# PantherFlow Expressions {% hint style="info" %} PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} ## References ### Array references
SyntaxDescriptionExample
array[X]Retrieve value at Xfoo[1]
### Object references
SyntaxDescriptionExample
object['X']Retrieve value at Xfoo['bar']
object.XRetrieve value at Xfoo.bar
## Comparisons ### Equality comparisons
OperatorDescriptionExampleOperatorMeaning
==EqualityA == B==
!=InequalityA != B!=
### Boolean comparisons
OperatorDescriptionExampleOperatorMeaning
andLogical andA and Band
orLogical orA or Bor
notLogical notnot Anot
### Numerical comparisons
SyntaxDescriptionExample
<Less thanA < B
<=Less than or equal toA <= B
>Greater thanA > B
>=Greater than or equal toA >= B
+AddA + B
-SubtractA - B
*MultiplyA * B
/DivideA / B
%ModuloA % B
### Array comparisons
SyntaxDescriptionExample
inValue is in arrayX in [X, Y, Z], '10.10.10.100' in p_any_ip_addresses
not inValue is not in arrayX not in [A, B, C]
### Between comparisons
OperatorDescriptionExample
betweenValue is between two values (inclusive), which are separated by ..<foo> between <begin> .. <end>
not betweenValue is not between two values (exclusive), which are separated by ..<foo> not between <begin> .. <end>
## Functions ### Anonymous functions An anonymous function, or "lambda function," is an unnamed function that can be used as an argument to the `arrays.map()` and `arrays.filter()` functions. Anonymous functions have zero or more parameters and a body that is an expression: ```kusto fn ([arg1] [, arg2...]]) { } ``` #### Example: **Add one to a number in `arrays.map()`** In the example below, the anonymous function is applied to each of the elements in the array provided as the first argument to `arrays.map()`: ```kusto arrays.map([1, 2, 3], fn (r) { r + 1 }) ``` After `arrays.map()` applies the function on each element, the array becomes: ```kusto [2, 3, 4] ``` #### **Example: Compare to null in `arrays.filter()`** In the example below, `arrays.filter()` uses the anonymous function as the filter condition: ```kusto arrays.filter([null, 5, null, 6], fn (elem) { elem != null }) ``` After `arrays.filter()` filters the list using the anonymous function, it becomes: ```kusto [5, 6] ``` #### **Example: Nest multiple anonymous functions** It's possible to nest anonymous functions, or use an anonymous function in the body of another anonymous function. This can be useful for extracting arrays within arrays: ```kusto let source = datatable [{ "results": [ { "cats": [ { "Name": "Whiskers", "Breed": "Siamese", "FurLength": "Short", "ID": "AAAAA" }, { "Name": "Mittens", "Breed": "Maine Coon", "FurLength": "Long", "ID": "BBBBB" } ] }, { "cats": [ { "Name": "Mr. Meow", "Breed": "Orange Tabby", "FurLength": "Short", "ID": "CCCCC" }, { "Name": "Mrs. Meow", "Breed": "Persian", "FurLength": "Long", "ID": "DDDDD" } ] } ] }]; source | project results=arrays.flatten( arrays.map(results, fn (result) { arrays.map(result.cats, fn (cat) { object("CatName", cat.Name, "ID", cat.ID) }) }) ) ``` | results | | --------------------------------------------------------------------------------------------------------------------------------------------------- | | `[{"CatName":"Whiskers","ID":"AAAAA"},{"CatName":"Mittens","ID":"BBBBB"},{"CatName":"Mr. Meow","ID":"CCCCC"},{"CatName":"Mrs. Meow","ID":"DDDDD"}]` | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/pantherflow/expressions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.