PantherFlow Data Types
These data types are supported in PantherFlow query statements.
Integer
Integers are allowed. For example:
1
-2
Double
Doubles are allowed. For example:
1.01
-6.6
String
Strings enclosed in either single or double quotation marks are allowed. For example:
'foo'
"foo"
Unicode characters can be embedded directly in strings. For example:
Quotation marks of different types are unescaped. For example:
'foo and "bar"'
→foo and "bar"
"foo and 'bar'"
→foo and 'bar'
Quotation marks of the same type are escaped with a backslash character. For example:
'foo and \'bar\''
→foo and 'bar'
"foo and \"bar\""
→foo and "bar"
Backslash characters must be escaped. For example:
"foo\\bar"
→foo\bar
Other escapes are also supported:
\'      '
\"      "
\\      \
\b      Backspace character
\f      Formfeed character
\n      Newline character
\r      Carriage return character
\t      Tab character
\ooo    Octal (example: \377)
\xhh    Hex (example: \xF0\x9F\x98\x8E)
\uhhhh  Unicode (example: \u5b89)
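The escaping rules above, as an added example that is not part of the original page or Panther's own code: Python helpers (the names quote and unquote are hypothetical) that render a log-derived value as a single-quoted PantherFlow string literal and decode one back, so a value such as a Windows path or a name containing a quotation mark cannot end the literal early. Treating \ooo and \xhh as raw bytes that must form valid UTF-8 is an assumption inferred from the \xF0\x9F\x98\x8E example.

```python
import re

# Added example: names and byte handling are assumptions, not Panther's code.
SIMPLE = {"'": "'", '"': '"', "\\": "\\", "b": "\b", "f": "\f",
          "n": "\n", "r": "\r", "t": "\t"}
ENCODE = {char: "\\" + name for name, char in SIMPLE.items() if name != '"'}
NUMERIC = re.compile(r"\\(?:([0-7]{3})|x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4}))")

def quote(value: str) -> str:
    """Render value as a single-quoted literal; double quotes stay unescaped."""
    out = []
    for ch in value:
        if ch in ENCODE:
            out.append(ENCODE[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))  # other control characters
        else:
            out.append(ch)  # Unicode can be embedded directly
    return "'" + "".join(out) + "'"

def unquote(literal: str) -> str:
    """Decode a quoted literal; raise ValueError on anything malformed."""
    if len(literal) < 2 or literal[0] not in "'\"" or literal[-1] != literal[0]:
        raise ValueError("literal must be wrapped in matching quotes")
    body, buf, i = literal[1:-1], bytearray(), 0
    while i < len(body):
        numeric = NUMERIC.match(body, i)
        if numeric:
            octal, hexa, uni = numeric.groups()
            if uni:
                buf += chr(int(uni, 16)).encode("utf-8")
            else:  # assumption: \ooo and \xhh each contribute one raw byte
                buf.append(int(octal, 8) if octal else int(hexa, 16))
            i = numeric.end()
        elif body[i] == "\\" and body[i + 1:i + 2] in SIMPLE:
            buf += SIMPLE[body[i + 1]].encode("utf-8")
            i += 2
        elif body[i] in ("\\", literal[0]):
            raise ValueError("bad escape or unescaped quote at offset %d" % i)
        else:
            buf += body[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")  # assumption: bytes must form valid UTF-8

# Constructed sample values an analyst might paste into a query filter.
SAMPLES = ["C:\\Users\\o'brien\\run.ps1", 'say "hi"\tnow', "安 \x07"]
```

Round-tripping each value through quote and unquote before it is placed in a query confirms that the literal the query engine sees is the value that was intended.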
Boolean
Typical boolean values are allowed: true and false.
Timestamp
Timestamps must be indicated using the time.parse_timestamp() function, which converts strings to timestamps. For example:
time.parse_timestamp('2023-06-01 13:14:15.00Z')
Timestamps can be compared to one another. For example, the following expression evaluates to true if the current date and time is after 2024-12-11 09:46:22.00Z:
time.now() > time.parse_timestamp('2024-12-11 10:42:32.00Z')
Timespan
Timespans must be composed of a number and a unit. The time.parse_timespan() function converts a string in this format to a timespan. For example:
time.parse_timespan('1d')
1d
1.5s
Several units are supported:
microsecond   microseconds
ms            millisecond
s             second
m             minute
h             hour
d             day
Timespans can be used arithmetically with timestamps. For example:
time.now() - 1d
This expression evaluates to a timestamp that is one day ago.
p_event_time > time.ago(1d)
This expression evaluates to true if p_event_time is more recent than one day ago.
Object
Objects can be expressed with curly brackets {'key': value} or by passing values to the object() function. Keys must be strings, while values can be any type (including scalars, arrays, and objects).
For example:
{'key1': 'foo', 'key2': 1}
object('key1', 'foo', 'key2', 1)
Object fields can be accessed using dot notation or square brackets. For example:
obj.key1
obj['key1']
The value of a key that is not in an object is null:
obj['missing key'] == null
Setting a key to null removes it from the object:
obj['delete me'] = null
Array
Arrays can be expressed with square brackets [A, B], or by passing the values to the array() function. Elements in an array can be of any type (including scalars, arrays, and objects), and a single array can contain values of different types. For example:
['apple', 'orange', 'banana']
array('apple', 12, 'orange')
['one', 1, {'flavor': 'chocolate', 'texture': 'melted'}]
Elements in an array can be accessed with square brackets:
arr[1]
Arrays can be checked for elements with in and not in. For example:
'foo' in myarray
'foo' not in myarray
Table
Table names are not case sensitive. This means, for example, tableName is the same as Tablename.
Column
Column names are case sensitive. This means, for example, columnName is different from ColumnName.
Null
Null is referred to with null.