QUESTION

I have a log type with a field that can be one of several data types (for example, sometimes it's a string, boolean and/or other nested fields). Is there a way to allow the data types for the same field when creating the log schema in Panther?

ANSWER

Currently, Panther only supports one data type for each log field in a schema. If you are in the situation of requiring 1 field to match multiple data types, you could specify the field type as json.

By setting the type as json, Panther will allow valid JSON data formats, including:

In the case, it's to be a json object with known nested fields, you can specify the type as object.