When ingesting logs via CSV data into Panther, the following classification error occurs:
"wrong number of fields"
This occurs even when the quantity of the fields is correct.
To resolve this issue, try the following:
- Assure that your logs are not using single quotes to indicate your fields' values.
- Export your CSV data using a different delimiter like a comma (,), semicolon (;), tab (\t), space ( ), or pipe (|).
- Also note you will need to update your schema setting the new delimiter.
For more information about parsing CSV formatted logs, check our Panther CSV parser documentation.
This issue occurs because the delimiter is also included in the actual string content of your field. The parser interprets this as a delimiter and not as a value resulting in a wrong field count.