PantherFlow Data Types

These data types are supported in PantherFlow query statements

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Integer

Integers are allowed. For example:

1
-2

Double

Doubles are allowed. For example:

1.01
-6.6

String

Strings enclosed in either single or double quotation marks are allowed. For example:

'foo'
"foo"

Unicode characters can be embedded directly in strings. For example:

'Panther is my favorite animal '

Quotation marks of different types are unescaped. For example:

'foo and "bar"' → foo and "bar"
"foo and 'bar'" → foo and 'bar'

Quotation marks of the same type are escaped with a backslash character. For example:

'foo and \'bar\'' → foo and 'bar'
"foo and \"bar\"" → foo and "bar"

Backslash characters must be escaped. For example:

"foo\\bar" → foo\bar

Other escapes are also supported:

Escape

Description

Example

\'

'

\"

"

\\

\

\b

Backspace character

\f

Formfeed character

\n

Newline character

\r

Carriage return character

\t

Tab character

\ooo

Octal

\377

\xhh

Hex

\xF0\x9F\x98\x8E

\uhhhh

Unicode

\u5b89

Boolean

Typical boolean values are allowed:true and false.

Timestamp

Timestamps must be indicated using the function, which converts strings to timestamps. For example:

time.parse_timestamp('2023-06-01 13:14:15.00Z')

Timestamps can be compared to one another. For example, the following expression evaluates to true if the current date and time is after 2024-12-11 09:46:22.00Z:

time.now() > time.parse_timestamp('2024-12-11 10:42:32.00Z')

Timespan

Timespans must be composed of a number and a unit. The function converts a string in this format to a timespan. For example:

time.parse_timespan('1d')
1d
1.5s

Several units are supported:

Unit

Length of time

microsecond

microseconds

ms

millisecond

s

second

m

minute

h

hour

d

day

Timespans can be used arithmetically with timestamps. For example:

time.now() - 1d
- This expression evaluates to a timestamp that is one day ago
p_event_time > time.ago(1d)
- This expression evaluates to true if p_event_time is more recent than one day ago

Object

Objects can be expressed with curly brackets {'key': value} or by passing values to the function. Keys must be strings, while values can be any type (including scalars, arrays, and objects).

For example:

{'key1': 'foo', 'key2': 1}
object('key1', 'foo', 'key2', 1)

Object fields can be accessed using dot notation or square brackets. For example:

obj.key1
obj['key1']

The value of a key that is not in an object is null:

obj['missing key'] == null

Setting a key to null removes it from the object:

obj['delete me'] = null

Array

Arrays can be expressed with square brackets [A, B], or by passing the values to the function. Elements in an array can be of any type (including scalars, arrays, and objects), and a single array can contain values of different types. For example:

['apple', 'orange', 'banana']
array('apple', 12, 'orange')
['one', 1, {'flavor': 'chocolate', 'texture': 'melted'}]

Elements in an array can be accessed with square brackets:

arr[1]

Arrays can be checked for elements with in and not in. For example:

'foo' in myarray
'foo' not in myarray

Table

Table names are not case sensitive. This means, for example, tableName is the same as Tablename.

Column

Column names are case sensitive. This means, for example, columnName is different from ColumnName.

Null

Null is referred to with null.

PreviousWhere Operator NextPantherFlow Expressions

Last updated 4 months ago

Was this helpful?