PantherFlow (Beta)

PantherFlow is Panther's pipelined query language

Overview

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

PantherFlow is Panther's pipelined query language. It's designed to be simple to understand, yet powerful and expressive.

Use PantherFlow to explore and analyze your data in Panther. With its operators and functions, you can perform a variety of data operations, such as filtering, transformations, and aggregations—in addition to visualizing your results as a bar or line chart. PantherFlow is schema-flexible, meaning you can seamlessly search across multiple data sources (including those with different schemas) in a single query.

PantherFlow queries use pipes (|) to delineate data operations, which are processed sequentially. This means the output of a query's first operator is passed as the input to the second operator, and so on. See an example query below:

panther_logs.public.okta_systemlog
| where p_event_time > time.ago(1d)
| search 'doug'
| summarize agg.count() by eventType

Learn how to optimize your PantherFlow queries on PantherFlow Best Practices.

Where to use PantherFlow

Use PantherFlow to query data in Search. Learn how to use PantherFlow in Search here.

To assist your query writing, the PantherFlow code editor in Search has autocomplete, error underlining, hover tooltips, inlay hints, and function signature assistance.

If your PantherFlow query specifies a database/table, the database, table, and date range filters in the upper-right corner of the Search page are ignored.

If your PantherFlow query does not specify a database/table, the database, table, and date range filters are all applied. In this scenario, if your PantherFlow query includes a date/time range (with a | where p_event_time ... statement), both date/time ranges are applied—i.e., returned data must fall within the date/time range set in both the date range filter and the range defined by the | where p_event_time ... statement.

How a PantherFlow query works

The term "PantherFlow query" typically refers to a tabular expression statement, which retrieves a dataset and returns it in some form (in contrast to a let statement.) A tabular expression statement usually contains operators separated by pipes (|). Each operator performs some action on the data—i.e., filters or transforms it—before passing it on to the next operator. Operator order is important, as PantherFlow statements are read sequentially.

See an overview of PantherFlow syntax on PantherFlow Quick Reference, or explore syntax topics in more detail:

Step-by-step PantherFlow query example

Let's explore the following PantherFlow query:

panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| sort p_event_time
| limit 10

In short, this query reads data from the aws_alb table, filters out events that occurred before the last day, sorts remaining events by time, and returns the first 10 events.

Let's take a deeper look at each line:

panther_logs.public.aws_alb
- This statement identifies the data source.
- This query is reading from the panther_logs.public.aws_alb table. If the query contained only this line, all data in the table would be returned.
| where p_event_time > time.ago(1d)
- The where operator takes an expression to filter the data.
- This query is requesting data where the p_event_time field value is greater than the time one day ago. In other words, it's asking for events that occurred within the last day. The time.ago() function subtracts from the current time, and its argument (1d) is a timestamp constant representing one day.
| sort p_event_time
- The sort operator lets you order events by one or more field values.
- This query orders data by p_event_time. Because the default sort order is descending, the most recent event will be returned first.
| limit 10
- The limit operator defines how many events you'd like returned, at most.
- This query is requesting no more than 10 events.

See additional query examples:

Limitations of PantherFlow

While you can create a Saved Search using PantherFlow in the Panther Console, it's not possible to:
- Schedule a Saved Search (i.e., create a Scheduled Search)
- Create a Saved Search using PantherFlow in the developer workflow (i.e., by uploading a saved_query via the Panther Analysis Tool or by using the REST or GraphQL APIs)
Aggregations (i.e., the summarize operator) do not show information on the Search results histogram.
In Search, the Available Fields list does not reflect fields that are added or removed when using operators like project, extend, and summarize.
In some cases, a PantherFlow query may run slower than an equivalent SQL query.
The visualize operator has its own limitations.

PreviousAthena NextPantherFlow Quick Reference

Last updated 19 days ago

Was this helpful?