Panther Knowledge Base

Troubleshooting CLI errors with "pantherlog parse"

Issue

When trying to parse a log file using pantherlog, I see one of the following errors:

  • no schema entry for "test.yml" from the command $ pantherlog parse --schemas test.yml test.csv
  • invalid stream type "csv" (or whichever type you specified), from the command $ pantherlog parse --stream csv test.csv
  • WARN classification failure [then lots of output] from the command $ pantherlog parse test.csv test.yml
  • validation failed with 3 problems

Resolution

To resolve this issue, use the basic command for parsing a file, shown below. This is also documented here, but the --schemas option is optional.

$ pantherlog parse --path test.yml test.csv

In addition, ensure that you are using the most up-to-date version of pantherlog.

Cause

The numbered causes below correspond, in order, to the errors listed under Issue.

  1. The --schemas option checks for schemas that came with Panther. To designate a schema of your own choice to use with this parse operation, use the --path option.
  2. CSV isn't a stream type that pantherlog knows how to use. Run pantherlog --help to see a list of valid stream types.
  3. At least one option is missing here. See the command under Resolution for an example of a command that could work with valid files, or run pantherlog --help to see the recommended way to order the commands and options.
  4. Validation can fail if there are issues with a schema, such as syntax errors or compatibility issues due to using an outdated pantherlog tool.