QUESTION

If I have two instances of the same application (for example, Okta) that are receiving logs, and both integrations send data into the same source, how can I differentiate which source a given log came from? Is there a way to add a field which shows the source, or to send the integrations into separate sources?

ANSWER

If your log sources are configured using the default integration, then Panther adds the p_source_id and p_source_label standard fields to the data.

You can try the following query in the Data Explorer (replacing okta_systemlog in the example below with your desired table name).

 SELECT DISTINCT p_source_id, p_source_label 
 FROM panther_logs.public.okta_systemlog 
 LIMIT 10; 

For more information on Panther's standard fields across all log events, check out our documentation page on Standard Fields.
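
The following is an added example, not part of the original answer or of Panther's documentation. It extends the query above into a per-source breakdown, then filters to a single instance. It assumes a Snowflake-backed Data Explorer (for `DATEADD` and `CURRENT_TIMESTAMP`) and uses the `p_event_time` standard field; the label in the second query is a placeholder.

```sql
-- Per-source breakdown for the last 24 hours: one row per log source
-- feeding the table, with its event volume and the time range it covers.
-- A source that is missing here, or whose last_event is stale, has
-- stopped delivering logs.
SELECT
    p_source_id,                      -- unique ID of the log source
    p_source_label,                   -- name given to the source in Panther
    COUNT(*)          AS event_count,
    MIN(p_event_time) AS first_event,
    MAX(p_event_time) AS last_event
FROM panther_logs.public.okta_systemlog
WHERE p_event_time >= DATEADD(day, -1, CURRENT_TIMESTAMP())
GROUP BY p_source_id, p_source_label
ORDER BY event_count DESC;

-- Restrict an investigation to one instance once its label is known.
-- '<your-source-label>' is a placeholder: substitute a p_source_label
-- value returned by the query above.
SELECT *
FROM panther_logs.public.okta_systemlog
WHERE p_source_label = '<your-source-label>'
  AND p_event_time >= DATEADD(day, -1, CURRENT_TIMESTAMP())
ORDER BY p_event_time DESC
LIMIT 100;
```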