Script Log Parser (Beta)
Parse incoming logs with script defined in Starlark configuration language
script is one of the possible parser values in a custom log schema. This parser lets you specify the transformations Panther should perform on each incoming log event using the Starlark configuration language, which shares much of its syntax with Python. The script parser can handle both structured (JSON) and unstructured events.
You might benefit from using the script parser when you want to:
Parse unstructured logs, but the other parser options (, , ) are insufficient
Perform transformations on the data, but the Panther-provided are insufficient
script parser function
When using the script parser, you must implement a Starlark function named parse. The function receives the incoming log event and must return a non-empty dictionary; the returned dictionary defines the format of the output event.
The script parser can use any of the primitives of the Starlark language. However, note two restrictions:
Raising exceptions is not allowed.
Imports are not allowed.
For example, the following configuration creates a new field called is_panther_employee that is true if the actor email has the panther.com domain, and false otherwise.
For ease of understanding, the above parse function is shown below with Python syntax highlighting:
script
Imagine the following log line, using the Apache Common Log format, is sent to Panther:
To parse this log type using script, we'll define the following function:
And use the following schema fields:
After the log above is normalized with this parser, it becomes:
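As an added example (not the page's own parse function), here is a complete parse() for an Apache Common Log line such as the one above. It is written in the subset shared by Python and Starlark (no imports, no exceptions, only string methods, int(), lists and dicts) so it runs under plain Python here; the sample line, output field names and the parse_error convention are constructed assumptions.

```python
# Constructed sample line in Apache Common Log format.
SAMPLE_LINE = '127.0.0.1 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326'


def _to_int(text):
    # Starlark has no try/except, so validate before calling int().
    if text.isdigit():
        return int(text)
    return None


def parse(line):
    # The parser must always return a non-empty dict, so an unparseable
    # line is reported through a parse_error field instead of by raising.
    head, lbracket, rest = line.partition("[")
    timestamp, rbracket, rest = rest.partition("]")
    if lbracket == "" or rbracket == "":
        return {"parse_error": "missing timestamp brackets", "raw": line}
    prefix = head.split()
    if len(prefix) != 3:
        return {"parse_error": "expected host, ident, user before timestamp", "raw": line}
    _, quote1, rest = rest.partition('"')
    request, quote2, tail = rest.partition('"')
    if quote1 == "" or quote2 == "":
        return {"parse_error": "missing quoted request", "raw": line}
    request_parts = request.split(" ")
    if len(request_parts) != 3:
        return {"parse_error": "malformed request line", "raw": line}
    tail_parts = tail.split()
    if len(tail_parts) != 2:
        return {"parse_error": "expected status and size after request", "raw": line}
    status = _to_int(tail_parts[0])
    # "-" means no body was sent; map it to 0 bytes.
    size = 0 if tail_parts[1] == "-" else _to_int(tail_parts[1])
    if status == None or size == None:
        return {"parse_error": "non-numeric status or size", "raw": line}
    return {
        "remote_ip": prefix[0],
        "identity": prefix[1],
        "user": prefix[2],
        "timestamp": timestamp,
        "method": request_parts[0],
        "path": request_parts[1],
        "protocol": request_parts[2],
        "status": status,
        "bytes": size,
    }
```

Because exceptions are not available, every malformed input path returns a dictionary the schema can still map, which keeps a single bad line from breaking ingestion.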
While script is mainly intended for text logs, it can also be used for JSON logs in cases where you want to perform transformations outside of . For this reason, the script parser comes pre-loaded with a json module that lets you convert JSON from a string into a dictionary.