Skip to main content
Panther Knowledge Base

How to identify the source of a log in Panther

QUESTION

If I have two instances of the same application (for example, Okta) that are receiving logs, and both integrations send data into the same source, how can I differentiate which source a given log came from? Is there a way to add a field which shows the source, or to send the integrations into separate sources?

ANSWER

If your log sources are configured using the default integration, then Panther adds the p_source_id and p_source_label fields to the data.

One way to confirm this is to try the following in the Data Explorer (replacing okta_systemlog in the example below with your desired table name).

 SELECT DISTINCT p_source_id, p_source_label FROM panther_logs.public.okta_systemlog LIMIT 10;