Knowledge BaseCommunityRelease NotesRequest Demo

Array Functions

PantherFlow array functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

arrays.difference()

arrays.difference(arr: [any], excluded_arr: [any]) -> [any]

Returns an array that contains the elements from arr that are not in excluded_arr.

Example:

panther_logs.public.aws_alb
| project ips=arrays.difference(p_any_ip_addresses, p_any_trace_ids)

arrays.filter()

arrays.filter(array: [any], func: fn) -> [any]

Executes func on every element of array and returns a new array with only the elements where func returns true. Learn more about defining functions on PantherFlow Expressions.

Example:

datatable [{"a": [1, 2, 3]}]
| extend a_even=arrays.filter(a, fn (elem) { elem % 2 == 0 })

arrays.flatten()

arrays.flatten(array: [any]) -> [any]

When array is an array of arrays, returns a single array with all the elements of the inner arrays.

Example:

datatable [{"a": [[1, 2], [3]]}]
| extend a_flattened=arrays.flatten(a)

arrays.intersection()

arrays.intersection(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains only the elements that are in both arr1 and arr2.

Example:

panther_logs.public.aws_alb
| project ips=arrays.intersection(p_any_ip_addresses, p_any_trace_ids)

arrays.len()

arrays.len(arr: [any]) -> int

Returns the length of arr. If arr is not an array it is jsonified first.

Example:

panther_logs.public.aws_alb
| project ipsFound=arrays.len(p_any_ip_addresses)

arrays.map()

arrays.map(array: [any], func: fn) -> [any]

Executes func on each element of array and returns an array of the results. Learn more about defining functions on PantherFlow Expressions.

Example:

datatable [{"a": [1, 2, 3]}]
| extend a_plus_one=arrays.map(a, fn (elem) { elem + 1 })

arrays.overlap()

arrays.overlap(arr1: [any], arr2: [any]) -> bool

Returns true if arr1 and arr2 have any elements in common.

Example:

panther_logs.public.aws_alb
| project tracesHadIps=arrays.overlap(p_any_ip_addresses, p_any_trace_ids)

arrays.sort()

arrays.sort(arr: [any] [, sort_asc: bool] [, nulls_first: bool]) -> [any]

Returns an array that contains the elements of the input array arr sorted in ascending or descending order. Defaults to ascending order. You can specify whether or not null elements are sorted before or after non-null elements. Defaults to nulls last in ascending order and null first in descending order.

Example:

panther_logs.public.aws_alb
| project tracesSorted=arrays.sort(p_any_trace_ids, false)

arrays.union()

arrays.union(arr1: [any], arr2: [any]) -> [any]

Returns an array that contains all deduplicated elements of arr1 and arr2.

Example:

panther_logs.public.aws_alb
| project ips=arrays.union(p_any_ip_addresses, p_any_trace_ids)
PreviousString FunctionsNextMath Functions

Last updated

Was this helpful?