Does Panther offer any way to split 1 incoming event into several separate events?
Last updated: July 4, 2025
QUESTION
I have a log source which formats log events as a single "event" which contains an array of JSON objects. I'd like to treat each item in the array as its own event, similar to the unwind transformation from MongoDB. Does Panther provide any way to do this during ingest?
ANSWER
Panther does not currently support separating multiple logs from a single payload array during ingestion. If you are interested in supporting this feature, please contact Panther Support to put in a request.
There are a few workaround options:
1. Separate the string values in your data lake queries using PantherFlow after the events are stored in the data lake. Please refer to our knowledge base article for an example.
2. Create a scheduled query using LATERAL FLATTEN to break the event into multiple rows with the desired fields. Each row returned by the scheduled query will be treated as a separate event. Note that this approach will only store events in the correlation_signals table when there is a match with the scheduled rule; the events won't be stored in the logs table.
3. Separate the log events before Panther processes them. We recommend using a preprocessor such as Cribl, Fluentd, or a custom-scripted solution.
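The third option, a custom-scripted preprocessor, is shown below as an added example; it is not Panther's code and not part of the original article. It implements the MongoDB-style unwind the question asks about: one incoming payload that wraps an array of JSON objects is split into one newline-delimited JSON event per array element, with the wrapper's other fields copied into every emitted event so batch context is not lost. The sample payload, the `events` array name and the `unwind_index` field are constructed for the example; the array path and the treatment of missing, null, empty and non-array values are configurable, so the code goes slightly beyond the single case in the question.

```python
"""Unwind an array field of a JSON log payload into one event per element.

Hypothetical pre-processing step (not Panther's own code): run it before
shipping logs to Panther so that each emitted NDJSON line is ingested as
its own event.
"""
import json
from typing import Any, Dict, Iterator, List

# Constructed sample payload: one "event" wrapping several records.
SAMPLE_PAYLOAD = json.dumps({
    "source": "auditd-batch",
    "received_at": "2025-07-04T12:00:00Z",
    "events": [
        {"user": "alice", "action": "login", "result": "success"},
        {"user": "bob", "action": "sudo", "result": "failure"},
        {"user": "carol", "action": "logout", "result": "success"},
    ],
})


def unwind(payload: Dict[str, Any], path: str, preserve_empty: bool = False) -> Iterator[Dict[str, Any]]:
    """Yield one copy of `payload` per element of the array found at `path`.

    `path` is dot-separated ("data.items"). Semantics mirror MongoDB's
    $unwind: a missing, null or empty array yields nothing unless
    preserve_empty is set (then the payload passes through unchanged), and a
    non-array value is treated as a single-element array. Every other field of
    the wrapper is copied into each emitted event.
    """
    keys = path.split(".")
    parent: Any = payload
    for key in keys[:-1]:
        parent = parent.get(key) if isinstance(parent, dict) else None
        if parent is None:
            break
    value = parent.get(keys[-1]) if isinstance(parent, dict) else None

    if value is None or value == []:
        if preserve_empty:
            yield payload
        return
    if not isinstance(value, list):
        value = [value]

    for index, item in enumerate(value):
        # JSON round-trip is a cheap deep copy for plain JSON data.
        event = json.loads(json.dumps(payload))
        # Walk the same path in the copy and replace the array with one element.
        target = event
        for key in keys[:-1]:
            target = target[key]
        target[keys[-1]] = item
        # Assumed helper field: position within the original array, useful for
        # ordering and de-duplication once the wrapper is gone.
        event["unwind_index"] = index
        yield event


def split_payload(raw: str, path: str, preserve_empty: bool = False) -> List[Dict[str, Any]]:
    """Parse one raw JSON payload and return the list of unwound events."""
    return list(unwind(json.loads(raw), path, preserve_empty))


def to_ndjson(events: List[Dict[str, Any]]) -> str:
    """Serialise events as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(ev, separators=(",", ":")) for ev in events)


if __name__ == "__main__":
    # Three events come out of the constructed sample, one per array element.
    print(to_ndjson(split_payload(SAMPLE_PAYLOAD, "events")))
```

Point a log shipper at the NDJSON output (or run this as a transform stage inside the preprocessor) and Panther sees three independent events instead of one wrapper. The default of dropping empty arrays matches MongoDB's behaviour; set `preserve_empty=True` if a batch with no records should still produce a heartbeat-style event.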