Skip to content

Instantly share code, notes, and snippets.

@alxarch

alxarch/schema.json Secret

Created July 9, 2021 13:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save alxarch/e87e15b04ab2bcb0d9739d7f3a36b096 to your computer and use it in GitHub Desktop.
Save alxarch/e87e15b04ab2bcb0d9739d7f3a36b096 to your computer and use it in GitHub Desktop.
Download ZIP
JSON Schema for Panther schema files
Raw
schema.json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Panther log schema",
"$id": "https://runpanther.io/schemas/logspec/v0",
"$ref": "#/definitions/schemaSpec",
"definitions": {
"schemaSpec": {
"type": "object",
"properties": {
"version": {
"const": 0
},
"schema": {
"type": "string",
"minLength": 3,
"pattern": "^[A-Z][A-Za-z0-9]+(\\.[A-Z][A-Za-z0-9]+)*$"
},
"description": {
"type": "string"
},
"referenceURL": {
"type": "string",
"format": "uri"
},
"parser": {
"type": "object",
"maxProperties": 1,
"minProperties": 1,
"properties": {
"csv": {
"oneOf": [
{
"$ref": "#/definitions/parserCSVWithHeader"
},
{
"$ref": "#/definitions/parserCSVWithoutHeader"
}
]
},
"fastmatch": {
"$ref": "#/definitions/parserFastMatch"
},
"regex": {
"$ref": "#/definitions/parserRegexMatch"
},
"native": {
"$ref": "#/definitions/parserNative"
}
}
},
"fields": {
"$ref": "#/definitions/objectFields"
},
"definitions": {
"type": "object",
"patternProperties": {
"^[A-Z][A-Za-z0-9]+$": {
"$ref": "#/definitions/valueSpec"
}
},
"additionalProperties": false
}
},
"required": ["version", "fields"]
},
"objectFields": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/fieldSpec"
}
},
"fieldSpec": {
"allOf": [
{
"type": "object",
"properties": {
"name": {
"$ref": "#/definitions/nameSpec"
},
"required": {
"type": "boolean"
},
"type": {
"$ref": "#/definitions/typeSpec"
},
"description": {
"type": "string"
}
},
"required": ["name", "type"]
},
{
"$ref": "#/definitions/valueSpec"
}
]
},
"nameSpec": {
"type": "string",
"pattern": "^[A-Za-z_!#%&',/=@\\$\\*\\+\\\\`~]+.*"
},
"valueSpec": {
"oneOf": [
{
"$ref": "#/definitions/stringSpec"
},
{
"$ref": "#/definitions/objectSpec"
},
{
"$ref": "#/definitions/arraySpec"
},
{
"$ref": "#/definitions/jsonSpec"
},
{
"$ref": "#/definitions/scalarSpec"
},
{
"$ref": "#/definitions/timeSpec"
},
{
"$ref": "#/definitions/refSpec"
}
]
},
"typeSpec": {
"type": "string",
"enum": [
"string",
"object",
"array",
"json",
"int",
"float",
"smallint",
"bigint",
"boolean",
"timestamp",
"ref"
]
},
"objectSpec": {
"type": "object",
"properties": {
"type": {
"const": "object"
},
"fields": {
"$ref": "#/definitions/objectFields"
},
"isEmbeddedJSON": {
"$comment": "Parse string values as embedded JSON",
"type": "boolean"
}
},
"required": ["type", "fields"]
},
"arraySpec": {
"type": "object",
"properties": {
"type": {
"const": "array"
},
"element": {
"$ref": "#/definitions/valueSpec"
},
"isEmbeddedJSON": {
"$comment": "Parse string values as embedded JSON",
"type": "boolean"
}
},
"required": ["type", "element"]
},
"jsonSpec": {
"type": "object",
"required": ["type"],
"properties": {
"type": {
"const": "json"
}
},
"isEmbeddedJSON": {
"$comment": "Parse string values as embedded JSON",
"type": "boolean"
}
},
"scalarSpec": {
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": ["int", "float", "bigint", "smallint", "boolean"]
}
},
"required": ["type"]
},
"validateSpec": {
"oneOf": [
{
"type": "object",
"required": ["allow"],
"properties": {
"allow": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
}
}
},
{
"type": "object",
"required": ["deny"],
"properties": {
"deny": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
}
}
}
]
},
"stringSpec": {
"type": "object",
"required": ["type"],
"properties": {
"type": {
"const": "string"
},
"indicators": {
"type": "array",
"minLength": 1,
"items": {
"$ref": "#/definitions/indicator"
}
},
"validate": {
"$ref": "#/definitions/validateSpec"
}
}
},
"indicator": {
"type": "string",
"enum": [
"ip",
"domain",
"hostname",
"url",
"md5",
"sha1",
"sha256",
"aws_arn",
"aws_account_id",
"aws_instance_id",
"aws_tag",
"trace_id",
"username",
"email",
"net_addr"
]
},
"timeSpec": {
"type": "object",
"properties": {
"type": {
"const": "timestamp"
},
"isEventTime": {
"type": "boolean"
},
"timeFormat": {
"oneOf": [
{
"type": "string",
"title": "Built-in timestamp format",
"description": "Common timestamp formats",
"enum": ["rfc3339", "unix", "unix_ms", "unix_us", "unix_ns", "cloudflare"]
},
{
"type": "string",
"title": "Custom timestamp format",
"description": "A custom time format in strftime notation",
"pattern": "%[aAbBcCdfHIjmMpSUwWxyYzZ]"
},
{
"type": "string",
"title": "Go layout timestamp format",
"description": "A custom time format in go layout notation",
"pattern": "^layout="
}
]
}
},
"required": ["type", "timeFormat"]
},
"refSpec": {
"type": "object",
"properties": {
"type": {
"const": "ref"
},
"target": {
"type": "string",
"minLength": 1
}
},
"required": ["target", "type"]
},
"parserCSVWithHeader": {
"type": "object",
"required": ["hasHeader"],
"properties": {
"hasHeader": {
"const": true
},
"delimiter": {
"type": "string",
"enum": [",", "\t", " "],
"default": ","
},
"columns": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"skipPrefix": {
"type": "string",
"minLength": 1
},
"emptyValues": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"trimSpace": {
"type": "boolean"
},
"expandFields": {
"$ref": "#/definitions/textParserExpandFields"
}
}
},
"parserCSVWithoutHeader": {
"type": "object",
"required": ["columns"],
"properties": {
"delimiter": {
"type": "string",
"enum": [",", "\t", " "],
"default": ","
},
"hasHeader": {
"const": false
},
"columns": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"skipPrefix": {
"type": "string",
"minLength": 1
},
"emptyValues": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"trimSpace": {
"type": "boolean"
},
"expandFields": {
"$ref": "#/definitions/textParserExpandFields"
}
}
},
"parserFastMatch": {
"type": "object",
"required": ["match"],
"properties": {
"match": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/fastmatchPattern"
}
},
"skipPrefix": {
"type": "string",
"minLength": 1
},
"emptyValues": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"minLength": 1
}
},
"trimSpace": {
"type": "boolean"
},
"expandFields": {
"$ref": "#/definitions/textParserExpandFields"
}
}
},
"parserNative": {
"required": ["name"],
"properties": {
"name": {
"type": "string"
}
}
},
"parserRegexMatch": {
"type": "object",
"required": ["match"],
"properties": {
"patternDefintions": {
"type": "object",
"patternProperties": {
"^[A-Z][A-Z0-9_]*$": {
"type": "string",
"minLength": 1
}
},
"additionalProperties": false
},
"match": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"skipPrefix": {
"type": "string",
"minLength": 1
},
"emptyValues": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"trimSpace": {
"type": "boolean"
},
"expandFields": {
"$ref": "#/definitions/textParserExpandFields"
}
}
},
"textParserExpandFields": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"fastmatchPattern": {
"allOf": [
{
"type": "string",
"minLength": 4
},
{
"type": "string",
"title": "Pattern with placeholder",
"$comment": "Must contain at least one placeholder",
"pattern": "%{\\s*[^}]+\\s*\\}"
},
{
"type": "string",
"title": "Pattern without newlines",
"$comment": "Only allow newline at the end",
"pattern": "^[^\\n]+\\n?$"
}
]
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment