Array Functions

arrays.difference()

arrays.difference(arr: [any], excluded_arr: [any]) -> [any]

Returns an array that contains the elements from arr that are not in excluded_arr.

Example:

panther_logs.public.aws_alb
| project ips=arrays.difference(p_any_ip_addresses, p_any_trace_ids)

arrays.intersection()

arrays.intersection(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains only the elements that are in both arr1 and arr2.

Example:

panther_logs.public.aws_alb
| project ips=arrays.intersection(p_any_ip_addresses, p_any_trace_ids)

arrays.len()

arrays.len(arr: [any]) -> int

Returns the length of arr. If arr is not an array it is jsonified first.

Example:

panther_logs.public.aws_alb
| project ipsFound=arrays.len(p_any_ip_addresses)

arrays.overlap()

arrays.overlap(arr1: [any], arr2: [any]) -> bool

Returns true if arr1 and arr2 have any elements in common.

Example:

panther_logs.public.aws_alb
| project tracesHadIps=arrays.overlap(p_any_ip_addresses, p_any_trace_ids)

arrays.sort()

arrays.sort(arr: [any] [, sort_asc: bool] [, nulls_first: bool]) -> [any]

Returns an array that contains the elements of the input array arr sorted in ascending or descending order. Defaults to ascending order. You can specify whether or not null elements are sorted before or after non-null elements. Defaults to nulls last in ascending order and null first in descending order.

Example:

panther_logs.public.aws_alb
| project tracesSorted=arrays.sort(p_any_trace_ids, false)

arrays.union()

arrays.union(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains all deduplicated elements of arr1 and arr2.

Example:

panther_logs.public.aws_alb
| project ips=arrays.union(p_any_ip_addresses, p_any_trace_ids)