Pantherlog error: "Error: Not equal: expected: """ when testing a custom schema in Panther
Last updated: September 3, 2024
Issue
When testing a custom schema in Panther using Pantherlog, the following error occurs:
00:03:13 ERROR
Error Trace: /home/runner/work/panther-enterprise/panther-enterprise/panther-enterprise/internal/log_analysis/log_processor/logtypes/logtesting/logtesting.go:180
Error: Not equal:
expected: ""
actual : "Custom.XX"
Diff:
--- Expected
+++ Actual
@@ -1 +1 @@
-
+Custom.XX
Messages: p_log_type
{"testFile": "tests/XX.yml", "testName": "XX"}
00:03:13 ERROR FAIL: 0/0 tests failed in tests/XX.yml {"testFile": "tests/XX.yml"}
00:03:13 ERROR FAIL: 1/1 tests failed
one or more tests failed
Resolution
To resolve this issue:
Ensure that you have added the Panther Standard Fields (p_* values) to your test event. These values are expected and should be present in the test result.
If the issue still occurs, ensure that all the "required: true" fields and their expected values are present in the test result.
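The two checks above, shown on a test file. This is an added example, not taken from Panther's documentation or from the original article: the schema name Custom.Example, the event fields, and the test-file keys (name, logType, input, result) are assumptions.

```yaml
# Constructed test case for a hypothetical schema named Custom.Example.
# The key names (name, logType, input, result) are assumed; compare them
# with the test files you already use.
name: Example login event
logType: Custom.Example
input: |
  {"user": "alice", "action": "login"}

# Failing form (kept as a comment): the result repeats the input fields only.
# p_log_type is absent, so the comparison reports
#   expected: ""   actual: "Custom.Example"
#
# result: |
#   {"user": "alice", "action": "login"}

# Corrected form: the result also carries the Panther Standard Field that
# the parser populates, plus every field the schema marks "required: true"
# (assumed here to be user and action).
result: |
  {
    "user": "alice",
    "action": "login",
    "p_log_type": "Custom.Example"
  }
```

If the next run names a different p_* field in its "Messages:" line, add that field to the result in the same way.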
Cause
This issue occurs when the Panther Standard Fields are not present in the test result. However, these fields are expected since they are automatically populated when a new event is being parsed.