Can I get the data volume breakdown by columns in Panther Search?

Last updated: February 21, 2026

QUESTION

Can I view data volume breakdowns by specific columns within a log source in Panther? For example, I want to see which event types in my AWS CloudTrail logs are contributing the most to my ingestion volume.

ANSWER

No, you cannot. While Panther's built-in dashboards provide volume breakdowns by log type and log source, there isn't currently a native feature to view data volume by specific columns through the Search interface.

However, you can use a custom SQL query to estimate volume breakdown by column. For example, you can use the following query to estimate volume by eventName in AWS.CloudTrail logs:

select data:eventName as eventName, sum(octet_length(data))/1024/1024 as vol_mb 
from panther_logs.public.aws_cloudtrail_variant -- use variant tables
where p_occurs_since(30d)
group by eventName
order by vol_mb desc

Important notes about this query:

  • This reflects the compressed size of the data field, so it is not analogous to the billable ingestion volume

  • It does not include p_ fields in the calculation, though those are generally small relative to the raw log payload

  • While this won't match billing exactly, it provides a reasonable directional view of which event types are contributing more relative volume
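The query above can be extended to show each event type's share of the estimated total, along with event counts and average size per event. This is an added example, not a query from Panther's documentation. It assumes the same variant table and `p_occurs_since` macro shown above, the column aliases and the 25-row limit are arbitrary choices, and the same caveats about billing apply.

```sql
-- Added example: per-eventName share of the estimated volume.
-- Sizes come from octet_length(data), as in the query above, so they are an
-- estimate for relative comparison, not a billing figure.
with per_event as (
    select
        data:eventName::string   as event_name,
        count(*)                 as events,
        sum(octet_length(data))  as total_bytes
    from panther_logs.public.aws_cloudtrail_variant -- same variant table as above
    where p_occurs_since(30d)
    group by 1
)
select
    event_name,
    events,
    round(total_bytes / 1024 / 1024, 2)                     as vol_mb,
    round(total_bytes / events, 0)                          as avg_bytes_per_event,
    -- window sum over all groups gives the denominator for the share
    round(100 * total_bytes / sum(total_bytes) over (), 2)  as pct_of_total
from per_event
order by total_bytes desc
limit 25; -- arbitrary cutoff for readability
```

A high `events` count with a low `avg_bytes_per_event` points to a noisy event type, while a low count with a high average points to a few large payloads.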