How do I infer sample CloudWatch Log Events and/or JSON Array Events in Panther?
After uploading a sample file to infer logs, you can select the Stream Type. If you leave this set to auto (the default setting), Panther will automatically detect the appropriate stream type. You can also manually choose lines, JSONArray, or CloudWatch Logs.
Panther has a dedicated CloudWatch Logs stream type because CloudWatch places the actual log events inside the logEvents.message field of each record. So, when you use the auto stream type, Panther identifies your logs as CloudWatch logs and ignores all the other fields, keeping only what's in logEvents.message. This means that, when you try to infer a schema, the wrapper fields will be missing, and only the contents of the message field will be retained.
If you'd like to ingest all the fields from CloudWatch, including the wrapper, you should use the JSON stream type instead. The lines stream type wouldn't work in this case.
Panther supports the JSON stream type for inferring schemas from S3 sources whose files are not newline-delimited or contain multi-line JSON.
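To make the difference concrete, here is an added example (not Panther's own code) that models what each stream type would hand to schema inference for a constructed CloudWatch Logs record. The record shape (messageType, owner, logGroup, logStream, subscriptionFilters, logEvents) follows the standard CloudWatch subscription delivery format; the event messages inside it are constructed sample data.

```python
import json

# Constructed sample: a CloudWatch Logs record in the shape produced by a
# subscription filter delivery. The real log events sit in logEvents[].message
# as strings, which is exactly what the CloudWatch Logs stream type unwraps.
SAMPLE_RECORD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/lambda/example",
    "logStream": "2024/01/01/[$LATEST]abcdef",
    "subscriptionFilters": ["example-filter"],
    "logEvents": [
        {"id": "1", "timestamp": 1704067200000,
         "message": json.dumps({"level": "INFO", "user": "alice", "action": "login"})},
        {"id": "2", "timestamp": 1704067201000,
         "message": json.dumps({"level": "WARN", "user": "bob", "action": "login_failed"})},
    ],
}


def cloudwatch_stream_events(record):
    """Model the CloudWatch Logs stream type: keep only the payload in
    logEvents[].message (parsed as JSON here) and drop every wrapper field."""
    return [json.loads(ev["message"]) for ev in record.get("logEvents", [])]


def json_stream_events(record):
    """Model the JSON stream type: the whole record is one event, wrapper
    fields included; the message strings are not unwrapped by this model."""
    return [record]


def top_level_fields(events):
    """Union of top-level keys across events, roughly what schema inference sees."""
    fields = set()
    for ev in events:
        fields.update(ev.keys())
    return sorted(fields)


def wrapper_fields_dropped(record):
    """Wrapper fields present under JSON that the CloudWatch Logs type discards."""
    kept = set(top_level_fields(cloudwatch_stream_events(record)))
    return sorted(set(top_level_fields(json_stream_events(record))) - kept)


if __name__ == "__main__":
    print("CloudWatch Logs stream type sees:", top_level_fields(cloudwatch_stream_events(SAMPLE_RECORD)))
    print("JSON stream type sees:", top_level_fields(json_stream_events(SAMPLE_RECORD)))
    print("Dropped under CloudWatch Logs:", wrapper_fields_dropped(SAMPLE_RECORD))
```

Run it on one of your own exported records to see which fields a schema inferred under each stream type would and would not contain.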
See Panther's documentation for more information on inferring a schema.