Is there a maximum size limit on data that Panther ingests?
When ingesting data from natively Supported Log Sources, Panther already takes the data size into account, and created native Log Source integrations with that in mind.
When using a Custom Log Source, you can send arbitrary data to Panther. Therefore some consideration should be made into the size of the data you are sending.
The maximum size for a single log event is 15MB.
However, when using log sources such as S3 and GCS, you can send objects that contain many events. Usually these objects are compressed, so they can store many different events. For this scenario there is not necessarily a size limit, but Panther does recommend to keep these objects within 20-30MB.
If your log event is too large:
If you want to avoid classification failures due to the large event, you can use Panther's Raw Event Filters. To effectively filter out the large events without also filtering the "correct" events, you need to identify a specific string value or "indicator" within the raw event that distinguishes them from the other events that you do want ingested.