How do I split a single log source into multiple tables based on log content in Panther

Last updated: December 31, 2025

QUESTION

Can Panther ingest the same log source into different tables based on log content? For example, splitting AWS CloudTrail logs where S3 events (like GetObject) go to one table and normal CloudTrail API events go to another table to improve query performance?

ANSWER

To do this:

1. Create two custom schemas that are identical apart from a validate rule on the field you want to split on (for CloudTrail, eventName). Each schema becomes its own table, so both need the full field list.

2. Attach both schemas to the same log source.

3. Instead of using filters, use the validate option at the schema level to decide which events each schema accepts: an allow list on one schema and the same values in a deny list on the other, so that every event matches exactly one of the two schemas.

For example, something like this:

For the first schema (to capture only S3 events like GetObject):

fields:
  # ... the remaining CloudTrail fields, identical in both schemas ...
  - name: eventName
    type: string
    validate:
      allow:
        - GetObject

For the second schema (to capture all events except GetObject):

fields:
  # ... the remaining CloudTrail fields, identical in both schemas ...
  - name: eventName
    type: string
    validate:
      deny:
        - GetObject

If the first table should hold other S3 data events as well (PutObject, DeleteObject and so on), add them to the allow list and to the deny list. The two lists must contain exactly the same values: a value present in only one of them means those events match neither schema or both.
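Keeping two near-identical schemas in sync by hand is where this approach goes wrong in practice: a field edited in one schema but not the other, or an event name added to the allow list but not the deny list. The script below is an added example, not Panther's own tooling or code from this article. It generates both schemas from one base field list, emits them as YAML, and checks that the pair is a clean partition before you upload them. The field subset, the schema names (Custom.CloudTrailS3Data, Custom.CloudTrailManagement) and the S3_DATA_EVENTS list are constructed for the example; marking eventName as required: true is a design choice made here so that an event with no eventName fails both schemas rather than having its routing depend on how an absent field is validated.

```python
import copy
import json

# Constructed subset of the CloudTrail fields (your real schemas carry the full
# list). type, required, isEventTime, timeFormat, indicators and validate are
# Panther custom-schema field attributes; the values here are example choices.
BASE_FIELDS = [
    {"name": "eventVersion", "type": "string"},
    {"name": "eventTime", "type": "timestamp", "timeFormat": "rfc3339",
     "isEventTime": True, "required": True},
    {"name": "eventSource", "type": "string"},
    # required: a missing eventName should fail both schemas (design choice)
    {"name": "eventName", "type": "string", "required": True},
    {"name": "awsRegion", "type": "string"},
    {"name": "sourceIPAddress", "type": "string", "indicators": ["ip"]},
    {"name": "userIdentity", "type": "object", "fields": [
        {"name": "type", "type": "string"},
        {"name": "arn", "type": "string", "indicators": ["aws_arn"]},
        {"name": "accountId", "type": "string"},
    ]},
]

# Constructed list: extend with every S3 data-event name the S3 table should hold.
S3_DATA_EVENTS = ["GetObject", "PutObject"]


def build_split_schemas(base_fields, split_field, values, allow_name, deny_name):
    """Return (allow_schema, deny_schema): identical schemas that differ only in
    the validate rule on split_field, so together they partition the source."""
    def with_rule(rule):
        fields = copy.deepcopy(base_fields)
        for field in fields:
            if field["name"] == split_field:
                field["validate"] = {rule: list(values)}
                return fields
        raise ValueError(f"{split_field!r} is not a top-level field")

    allow = {"schema": allow_name, "version": 0, "fields": with_rule("allow")}
    deny = {"schema": deny_name, "version": 0, "fields": with_rule("deny")}
    return allow, deny


def check_partition(allow_schema, deny_schema, split_field):
    """List the ways the pair fails to be a clean split: differing field sets or
    definitions, or allow/deny lists that do not carry the same values (then
    some events match neither schema, or both). Empty list means OK."""
    problems = []
    a_fields = {f["name"]: f for f in allow_schema["fields"]}
    d_fields = {f["name"]: f for f in deny_schema["fields"]}
    if set(a_fields) != set(d_fields):
        problems.append(f"field sets differ: {sorted(set(a_fields) ^ set(d_fields))}")
    for name in set(a_fields) & set(d_fields):
        a, d = dict(a_fields[name]), dict(d_fields[name])
        if name == split_field:
            allow_vals = set(a.pop("validate", {}).get("allow", []))
            deny_vals = set(d.pop("validate", {}).get("deny", []))
            if not allow_vals:
                problems.append(f"{name}: no allow values, nothing is split")
            if allow_vals != deny_vals:
                problems.append(f"{name}: allow {sorted(allow_vals)} != deny {sorted(deny_vals)}")
        if a != d:
            problems.append(f"{name}: definition differs between the two schemas")
    return problems


def _scalar(value):
    """Render a scalar; quote only strings YAML could misread (bare numbers,
    booleans, leading indicator characters, ': ' or ' #' inside the text)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    risky = (not text or text[0] in "-?:,[]{}#&*!|>'\"%@`" or ": " in text
             or " #" in text or text.strip() != text
             or text.lower() in {"true", "false", "null", "yes", "no", "~"}
             or text.replace(".", "", 1).isdigit())
    return json.dumps(text) if risky else text


def to_yaml(obj, indent=0):
    """Emit block-style YAML lines for nested dicts/lists of scalars (a small
    emitter written for this example so it runs without PyYAML)."""
    pad, lines = " " * indent, []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(value, indent + 2))
            elif isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}: " + ("{}" if isinstance(value, dict) else "[]"))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 2) or ["{}"]
                lines.append(f"{pad}- {sub[0].lstrip()}")  # first key shares the "- " line
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render(schema):
    return "\n".join(to_yaml(schema)) + "\n"


if __name__ == "__main__":
    allow, deny = build_split_schemas(BASE_FIELDS, "eventName", S3_DATA_EVENTS,
                                      "Custom.CloudTrailS3Data", "Custom.CloudTrailManagement")
    for problem in check_partition(allow, deny, "eventName"):
        raise SystemExit(f"schemas do not partition the source: {problem}")
    for schema in (allow, deny):
        print(f"# --- {schema['schema']} ---")
        print(render(schema))
```

Run it whenever the base field list or the event-name list changes and upload the two printed documents; check_partition refuses to emit anything when the two schemas have drifted apart or when the allow and deny lists no longer match, which is the mistake that silently drops events or makes them match both tables.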