When trying to use Infer Schema with a sample log file in Panther, the following error occurs:
failed to infer schema: Must validate one and only schema (oneOf); Does not match pattern '^[A-Za-z_!#%&',/=@\$\*\+\\~]+.'
To resolve this issue, make sure the field names in your log files do not start with a number.
This syntax will infer successfully:
"field": {
"a123456": { }
}
This syntax will cause the error:
"field": {
"123456": { }
}
If you can't reshape the incoming data or prevent a field from being named with a number, you'll need to cast the problem object as JSON.
As a workaround to infer the schema with your logs, we suggest the following steps:
1. Do a regex search in your logs to find the offending fields. For example, if some of your log field names are numbers, use the following pattern for the regex search:
   "\d+":\s
2. Rename those fields to something else.
3. Infer the schema.
4. Edit the inferred schema and change the field type from OBJECT to JSON:
   - name: field
     type: json
5. Remove the problem field(s) from the schema.
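The search-and-rename steps above can also be done by parsing the sample instead of editing it as text. The script below is an added example, not Panther's code or part of the original article: it goes beyond the all-digit pattern by catching any key that starts with a digit, and it reports which parent objects held such keys, which are the fields to set to type json afterwards. The sample lines, the f_ prefix and the function names are assumptions.

```python
import json

# Constructed sample log lines (NDJSON), not taken from the page.
SAMPLE = [
    '{"time": "2024-01-01T00:00:00Z", "field": {"123456": {"ok": true}}}',
    '{"time": "2024-01-01T00:00:05Z", "field": {"a123456": {}}}',
    '{"time": "2024-01-01T00:00:09Z", "items": [{"meta": {"7days": 1}}]}',
]
PREFIX = "f_"  # hypothetical rename prefix, an assumption of this example


def sanitize(value, path, parents):
    """Copy value, renaming keys that start with a digit.

    parents collects the dotted path of each object that held such a key:
    these are the fields to change from OBJECT to JSON after inference.
    """
    if isinstance(value, list):
        return [sanitize(v, path, parents) for v in value]
    if not isinstance(value, dict):
        return value
    out = {}
    for key, child in value.items():
        new_key = key
        if "0" <= key[:1] <= "9":  # ASCII digit first; empty keys are skipped
            parents.add(path or "<root>")
            new_key = PREFIX + key
            while new_key in value or new_key in out:  # keep real keys intact
                new_key = "_" + new_key
        child_path = f"{path}.{key}" if path else key
        out[new_key] = sanitize(child, child_path, parents)
    return out


def prepare_sample(lines):
    """Return (sanitized events, sorted paths of objects to type as json)."""
    parents, events = set(), []
    for line in lines:
        if line.strip():
            events.append(sanitize(json.loads(line), "", parents))
    return events, sorted(parents)


if __name__ == "__main__":
    events, parents = prepare_sample(SAMPLE)
    for event in events:
        print(json.dumps(event))  # sanitized sample to use for inference
    print("Change to type json:", ", ".join(parents))
```
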
This issue occurs when a number is used as a field name. Only the specific characters in the following pattern are permitted at the beginning of the name, and it cannot be a number:
^[A-Za-z_!#%&',/=@\$\*\+\\~]+.