Removing a field from a schema to reduce classification failures in Panther


For a particular log source, most data is ingested into Panther properly, but some events end up unmatched and throw classification errors because of a special character or an uncommonly formatted value in one of the fields.


To resolve this issue, adjust the schema used to ingest data from this log source. If the error occurs in just one field and that field isn't crucial for your purposes, consider removing it from the schema. Panther ingestion will then ignore the field altogether: uncommon formatting in it will no longer cause errors, but you also won't be able to use the field in other Panther workflows.
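
The sketch below is an added example, not Panther's own code or its classifier. It uses simplified type checks and constructed field names and events to show how to confirm that failures come from a single field, and what the schema looks like once that field is removed.

```python
from collections import Counter
from datetime import datetime

# Simplified stand-in for a schema's field list (constructed names and types).
SCHEMA = [
    {"name": "time", "type": "timestamp"},
    {"name": "user", "type": "string"},
    {"name": "bytes_sent", "type": "bigint"},
]

# Constructed events; the last two carry oddly formatted bytes_sent values.
EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "user": "alice", "bytes_sent": 512},
    {"time": "2024-05-01T10:00:05Z", "user": "bob", "bytes_sent": "1,024"},
    {"time": "2024-05-01T10:00:09Z", "user": "carol", "bytes_sent": "-"},
]

def _is_timestamp(value):
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

def _is_int(value):
    try:
        return not isinstance(value, bool) and int(str(value)) is not None
    except ValueError:
        return False

# Assumed, simplified type rules; real ingestion rules may differ.
CHECKS = {"timestamp": _is_timestamp, "bigint": _is_int,
          "string": lambda value: isinstance(value, str)}

def failing_fields(schema, events):
    """Count, per field, the events whose value does not fit the declared type."""
    counts = Counter()
    for event in events:
        for field in schema:
            name = field["name"]
            if name in event and not CHECKS[field["type"]](event[name]):
                counts[name] += 1
    return counts

def without_field(schema, name):
    """Copy of the schema with one field removed; its values are then ignored."""
    return [field for field in schema if field["name"] != name]

def matches(schema, event):
    return not failing_fields(schema, [event])
```

If `failing_fields` reports more than one field, removing a single field will not clear the failures, and another schema adjustment is the better fit.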

For other schema adjustment options, look for other articles related to "classification failures" in our System Errors and Health Notifications section.


This issue occurs when the data ingested doesn't match the schema.