# Array Functions {% hint style="info" %} PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} ## `arrays.difference()` `arrays.difference(arr: [any], excluded_arr: [any]) -> [any]` Returns an array that contains the elements from `arr` that are not in `excluded_arr`. **Example:** ```kusto panther_logs.public.aws_alb | project ips=arrays.difference(p_any_ip_addresses, p_any_trace_ids) ``` ## `arrays.filter()` `arrays.filter(array: [any], func: fn) -> [any]` Executes `func` on every element of `array` and returns a new array with only the elements where `func` returns true. Learn more about defining functions on [PantherFlow Expressions](https://docs.panther.com/pantherflow/expressions#functions). **Example:** ```kusto datatable [{"a": [1, 2, 3]}] | extend a_even=arrays.filter(a, fn (elem) { elem % 2 == 0 }) ``` ## `arrays.flatten()` `arrays.flatten(array: [any]) -> [any]` When `array` is an array of arrays, returns a single array with all the elements of the inner arrays. **Example:** ```kusto datatable [{"a": [[1, 2], [3]]}] | extend a_flattened=arrays.flatten(a) ``` ## `arrays.intersection()` `arrays.intersection(arr1: [any], arr2: [any]) -> [any]` Returns an array that contains only the elements that are in both `arr1` and `arr2`. **Example:** ```kusto panther_logs.public.aws_alb | project ips=arrays.intersection(p_any_ip_addresses, p_any_trace_ids) ``` ## `arrays.len()` `arrays.len(arr: [any]) -> int` Returns the length of `arr`. If `arr` is not an array it is jsonified first. **Example:** ```kusto panther_logs.public.aws_alb | project ipsFound=arrays.len(p_any_ip_addresses) ``` ## `arrays.map()` `arrays.map(array: [any], func: fn) -> [any]` Executes `func` on each element of `array` and returns an array of the results. Learn more about defining functions on [PantherFlow Expressions](https://docs.panther.com/pantherflow/expressions#functions). **Example:** ```kusto datatable [{"a": [1, 2, 3]}] | extend a_plus_one=arrays.map(a, fn (elem) { elem + 1 }) ``` ## `arrays.overlap()` `arrays.overlap(arr1: [any], arr2: [any]) -> bool` Returns true if `arr1` and `arr2` have any elements in common. **Example:** ```kusto panther_logs.public.aws_alb | project tracesHadIps=arrays.overlap(p_any_ip_addresses, p_any_trace_ids) ``` ## `arrays.sort()` `arrays.sort(arr: [any] [, sort_asc: bool] [, nulls_first: bool]) -> [any]` Returns an array that contains the elements of the input array `arr` sorted in ascending or descending order. Defaults to ascending order. You can specify whether or not null elements are sorted before or after non-null elements. Defaults to nulls last in ascending order and null first in descending order. **Example:** ```kusto panther_logs.public.aws_alb | project tracesSorted=arrays.sort(p_any_trace_ids, false) ``` ## `arrays.union()` `arrays.union(arr1: [any], arr2: [any]) -> [any]` Returns an array that contains all deduplicated elements of `arr1` and `arr2`. **Example:** ```kusto panther_logs.public.aws_alb | project ips=arrays.union(p_any_ip_addresses, p_any_trace_ids) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/pantherflow/functions/array.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.