Can I re-ingest log data that failed to ingest in Panther?

Last updated: July 29, 2025

QUESTION

Does Panther support re-ingesting (or "backfilling") logs that failed to ingest?

For example, one of my log sources used a schema that failed to classify the incoming logs. Now that I've fixed the schema, I'd like to re-ingest those logs through the same source.

ANSWER

Starting with Panther version 1.114, it is possible to reprocess events that failed to classify.

When you receive a Classification failure alert, click Mark as Resolved and a Reprocess Events? modal will pop-up with two options:

  • Reprocess Events (Beta): events that failed classification will be processed again.

  • Skip Reprocessing: events that failed classification will not be ingested into Panther.

    Screenshot 2025-07-29 at 7.53.45 AM.png

    Event reclassification is only possible for events that failed classification within the last 15 days.

    If the Classification Failure alert you are resolving contains both events received within the last 15 days and events older than 15 days, only the former will be reprocessed—the latter will be ignored.

Panther also supports backfilling logs through an AWS S3 log source as described here, but not for other log/Data Transport sources at this time.