How to resolve “Failed to infer schema: Must validate one and only schema (oneOf); Does not match pattern” when inferring schema in Panther?
Issue
When trying to use Infer Schema with a sample log file in Panther, the following error occurs:
failed to infer schema: Must validate one and only schema (oneOf); Does not match pattern '^[A-Za-z_!#%&',/=@\$\*\+\\~]+.'
Resolution
To resolve this issue, make sure the field names in your log files do not start with a number.
This syntax will infer successfully:
"field": { "a123456": { } }
This syntax will cause the error:
"field": { "123456": { } }
If you can't reshape the incoming data or prevent the field from being named with a number, you'll need to cast the problem object as JSON.
As a workaround to infer the schema with your logs, we suggest the following steps:
1. Do a regex search in your logs to replace the offending fields. For example, if some of your log field names are numbers, use the following pattern for the regex search:
   "\d+":\s
2. Rename those fields to something else.
3. Infer the schema.
4. Edit the inferred schema and change the field type from OBJECT to JSON:
   - name: field
     type: json
5. Remove the problem field(s) from the schema.
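As an added example (not Panther's own tooling), the following Python script automates steps 1 and 2 for a newline-delimited JSON sample: it walks nested objects rather than relying on a text regex, prefixes every key that starts with a digit, and lists the parent objects you would then switch from OBJECT to JSON in step 4. The function names, the `n_` prefix and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Per the article: a field name must not start with a number.
LEADING_DIGIT = re.compile(r"^\d")

def rename_numeric_keys(value, prefix, path, parents):
    """Copy value, prefixing keys that start with a digit.

    The path of each object holding such a key is added to parents; those
    are the fields to switch from OBJECT to JSON after inference.
    """
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            new_key = key
            if LEADING_DIGIT.match(key):
                new_key = prefix + key
                if new_key in value:
                    raise ValueError(f"{new_key!r} already exists under {path or '<root>'}")
                parents.add(path or "<root>")
            child_path = f"{path}.{key}" if path else key
            out[new_key] = rename_numeric_keys(child, prefix, child_path, parents)
        return out
    if isinstance(value, list):
        return [rename_numeric_keys(v, prefix, path + "[]", parents) for v in value]
    return value

def prepare_sample(lines, prefix="n_"):
    """Rewrite newline-delimited JSON events so Infer Schema accepts them."""
    parents = set()
    cleaned = []
    for line in lines:
        if line.strip():
            event = rename_numeric_keys(json.loads(line), prefix, "", parents)
            cleaned.append(json.dumps(event))
    return cleaned, sorted(parents)

# Constructed sample events (not real Panther logs).
SAMPLE = [
    '{"field": {"123456": {"status": "ok"}, "789": {"status": "fail"}}, "user": "alice"}',
    '{"field": {"a123456": {}}, "items": [{"1st": true}]}',
]

if __name__ == "__main__":
    cleaned, parents = prepare_sample(SAMPLE)
    print("\n".join(cleaned))
    print("Objects to type as JSON:", ", ".join(parents))
```

The script raises an error instead of silently overwriting data when a prefixed name would collide with an existing key in the same object.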
Cause
This issue occurs when a number is used as a field name. Only specific characters are permitted at the beginning of the name, and it cannot be a number:
^[A-Za-z_!#%&',/=@\$\*\+\\~]+.