# PantherFlow (Beta)

## Overview

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

PantherFlow is Panther's pipelined query language. It's designed to be simple to understand, yet powerful and expressive.

Use PantherFlow to explore and analyze your data in Panther. With its [operators](https://docs.panther.com/pantherflow/operators) and [functions](https://docs.panther.com/pantherflow/functions), you can perform a variety of data operations, such as filtering, transformations, and aggregations—in addition to [visualizing your results](https://docs.panther.com/pantherflow/operators/visualize) as a bar or line chart. PantherFlow is schema-flexible, meaning you can seamlessly search across multiple data sources (including those with different schemas) in a single query.

{% hint style="info" %}
In addition to writing your own PantherFlow queries, you can [use AI to generate PantherFlow with natural language](https://docs.panther.com/search/search-tool) in Search.
{% endhint %}

PantherFlow queries use pipes (`|`) to delineate data operations, which are processed sequentially. This means the output of a query's first operator is passed as the input to the second operator, and so on. See an example query below:

```kusto
panther_logs.public.okta_systemlog
| where p_event_time > time.ago(1d)
| search 'doug'
| summarize agg.count() by eventType
```

Learn how to optimize your PantherFlow queries on [PantherFlow Best Practices](https://docs.panther.com/pantherflow/best-practices).

### Where to use PantherFlow

Use PantherFlow to query data in Search. [Learn how to enter PantherFlow in Search here](https://docs.panther.com/search/search-tool#using-pantherflow-in-search), as well as how to [use AI to generate PantherFlow with natural language here](https://docs.panther.com/search/search-tool#ai-powered-pantherflow-query-generation).

To assist your query writing, the PantherFlow code editor in Search has autocomplete, error underlining, hover tooltips, inlay hints, and function signature assistance.

## How a PantherFlow query works

The term "PantherFlow query" typically refers to a [tabular expression statement](https://docs.panther.com/statements#tabular-expression-statements), which retrieves a dataset and returns it in some form (in contrast to a [let statement](https://docs.panther.com/statements#let-statements)). A tabular expression statement usually contains [operators](https://docs.panther.com/pantherflow/operators) separated by pipes (`|`). Each operator performs some action on the data, such as filtering or transforming it, before passing it on to the next operator. Operator order is important, as PantherFlow statements are read sequentially.

See an overview of PantherFlow syntax on [PantherFlow Quick Reference](https://docs.panther.com/pantherflow/quick-reference), or explore syntax topics in more detail:

* [PantherFlow Statements](https://docs.panther.com/pantherflow/statements)
* [PantherFlow Operators](https://docs.panther.com/pantherflow/operators)
* [PantherFlow Data Types](https://docs.panther.com/pantherflow/data-types)
* [PantherFlow Expressions](https://docs.panther.com/pantherflow/expressions)
* [PantherFlow Functions](https://docs.panther.com/pantherflow/functions)

### Step-by-step PantherFlow query example

Let's explore the following PantherFlow query:

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| sort p_event_time
| limit 10
```

In short, this query reads data from the `aws_alb` table, filters out events that occurred before the last day, sorts remaining events by time, and returns the first 10 events.

Let's take a deeper look at each line:

1. `panther_logs.public.aws_alb`
   * This statement identifies the data source.
   * This query is reading from the `panther_logs.public.aws_alb` table. If the query contained only this line, all data in the table would be returned.
2. `| where p_event_time > time.ago(1d)`
   * The [`where` operator](https://docs.panther.com/pantherflow/operators/where) takes an [expression](https://docs.panther.com/pantherflow/expressions) to filter the data.
   * This query is requesting data where the `p_event_time` field value is greater than the time one day ago. In other words, it's asking for events that occurred within the last day. The `time.ago()` function subtracts from the current time, and its argument (`1d`) is a timestamp constant representing one day.
3. `| sort p_event_time`
   * The [`sort` operator](https://docs.panther.com/pantherflow/operators/sort) lets you order events by one or more field values.
   * This query orders data by `p_event_time`. Because the [default sort order](https://docs.panther.com/pantherflow/operators/sort) is descending, the most recent event will be returned first.
4. `| limit 10`
   * The [`limit` operator](https://docs.panther.com/pantherflow/operators/limit) defines how many events you'd like returned, at most.
   * This query is requesting no more than 10 events.
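The same pipeline shape applied to an investigative question, as an added example that is not one of the page's own queries: count failed Okta sign-ins per user over the last day and keep only the ten noisiest accounts. It assumes the `==`/`and` comparison syntax, the `name = agg.count()` aliasing form, and the Okta System Log field names `eventType`, `outcome.result`, and `actor.alternateId`.

```kusto
// Added example (not from the original page): failed Okta sign-ins per user, last 24 hours.
// Each pipe stage narrows or reshapes the rows handed to the next stage.
panther_logs.public.okta_systemlog
// 1. Data source: the Okta System Log table.
| where p_event_time > time.ago(1d)
// 2. Keep only events from the last day.
| where eventType == 'user.session.start' and outcome.result == 'FAILURE'
// 3. Keep only sign-in attempts that failed (field names assumed from the Okta schema).
| summarize failures = agg.count() by actor.alternateId
// 4. Aggregate: one row per user, with the number of failures (alias syntax assumed).
| sort failures
// 5. Default sort order is descending, so the users with the most failures come first.
| limit 10
// 6. Return at most ten rows.
```

Because `summarize` replaces the event rows with aggregate rows, any operator placed after it (here `sort` and `limit`) sees only `actor.alternateId` and `failures`, not the original event fields.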

See additional query examples:

* [PantherFlow Example Queries](https://docs.panther.com/pantherflow/example-queries)
* [Scheduled Search Examples](https://docs.panther.com/search/scheduled-searches/examples)

## Limitations of PantherFlow

* While you can [create a Saved Search](https://docs.panther.com/search/search-tool#creating-a-saved-search) using PantherFlow in the Panther Console, it's not possible to:
  * Schedule a Saved Search (i.e., create a [Scheduled Search](https://docs.panther.com/search/scheduled-searches))
  * Create a Saved Search using PantherFlow in the developer workflow (i.e., by uploading a `saved_query` via the [Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands) or by using the [REST](https://docs.panther.com/panther-developer-workflows/api/rest/queries) or [GraphQL](https://docs.panther.com/panther-developer-workflows/api/graphql/data-lake-queries) APIs)
* Aggregations (i.e., the [`summarize` operator](https://docs.panther.com/pantherflow/operators/summarize)) do not show information on the [Search results histogram](https://docs.panther.com/search/search-tool#search-results-histogram).
* In Search, the [**Available Fields** list](https://docs.panther.com/search/search-tool#adding-removing-and-reordering-fields-in-the-results-table) does not reflect fields that are added or removed when using operators like [`project`](https://docs.panther.com/pantherflow/operators/project), [`extend`](https://docs.panther.com/pantherflow/operators/extend), and [`summarize`](https://docs.panther.com/pantherflow/operators/summarize).
* In some cases, a PantherFlow query may run slower than an equivalent SQL query.
* The [`visualize` operator has its own limitations](https://docs.panther.com/operators/visualize#limitations).
