The following error appears on a log source in the Panther Console:
Error: Field validation for '<Field>' failed on the 'required' tag
This error can appear for supported logs or custom logs.
How do I resolve this error? Once I resolve it, how can I re-ingest the failed logs?
To troubleshoot the error:
In the Panther Console, click Configure > Log Sources on the left sidebar.
Click the log source name, then click the Schemas tab to navigate to the log source's schema definition.
Locate the field for which the error message is returned.
For example, if the error message contains the reference Field_4_Ip, then you can look for a field named ip in your schema.
Identify whether this field is declared as required, as shown in the example below:
- name: ip
  required: true
  type: string
If the field is required, check the raw events that are causing the error message to appear. The most probable scenario is that this field is missing from the raw events.
If the field is not always present in the raw events that are coming to your log source, then you can remove the required flag from the field's definition in the schema, as shown in the example below:
- name: ip
  type: string
After removing the required flag, check to see if the events are arriving without causing the error message.
If everything seems as expected, then you're good to go! If not, you can always contact Panther Support.
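One way to carry out the raw-event check from the steps above offline, as an added example (not Panther's own code or tooling): the script counts, for each field marked required, which sample events lack it. The schema fields and events are constructed, only top-level fields are checked, and treating an absent key or a JSON null as missing is an assumption.

```python
import json

# Constructed schema fields modelled on the page's example (not a real log source).
SCHEMA_FIELDS = [
    {"name": "ip", "required": True, "type": "string"},
    {"name": "user", "required": True, "type": "string"},
    {"name": "action", "type": "string"},
]

# Constructed raw events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ip": "192.0.2.10", "user": "alice", "action": "login"}
{"user": "bob", "action": "login"}
{"ip": null, "user": "carol"}
not-json
{"ip": "192.0.2.11", "user": "dave"}
"""

def audit_required(fields, raw_lines):
    """Return ({field: [line numbers missing it]}, [unparseable line numbers])."""
    required = [f["name"] for f in fields if f.get("required")]
    missing = {name: [] for name in required}
    unparseable = []
    for lineno, line in enumerate(raw_lines.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparseable.append(lineno)
            continue
        if not isinstance(event, dict):
            unparseable.append(lineno)
            continue
        for name in required:
            # Assumption: an absent key or a JSON null counts as "missing".
            if event.get(name) is None:
                missing[name].append(lineno)
    return missing, unparseable

def optional_candidates(missing):
    """Required fields that at least one sample event lacks."""
    return sorted(name for name, lines in missing.items() if lines)

if __name__ == "__main__":
    missing, bad = audit_required(SCHEMA_FIELDS, SAMPLE_EVENTS)
    for name, lines in missing.items():
        print(f"{name}: missing in lines {lines or 'none'}")
    print("unparseable lines:", bad)
    print("candidates for dropping 'required':", optional_candidates(missing))
```

Fields that no sample event lacks can stay required; unparseable lines are reported separately because they are a different problem from a missing required field.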
Re-ingesting the failed logs
The failed logs are not automatically re-ingested. To re-ingest them, see this KB article, which describes how to backfill logs into Panther: Can I backfill the logs of a new log source into Panther?
Note: Duplicates might be created if some of the backfilled events of a file have already been ingested without issues.
This error message indicates that a required field in the schema definition is missing from the raw events that were ingested.