PantherFlow Functions
Use these functions in your PantherFlow query statements
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Aggregations
agg.avg()
agg.avg()agg.avg(column: any) -> float
Returns the average of the values in the aggregation.
agg.count()
agg.count()agg.count([column: any]) -> int
Returns the number of values in the aggregation.
agg.count_distinct()
agg.count_distinct()agg.count_distinct(column: any) -> int
Returns the number of unique values in the aggregation.
agg.make_set()
agg.make_set()agg.make_set(column: any) -> any
Returns a set of unique values from the column.
agg.max()
agg.max()agg.max(column: any) -> float
Returns the maximum value in the aggregation.
agg.min()
agg.min()agg.min(column: any) -> float
Returns the minimum value in the aggregation.
agg.sum()
agg.sum()agg.sum(column: [any]) -> float
Returns the sum of the values in the aggregation.
agg.take_any()
agg.take_any()agg.take_any(column: [any]) -> any
Returns any value from the aggregation.
Date/time
time.ago()
time.ago()time.ago(span: timespan) -> timestamp
Returns the timestamp that is span ago.
time.date_trunc()
time.date_trunc()time.date_trunc(unit: string, timestamp: timestamp) -> timestamp
Returns the timestamp truncated to the specified unit.
time.diff()
time.diff()time.diff(unit: string, timestamp1: timestamp, timestamp2: timestamp) -> int
Calculates the difference between two timestamp expressions based on the date or time unitrequested. The function returns the result of subtracting timestamp1 from timestamp2 (i.e. timestamp2 - timestamp1).
time.now()
time.now()time.now() -> timestamp
Returns the current timestamp.
time.parse_date()
time.parse_date()time.parse_date(str: string) -> timestamp
Returns the timestamp representation of the date string.
time.parse_timespan()
time.parse_timespan()time.parse_timespan(str: string) -> timestamp
Returns the timespan representation of the duration string.
time.parse_timestamp()
time.parse_timestamp()time.parse_timestamp(str: string) -> timestamp
Returns the timestamp representation of the timestamp string.
time.slice()
time.slice()time.slice(time: timestamp, slice_length: int, slice_unit: string) -> timestamp
Returns the timestamp that time resides in, given chunks of slice_unit and slice_length. For example, if slice_length is 1 and slice_unit is "hour", the time is truncated to the hour it belongs to. Slices are calculated relative to midnight January 1, 1970. slice_unit can be "second", "minute", "hour", "day", "week", "month", "quarter", or "year".
Strings
strings.cat()
strings.cat()strings.cat(str: string, str: string, ... ) -> string
Concatenates strings.
strings.contains()
strings.contains()strings.contains(thing: any, substr: string) -> bool
Returns true if thing contains substr. If thing is not a string, it is stringified first.
strings.ilike()
strings.ilike()strings.ilike(str: any, substr: string) -> bool
Returns true if str contains substr with SQL LIKE semantics, ignoring case.
strings.len()
strings.len()strings.len(thing: any) -> int
Returns the length of thing. If thing is not a string, it is stringified first.
strings.like()
strings.like()strings.like(str: any, substr: string) -> bool
Returns true if str contains substr with SQL LIKE semantics.
strings.lower()
strings.lower()strings.lower(str: string) -> string
Returns str converted to lower case.
strings.split()
strings.split()strings.split(str: any, sep: string) -> [string]
Returns a list of substrings of str separated by sep.
strings.starts_with()
strings.starts_with()strings.starts_with(str: string, prefix: string) -> bool
Returns true if str starts with prefix.
strings.upper()
strings.upper()strings.upper(str: string) -> string
Returns str converted to upper case.
Arrays
arrays.len()
arrays.len()arrays.len(arr: [any]) -> int
Returns the length of arr. If arr is not an array it is jsonified first.
arrays.overlap()
arrays.overlap()arrays.overlap(arr1: [any], arr2: [any]) -> bool
Returns true if arr1 and arr2 have any elements in common.
Math
math.round()
math.round()math.round(value: number [, precision: int]) -> float
Returns the value rounded to the specified precision.
Control flow
case()
case()case(condition1: bool, value1: any [, condition2: bool, value2: any, ... ] [, else: any]) -> any
Returns the first value for which the corresponding condition is true. If no condition is true, returns null.
Regular expressions
re.count()
re.count()re.count(stringable: any, regex: string) -> int
Returns the number of times that regex occurs in stringable, or null if any value is null.
re.matches()
re.matches()re.matches(stringable: any, regex: string) -> bool
Returns true if stringable matches the regular expression regex.
re.replace()
re.replace()re.replace(stringable: any, regex: string, replacement: string) -> string
Returns stringable with the specified pattern regex (or all occurrences of the pattern) either removed or replaced by replacement, or null if any value is null.
re.substr()
re.substr()re.substr(stringable: any, regex: string) -> string
Returns the first substring that matches regex within stringable, or null if any value is null.
Data types
array()
array()array(value1: any, value2: any, valueN: any, ... ) -> array
Returns an array with the given values.
datetime()
datetime()datetime(value: timestamp) -> timestamp
Returns the timestamp representation of the value.
object()
object()object([key1: string, value1: any, ... ]) -> object
Returns an object with the given key-value pairs.
Other
coalesce()
coalesce()coalesce(value1: any, value2: any, valueN: any, ... ) -> any
Returns the first non-null value in the list of arguments.
toscalar()
toscalar()toscalar(query: tabular) -> any
Converts a query to a scalar value. If the row contains more than one value it randomly selects one of the values. If the query returns more than one row, it selects the first row.
Last updated