# PantherFlow 빠른 참조 {% hint style="info" %} PantherFlow는 Panther 버전 1.110부터 공개 베타로 제공되며, 모든 고객이 이용할 수 있습니다. 버그 보고 및 기능 요청은 Panther 지원 팀에 공유해 주세요. {% endhint %} ## 문장 PantherFlow 쿼리는 하나 이상의 문장으로 구성됩니다. 문장에는 두 가지 유형이 있습니다: * [표 형식 표현식 문장](/ko/pantherflow/statements.md#tabular-expression-statements): 데이터 원본을 식별하며 파이프로 구분된 연산자를 포함할 수 있습니다 ```kusto panther_logs.public.aws_cloudtrail | where accountId != '1234567' | summarize Count=agg.count() by eventName | extend tooHigh = Count > 100 ``` * [let 문장](/ko/pantherflow/statements.md#let-statements): 표 형식 표현식 또는 스칼라 표현식을 변수에 할당합니다 ```kusto // 테이블 변수 정의 let subquery_name = mytable | where foo == 'bar'; // 스칼라 변수 정의 let my_search_term = 'quark' // 테이블 변수 및 스칼라 변수 참조 subquery_name | where baz == my_search_term ``` ## 연산자
Name설명예제
<from>테이블에서 데이터 가져오기table1
datatable제공된 테스트 데이터 사용datatable [{"foo":"bar"}]
extend새 필드 추가T | extend foo=bar
조인다른 테이블과 조인T | join kind=inner dest=(foo) on $left.id == $right.id
limit행 수 제한T | limit 10
project특정 필드만 표시T | project foo, bar
range행의 시퀀스 생성range N from 1 to 5 step 1
sort정렬T | sort time
search값에 대한 텍스트 검색T | search 'foo'
summarize집계T | summarize agg.count() by foo
union여러 테이블 쿼리T | union table1, table2
visualize차트 생성T | visualize line
where필터T | where foo == bar
## 데이터 유형
데이터 유형예시 허용 값
정수1, -1
Double1.0, -1.0
문자열'foo', "foo"
불리언true, false
타임스탬프time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')
Timespan15s, 2d, time.parse_timespan('1d')
Object{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)
Array[A, B, C], array('apple', 'orange')
TabletableName
ColumncolumnName
Nullnull
## 표현식 ### 참조 * [Array](/ko/pantherflow/expressions.md#array-references): `array[X]` * [객체](/ko/pantherflow/expressions.md#object-references): `object['X']`, `object.X` ### 비교 * [동등](/ko/pantherflow/expressions.md#equality-comparisons): `==`, `!=` * [불리언](/ko/pantherflow/expressions.md#boolean-comparisons): `Run Panther AI`, `또는`, `not` * [숫자](/ko/pantherflow/expressions.md#numerical-comparisons): `<`, `<=`, `>`, `>=`, `+`, `-`, `*`, `/`, `%` * [배열](/ko/pantherflow/expressions.md#array-comparisons): `in`, `not in` * [Between](/ko/pantherflow/expressions.md#between-comparisons): `between`, `not between` ### 함수 * [익명 함수](/ko/pantherflow/expressions.md#anonymous-functions): `fn ([arg1] [, arg2...]]) { }` ## 함수 ### 집계 * [`agg.avg()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.avg) * [`agg.count()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.count) * [`agg.count_distinct()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.count_distinct) * [`agg.make_set()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.make_set) * [`agg.max()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.max) * [`agg.min()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.min) * [`agg.percentile_cont()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.percentile_cont) * [`agg.stddev()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.stddev) * [`agg.sum()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.sum) * [`agg.take_any()`](https://docs.panther.com/ko/pantherflow/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.take_any) ### 날짜/시간 * [`time.add()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.add) * [`time.ago()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.ago) * [`time.diff()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.diff) * [`time.now()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.now) * [`time.parse_timespan()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.parse_timespan) * [`time.parse_timestamp()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.parse_timestamp) * [`time.slice()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.slice) * [`time.trunc()`](https://docs.panther.com/ko/pantherflow/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.trunc) ### 문자열 * [`strings.cat()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.cat) * [`strings.contains()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.contains) * [`strings.ends_with()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.ends_with) * [`strings.ilike()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.ilike) * [`strings.join()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.join) * [`strings.len()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.len) * [`strings.like()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.like) * [`strings.lower()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.lower) * [`strings.split()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.split) * [`strings.starts_with()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.starts_with) * [`strings.upper()`](https://docs.panther.com/ko/pantherflow/pages/e5c4ab662f13148d5d148a22c398090241e61a1c#strings.upper) ### 배열 * [`arrays.difference()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.difference) * [`arrays.filter()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.filter) * [`arrays.flatten()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.flatten) * [`arrays.intersection()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.intersection) * [`arrays.len()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.len) * [`arrays.map()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.map) * [`arrays.overlap()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.overlap) * [`arrays.sort()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.sort) * [`arrays.union()`](https://docs.panther.com/ko/pantherflow/pages/c58ae0e898fd6f293efee986d6d1707148384f17#arrays.union) ### 수학 * [`math.abs()`](https://docs.panther.com/ko/pantherflow/pages/caeeddc15129809d56ff004574406b10351a913b#math.abs) * [`math.ceil()`](https://docs.panther.com/ko/pantherflow/pages/caeeddc15129809d56ff004574406b10351a913b#math.ceil) * [`math.floor()`](https://docs.panther.com/ko/pantherflow/pages/caeeddc15129809d56ff004574406b10351a913b#math.floor) * [`math.round()`](https://docs.panther.com/ko/pantherflow/pages/caeeddc15129809d56ff004574406b10351a913b#math.round) ### 제어 흐름 * [`case()`](/ko/pantherflow/functions/control-flow.md#case) ### 데이터 유형 * [`array()`](/ko/pantherflow/functions/data-type.md#array) * [`object()`](/ko/pantherflow/functions/data-type.md#object) ### 기타 * [`coalesce()`](/ko/pantherflow/functions/other.md#coalesce) * [`toscalar()`](/ko/pantherflow/functions/other.md#toscalar) ## 주석 두 개의 슬래시로 주석을 작성합니다: ```kusto // 주석 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/ko/pantherflow/quick-reference.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.