QUESTION

How do I infer sample CloudWatch Log Events and/or JSON Array Events in Panther?

ANSWER

After uploading a sample file to infer logs, you can select the Stream Type. If you leave this set to auto (the default setting), Panther will automatically detect the appropriate stream type. You can also manually choose lines, JSONArray, or CloudWatch Logs.

Regarding the CloudWatch Logs, Panther has a specific log stream type to handle them because CloudWatch places the actual log events inside the logEvents.message field. So, when you use the auto stream type, Panther identifies your logs as CloudWatch logs and ignores all the other fields, keeping only what's in the logEvents.message field. This would mean that, when you try to infer a schema, the other fields will be missing, and only the contents of the message field will be retained.

If you'd like to ingest all the fields from CloudWatch, though, you should try using the JSON stream type. The lines stream type wouldn't work in this case.

Panther supports JSON stream types for inferring schemas from an S3 source that are not newline-delimited or are multi-line JSON.

See Panther's documentation for more information on inferring a schema.
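As an added illustration (not code from the answer above and not Panther's own implementation), the following Python script models the stream types the answer describes and runs them over a constructed CloudWatch Logs subscription-filter envelope. The envelope layout (messageType, owner, logGroup, logStream, subscriptionFilters, logEvents[].message) is the standard one AWS emits; the field values, the `looks_like_cloudwatch` detection heuristic standing in for "auto", and the `inferred_fields` stand-in for schema inference are assumptions made for this example. Running it shows why the auto/CloudWatch Logs type surfaces only the fields inside `logEvents[].message`, why the JSON type keeps the whole envelope, and why the lines type parses nothing from pretty-printed, multi-line JSON.

```python
import json
from typing import Any

# Constructed sample (not real data): the envelope a CloudWatch Logs subscription
# filter delivers. The log lines themselves are strings inside logEvents[].message,
# which is the detail the answer turns on.
CLOUDWATCH_RECORD: dict[str, Any] = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/aws/lambda/orders-api",
    "logStream": "2024/05/01/[$LATEST]abc123",
    "subscriptionFilters": ["panther-subscription"],
    "logEvents": [
        {"id": "1", "timestamp": 1714550400000,
         "message": json.dumps({"level": "INFO", "user": "alice", "action": "login"})},
        {"id": "2", "timestamp": 1714550401000,
         "message": json.dumps({"level": "WARN", "user": "bob", "action": "login", "failed": True})},
        {"id": "3", "timestamp": 1714550402000,
         "message": "START RequestId: 7f1e Version: $LATEST"},  # plain text, not JSON
    ],
}

# Three layouts the same record might have in an uploaded sample file (constructed).
PRETTY_TEXT = json.dumps(CLOUDWATCH_RECORD, indent=2)                     # multi-line JSON
NDJSON_TEXT = "\n".join(json.dumps(CLOUDWATCH_RECORD) for _ in range(2))  # newline-delimited
ARRAY_TEXT = json.dumps([CLOUDWATCH_RECORD, CLOUDWATCH_RECORD])           # one JSON array

def parse_message(message: str) -> dict[str, Any]:
    """Parse one log line; anything that is not a JSON object is kept as a single text field."""
    try:
        parsed = json.loads(message)
    except json.JSONDecodeError:
        return {"message": message}
    return parsed if isinstance(parsed, dict) else {"message": message}

def json_stream(text: str) -> list[dict[str, Any]]:
    """'JSON' stream type: each whole JSON document is one event, envelope fields included.
    raw_decode handles pretty-printed and back-to-back documents that 'lines' cannot."""
    decoder, events, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events

def json_array_stream(text: str) -> list[dict[str, Any]]:
    """'JsonArray' stream type: the file is one JSON array whose elements are the events."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("JsonArray input must be a top-level JSON array")
    return data

def lines_stream(text: str) -> tuple[list[dict[str, Any]], int]:
    """'lines' stream type: one JSON object per line. Returns (events, unparseable_line_count)."""
    events, failed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            events.append(obj)
        else:
            failed += 1
    return events, failed

def cloudwatch_stream(text: str) -> list[dict[str, Any]]:
    """'CloudWatch Logs' stream type as the answer describes it: discard the envelope
    and keep only the contents of each logEvents[].message."""
    return [parse_message(e["message"]) for doc in json_stream(text) for e in doc["logEvents"]]

def looks_like_cloudwatch(doc: Any) -> bool:
    """Assumed detection heuristic for the 'auto' stream type (not Panther's actual logic)."""
    return isinstance(doc, dict) and "logEvents" in doc and "messageType" in doc

def auto_stream(text: str) -> tuple[str, list[dict[str, Any]]]:
    """Assumed 'auto' behaviour: CloudWatch envelopes are unwrapped, anything else is kept whole."""
    docs = json_stream(text)
    if docs and all(looks_like_cloudwatch(d) for d in docs):
        return "CloudWatch Logs", cloudwatch_stream(text)
    return "JSON", docs

def inferred_fields(events: list[dict[str, Any]]) -> dict[str, set[str]]:
    """Minimal stand-in for schema inference: top-level field name -> value types seen."""
    fields: dict[str, set[str]] = {}
    for event in events:
        for key, value in event.items():
            fields.setdefault(key, set()).add(type(value).__name__)
    return fields

if __name__ == "__main__":
    for name, events in (("auto", auto_stream(PRETTY_TEXT)[1]), ("JSON", json_stream(PRETTY_TEXT))):
        print(f"{name:>5}: {sorted(inferred_fields(events))}")
    events, failed = lines_stream(PRETTY_TEXT)
    print(f"lines on multi-line JSON: {len(events)} events, {failed} unparseable lines")
```

With the auto/CloudWatch Logs path the inferred field set is only what the application logged (action, failed, level, message, user); with the JSON path it is the envelope (logEvents, logGroup, logStream, messageType, owner, subscriptionFilters) and the nested message strings are left unparsed, which is the trade-off the answer points at. The lines path yields zero events on the pretty-printed sample but two on the newline-delimited one, so if a sample file that should parse produces nothing, checking whether it is really one-object-per-line is the first thing to try.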