Skip to main content
Panther Knowledge Base

The Okta nested field "logOnlySecurityData" is not succesfully parsed in Panther

  1. Last updated
  2. Save as PDF

Issue

There is a field called logOnlySecurityData in the Okta.SystemLog schema nested under debugContext:debugData:logOnlySecurityData which is not parsed. 

Resolution

This field should be treated as a String type field. To query this field, you can use the LIKE operator.

For example, if you want to extract the events with a MEDIUM risk level, you can try running the following query:

SELECT *
FROM panther_logs.public.okta_systemlog
WHERE debugContext:debugData:logOnlySecurityData LIKE '%"level":"MEDIUM"%'
ORDER by p_event_time DESC
LIMIT 100

Cause

This subfield is received as String from Okta. When a field is defined asJSONin Panther (i.e. the field debugContext), Panther does not proceed with any further modifications to the data.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.