Other Functions

PantherFlow miscellaneous functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

`coalesce()`

coalesce(value1: any, value2: any, valueN: any, ... ) -> any

Returns the first non-null value in the list of arguments.

Example:

panther_logs.public.aws_alb
| project firstArn=coalesce(targetGroupArn, chosenCertArn)

`toscalar()`

toscalar(query: tabular) -> any

Converts a query to a scalar value. If the row contains more than one value it randomly selects one of the values. If the query returns more than one row, it selects the first row.

Example:

panther_logs.public.aws_alb
| extend avgBytes = toscalar(panther_logs.public.aws_alb | summarize agg.avg(receivedBytes) by ip_address)
| project biggerMsg = receivedBytes - avgBytes > 0, receivedBytes

PreviousData Type Functions NextPantherFlow Example Queries

Last updated 7 hours ago