QUESTION

My custom log schema uses a timestamp format of %Y-%m-%d %H:%M:%S.%f %z. Some log entries come in without the microsecond part (.%f). Is there a way to handle both timestamp formats (one with the .%f and one without) in the same schema file without having to treat it as simple string?

ANSWER

Panther version 1.46 introduced support for multiple timestamp formats in a single schema. Timestamps are defined by setting the type field to timestamp and specifying the accepted timestamp formats using the timeFormats field.

You can find more information on how to use multiple timestamp formats in a single schema by following our documentation page on Panther's Timestamps.
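A worked schema fragment for the case in the question, added here as an illustration rather than taken from the original answer or from Panther's own documentation. It lists both formats under timeFormats so that an entry with the microsecond part and an entry without it both parse to a real timestamp; the schema name, the field name ts, the surrounding fields and the isEventTime flag are assumptions for the example, and the exact layout should be checked against the Timestamps documentation page for the Panther version in use.

```yaml
# Added example (not from the original answer): a custom log schema whose
# timestamp field accepts two formats, with and without microseconds.
# Constructed sample lines this schema is meant to cover:
#   {"ts": "2024-03-01 12:34:56.123456 +0000", "msg": "login ok"}
#   {"ts": "2024-03-01 12:34:57 +0000",        "msg": "login failed"}
version: 0
schema: Custom.MyApp        # assumed schema name
fields:
  - name: ts                # assumed field name
    required: true
    description: Event time; some producers omit the fractional seconds
    type: timestamp
    isEventTime: true       # use this field as the event's timestamp
    timeFormats:
      # Formats are tried in order, so list the most specific one first.
      - '%Y-%m-%d %H:%M:%S.%f %z'
      - '%Y-%m-%d %H:%M:%S %z'
  - name: msg
    type: string
```

Listing the format with .%f first matters because a value that carries microseconds does not match the shorter format, while a value without them fails the longer one and falls through to the second entry; keeping the %z suffix on both lines is what preserves the offset instead of silently treating the value as UTC.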