Does my log source overview in the Panther Console report raw ingested log volume or uncompressed?

QUESTION

When I view the log source Overview page in Panther, I can see how much data has been ingested over a given time period. Are the figures reported based on the raw (compressed) data that is sent to Panther, or the data after Panther extracts it for parsing? What is counted towards my Panther account's total volume ingested?

ANSWER

The metrics reported in the Overview page are based on the data as it is received by our parsing engine. If you send compressed data to Panther, it will be decompressed first before being parsed. This can sometimes result in the Overview metrics appearing up to 10 times larger than the compressed source data.

Note: When filtering your log source in Panther, those filtered logs will not count towards your processed data.

Your Panther account's total volume ingested is based on your post-filtered, uncompressed data.

If you're managing large data volumes, here are some strategies that might be helpful:

• Implement raw event filtering to exclude non-essential events from parsing.

• Use the required:true tag to your schema to prevent parsing events that lack specific fields.

• Check out our Knowledge Base article on excluding specific logs or fields from ingestion into Panther.