After a log event is successfully ingested into Panther, how long does it normally take for me to be able to query the event in the data lake?
We aim for data to be searchable around 5 minutes of ingestion, but under some circumstances, higher latencies can be observed.
Log collection systems upstream of Panther, frequently exhibit latencies exceeding 5 minutes. As a general guideline, it's recommended to wait at least 15 minutes after the ingestion of an event before initiating any queries. This helps mitigate potential issues related to latency. Panther provides a metrics display showing latency for all ingestion sources, enabling customers to understand the specific expected latency for their particular source.