# Array Functions

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## `arrays.difference()`

`arrays.difference(arr: [any], excluded_arr: [any]) -> [any]`

Returns an array that contains the elements from `arr` that are not in `excluded_arr`.

**Example:**

```kusto
panther_logs.public.aws_alb
| project ips=arrays.difference(p_any_ip_addresses, p_any_trace_ids)
```

## `arrays.filter()`

`arrays.filter(array: [any], func: fn) -> [any]`

Executes `func` on every element of `array` and returns a new array with only the elements where `func` returns true. Learn more about defining functions on [PantherFlow Expressions](https://docs.panther.com/pantherflow/expressions#functions).

**Example:**

```kusto
datatable [{"a": [1, 2, 3]}]
| extend a_even=arrays.filter(a, fn (elem) { elem % 2 == 0 })
```

## `arrays.flatten()`

`arrays.flatten(array: [any]) -> [any]`

When `array` is an array of arrays, returns a single array with all the elements of the inner arrays.

**Example:**

```kusto
datatable [{"a": [[1, 2], [3]]}]
| extend a_flattened=arrays.flatten(a)
```

## `arrays.intersection()`

`arrays.intersection(arr1: [any], arr2: [any]) -> [any]`

Returns an array that contains only the elements that are in both `arr1` and `arr2`.

**Example:**

```kusto
panther_logs.public.aws_alb
| project ips=arrays.intersection(p_any_ip_addresses, p_any_trace_ids)
```

## `arrays.len()`

`arrays.len(arr: [any]) -> int`

Returns the length of `arr`. If `arr` is not an array, it is jsonified first.

**Example:**

```kusto
panther_logs.public.aws_alb
| project ipsFound=arrays.len(p_any_ip_addresses)
```

## `arrays.map()`

`arrays.map(array: [any], func: fn) -> [any]`

Executes `func` on each element of `array` and returns an array of the results. Learn more about defining functions on [PantherFlow Expressions](https://docs.panther.com/pantherflow/expressions#functions).

**Example:**

```kusto
datatable [{"a": [1, 2, 3]}]
| extend a_plus_one=arrays.map(a, fn (elem) { elem + 1 })
```

## `arrays.overlap()`

`arrays.overlap(arr1: [any], arr2: [any]) -> bool`

Returns true if `arr1` and `arr2` have any elements in common.

**Example:**

```kusto
panther_logs.public.aws_alb
| project tracesHadIps=arrays.overlap(p_any_ip_addresses, p_any_trace_ids)
```

## `arrays.sort()`

`arrays.sort(arr: [any] [, sort_asc: bool] [, nulls_first: bool]) -> [any]`

Returns an array that contains the elements of the input array `arr` sorted in ascending or descending order (ascending by default). You can specify whether null elements are sorted before or after non-null elements. By default, nulls are sorted last in ascending order and first in descending order.

**Example:**

```kusto
panther_logs.public.aws_alb
| project tracesSorted=arrays.sort(p_any_trace_ids, false)
```

## `arrays.union()`

`arrays.union(arr1: [any], arr2: [any]) -> [any]`

Returns an array that contains all elements of `arr1` and `arr2`, with duplicates removed.

**Example:**

```kusto
panther_logs.public.aws_alb
| project ips=arrays.union(p_any_ip_addresses, p_any_trace_ids)
```
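
The functions on this page compose. As an added example (not taken from the Panther documentation), the query below uses a constructed `datatable` with hypothetical columns `host`, `seen_ips` and `allowed_ips` to list, per host, the addresses that are not on its allowlist:

```kusto
// Constructed sample rows; column names are assumptions for illustration.
datatable [
  {"host": "web-1", "seen_ips": ["203.0.113.7", "10.0.0.5", "198.51.100.9"], "allowed_ips": ["10.0.0.5", "10.0.0.6"]},
  {"host": "web-2", "seen_ips": ["10.0.0.6"], "allowed_ips": ["10.0.0.5", "10.0.0.6"]}
]
// Addresses seen on the host that are absent from the allowlist, in a stable order.
| extend unexpected_ips=arrays.sort(arrays.difference(seen_ips, allowed_ips))
// How many unexpected addresses each host has.
| extend unexpected_count=arrays.len(unexpected_ips)
// Whether the host contacted any allowlisted address at all.
| extend touched_allowlist=arrays.overlap(seen_ips, allowed_ips)
| project host, unexpected_ips, unexpected_count, touched_allowlist
```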
