can be is_bot=true, is_internal=true.

Drop mode workflow

Section titled “Drop mode workflow”

Drop mode silently discards matching events. The decision is recorded in Prometheus as syntarie_events_dropped_total{reason="internal"}.

Combining the two rules

Section titled “Combining the two rules”

The two rules are OR’d. A request matches if its IP is in INTERNAL_NETS, OR its email is in INTERNAL_DOMAINS, OR both. This is the right semantic — your internal user might be working from a coffee shop (no IP match) but their identify(traits.email) still fires.

What this is NOT

Section titled “What this is NOT”
  • Not a UTM-source filter. If you want to exclude utm_source=internal campaigns, do that at the analytics query layer — the platform does not ship a generic prop-based exclusion in v1.0.
  • Not a per-site override. The CIDRs and domains are platform-wide. Per-workspace overrides land in v1.1.
  • Not retroactive. Adding a new CIDR today does not retag yesterday’s events. If you need that, manually UPDATE events SET is_internal=true WHERE … in the operator’s SQL session.

Recommendations

Section titled “Recommendations”
  • Set INTERNAL_NETS for your office and VPN egress IPs at minimum.
  • Set INTERNAL_DOMAINS to your primary corporate email domain.
  • Start in Tag mode for a couple of weeks, audit the is_internal=true row count against expectations, then switch to Drop if the storage saving justifies it.