Array Functions

PantherFlow array functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

arrays.difference()

arrays.difference(arr: [any], excluded_arr: [any]) -> [any]

Returns an array that contains the elements from arr that are not in excluded_arr.

Example:

panther_logs.public.aws_alb
| project ips=arrays.difference(p_any_ip_addresses, p_any_trace_ids)

arrays.filter()

arrays.filter(array: [any], func: fn) -> [any]

Executes func on every element of array and returns a new array with only the elements where func returns true. Learn more about defining functions on PantherFlow Expressions.

Example:

datatable [{"a": [1, 2, 3]}]
| extend a_even=arrays.filter(a, fn (elem) { elem % 2 == 0 })

arrays.flatten()

arrays.flatten(array: [any]) -> [any]

When array is an array of arrays, returns a single array with all the elements of the inner arrays.

Example:

arrays.intersection()

arrays.intersection(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains only the elements that are in both arr1 and arr2.

Example:

arrays.len()

arrays.len(arr: [any]) -> int

Returns the length of arr. If arr is not an array it is jsonified first.

Example:

arrays.map()

arrays.map(array: [any], func: fn) -> [any]

Executes func on each element of array and returns an array of the results. Learn more about defining functions on PantherFlow Expressions.

Example:

arrays.overlap()

arrays.overlap(arr1: [any], arr2: [any]) -> bool

Returns true if arr1 and arr2 have any elements in common.

Example:

arrays.sort()

arrays.sort(arr: [any] [, sort_asc: bool] [, nulls_first: bool]) -> [any]

Returns an array that contains the elements of the input array arr sorted in ascending or descending order. Defaults to ascending order. You can specify whether null elements are sorted before or after non-null elements. Defaults to nulls last in ascending order and nulls first in descending order.

Example:

arrays.union()

arrays.union(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains all deduplicated elements of arr1 and arr2.

Example:

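The following added example (not from the Panther documentation) combines arrays.difference(), arrays.overlap() and arrays.len() in one detection-style query. The rows and the column names user, seen_ips, approved_ips and blocked_ips are constructed for illustration; the where operator and // comments are PantherFlow features not shown elsewhere on this page.

```pantherflow
// Constructed sample rows, not real log data: the IPs seen in a session,
// the user's approved IPs, and a blocklist.
datatable [
  {"user": "alice", "seen_ips": ["10.0.0.5", "203.0.113.7"], "approved_ips": ["10.0.0.5"], "blocked_ips": ["203.0.113.7"]},
  {"user": "bob", "seen_ips": ["10.0.0.9"], "approved_ips": ["10.0.0.9", "10.0.0.10"], "blocked_ips": ["203.0.113.7"]}
]
// IPs seen in the session that are not on the approved list
| extend unapproved_ips=arrays.difference(seen_ips, approved_ips)
// true when at least one seen IP is also on the blocklist
| extend hit_blocklist=arrays.overlap(seen_ips, blocked_ips)
// number of unapproved IPs, used as the filter condition
| extend unapproved_count=arrays.len(unapproved_ips)
// keep only sessions with at least one unapproved IP
| where unapproved_count > 0
| project user, unapproved_ips, unapproved_count, hit_blocklist
```

Only the alice row passes the filter, because bob's single seen IP is on his approved list.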