# Range Operator

## Overview

Generate a sequence of incrementing rows with `range`.

```kusto
range <dest> from <start> to <end> step <size>
```

You can use `range` to generate a table with an incrementing set of rows, which may be useful when building sequences of data.

The first value in the sequence is `<start>`, and following rows are generated by adding `<size>` to the previous row. The final value in the sequence is the last value that is less than or equal to `<end>`—in other words, the sequence is inclusive of `<end>`. `<dest>` is name of the field the resulting sequence is assigned to. The values of `<start>`, `<end>`, and `<step>` must be integers.

`range` is one of the [possible PantherFlow data sources](/pantherflow/statements.md#data-sources), and can only be used as a table source.

## Examples

### Generate a sequence

Generate a sequence from 0 to 5 (inclusive).

```kusto
range N from 0 to 5 step 1
```

| N |
| - |
| 0 |
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |

### Generate a sequence with a larger step

Sequences stop at the last number that is less than or equal to `<end>`.

```kusto
range data from 1 to 4 step 2
```

Output:

| data |
| ---- |
| 1    |
| 3    |

### Generate a sequence of timestamps

`range` can be used to create time sequences.

```kusto
range data from 0 to 2 step 1
| project t = time.add(time.now(), data, 'h')
```

| t                          |
| -------------------------- |
| 2025-03-13 15:41:46.368000 |
| 2025-03-13 16:41:46.368000 |
| 2025-03-13 17:41:46.368000 |

### Generate time buckets for time series analysis

`range` can be combined with other operators to perform time series analysis. The example below creates hourly buckets into which Panther audit logs are mapped:

```kusto
let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_actors = panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| summarize by actor=actor.name;

let zeroes = all_times
| join kind=cross actors=(all_actors)
| project bucket, actor=actors.actor, eventcount=0;

panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, actor=actor.name
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, actor
| sort bucket asc, actor asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=actor, legend=bottom, title="Count of Panther Audit Actions Per User Over Last 24 Hours"
```

<figure><img src="/files/SmO1Bu1PkR69WS1tkNGN" alt="Under a &#x22;Count of Panther Audit Actions Per User Over Last 24 Hours&#x22; header is a line chart."><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/pantherflow/operators/range.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.