Panther Knowledge Base

How can I investigate log classification errors in Panther?

QUESTION

If you see a System Health Notification alert for a log source, such as the following:

Source has turned Unhealthy
Log(s) cannot be properly classified into attached schemas

You may want to see a sample of the logs that failed, and which attached schemas they were tested against, before deciding whether the logs or the schemas need fixing. How can you find out what this alert is for?


ANSWER

  1. Open the Panther Console and go to Integrations > Log Sources.
  2. Find the log source in question, either by scrolling or by typing its name in the box at the top that says "Filter Log Sources by text."
  3. Once you've found the source, look at the end of its health error message and click the "View Alerts" link there. This opens the System Health alerts for that source, which carry additional detail about why classification failed.

Alternatively, in the Data Explorer, use this query to pull the most recent classification failures for a single source. p_occurs_since is a Panther query macro that restricts the scan to the given time window; p_source_label is the display name of the log source as shown in the console.

select *
  from panther_monitor.public.classification_failures
 where p_occurs_since('48 hours')            -- look-back window; adjust as needed
   and p_source_label = 'Your log source name' -- exact source name from Integrations > Log Sources
 order by p_parse_time desc                   -- newest failures first
 limit 10

 If your Panther instance doesn't use Snowflake, omit .public from the database name(s).
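When the alert does not name which of several sources is failing, or you want to know whether failures are a one-off burst or an ongoing mismatch, it helps to summarise the table before sampling rows. The query below is an added example, not from the Panther article; it references only the columns the article's own query uses (p_source_label and p_parse_time) together with the p_occurs_since macro, and it assumes a Snowflake backend (drop .public elsewhere, as noted above).

```sql
-- Added example: rank log sources by classification failures over the last
-- 48 hours and show how the failures are spread in time.
--   failures        : total failed events per source in the window
--   hours_affected  : number of distinct hours with at least one failure;
--                     many hours = persistent schema mismatch, one or two
--                     hours = a burst (e.g. a one-time format change or a
--                     bad batch of files)
--   first_seen/last_seen : bounds of the failure window, which you can
--                     line up with recent schema edits or upstream changes
select p_source_label,
       count(*)                                         as failures,
       count(distinct date_trunc('hour', p_parse_time)) as hours_affected,
       min(p_parse_time)                                as first_seen,
       max(p_parse_time)                                as last_seen
  from panther_monitor.public.classification_failures
 where p_occurs_since('48 hours')   -- same look-back as the sampling query
 group by p_source_label
 order by failures desc;
```

Run this first, then plug the top p_source_label into the sampling query above to inspect the raw events. A source with a large failure count but a last_seen well in the past has usually already been fixed (or the feed stopped), whereas a last_seen close to now means the schema or the producer still needs attention.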

