Issue

When trying to use Infer Schema with a sample log file in Panther, the following error occurs:

failed to infer schema: Must validate one and only schema (oneOf); Does not match pattern '^[A-Za-z_!#%&',/=@\$\*\+\\~]+.'

Resolution

To resolve this issue, make sure the field names in your log files do not start with a number.

This syntax will infer successfully:

"field": {
    "a123456": { }
}

 

This syntax will cause the error:

"field": {
    "123456": { }
}


If you can't reshape the incoming data or prevent the field from being named with a number, you'll need to cast the problem object as JSON.

As a workaround to infer the schema with your logs, we suggest the following steps:

  1. Do a regex search in your logs to replace the offending fields. For example, if some of your log field names are numbers, use the following pattern for the regex search:

"\d+":\s

  2. Rename those fields to something else.

  3. Infer the schema.

  4. Edit the inferred schema and change the field type from OBJECT to JSON:

    - name: field
      type: json

  5. Remove the problem field(s) from the schema.
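The search-and-rename steps above can also be done by parsing each sample line as JSON, which avoids touching string values that merely look like a numeric key. This is an added example, not Panther code; the function names, the `n_` prefix, and the sample lines are assumptions made for illustration.

```python
import json
import re

# Constructed sample log lines (JSON Lines); not real Panther data.
SAMPLE_LINES = [
    '{"event": "login", "field": {"123456": {"ok": true}, "a1": {}}}',
    '{"event": "note", "msg": "\\"42\\": text", "items": [{"7": 1}]}',
]

LEADING_DIGIT = re.compile(r"^\d")


def _walk(value, path, prefix, parents):
    """Copy value, prefixing object keys that start with a digit."""
    if isinstance(value, list):
        return [_walk(v, path + "[]", prefix, parents) for v in value]
    if not isinstance(value, dict):
        return value  # scalars (including strings like '"42": text') are untouched
    out = {}
    for key, child in value.items():
        new_key = key
        if LEADING_DIGIT.match(key):
            new_key = prefix + key  # hypothetical rename: 123456 -> n_123456
            parents.add(path or "<root>")
        if new_key in out or (new_key != key and new_key in value):
            raise ValueError(f"renamed key collides at {path!r}: {new_key!r}")
        child_path = f"{path}.{new_key}" if path else new_key
        out[new_key] = _walk(child, child_path, prefix, parents)
    return out


def sanitize_line(line, prefix="n_"):
    """Return (rewritten JSON line, sorted paths of objects that held bad keys)."""
    parents = set()
    cleaned = _walk(json.loads(line), "", prefix, parents)
    return json.dumps(cleaned), sorted(parents)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        fixed, where = sanitize_line(raw)
        print(fixed)
        print("  objects to type as json:", where)
```

The paths it reports are the parent objects whose type you change to JSON after inferring the schema from the rewritten sample.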

Cause

This issue occurs when a number is used as a field name. Only the characters matched by the following pattern are permitted at the beginning of the name, so the name cannot be a number:

^[A-Za-z_!#%&',/=@\$\*\+\\~]+.