Range Operator

Overview

Generate a sequence of incrementing rows with range.

range <dest> from <start> to <end> step <size>

You can use range to generate a table with an incrementing set of rows, which may be useful when building sequences of data.

The first value in the sequence is <start>, and following rows are generated by adding <size> to the previous row. The final value in the sequence is the last value that is less than or equal to <end>—in other words, the sequence is inclusive of <end>. <dest> is name of the field the resulting sequence is assigned to. The values of <start>, <end>, and <step> must be integers.

range is one of the possible PantherFlow data sources, and can only be used as a table source.

Examples

Generate a sequence

Generate a sequence from 0 to 5 (inclusive).

range N from 0 to 5 step 1

Generate a sequence with a larger step

Sequences stop at the last number that is less than or equal to <end>.

range data from 1 to 4 step 2

Output:

data

Generate a sequence of timestamps

range can be used to create time sequences.

range data from 0 to 2 step 1
| project t = time.add(time.now(), data, 'h')

2025-03-13 15:41:46.368000

2025-03-13 16:41:46.368000

2025-03-13 17:41:46.368000

Generate time buckets for time series analysis

range can be combined with other operators to perform time series analysis. The example below creates hourly buckets into which Panther audit logs are mapped:

let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_actors = panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| summarize by actor=actor.name;

let zeroes = all_times
| join kind=cross actors=(all_actors)
| project bucket, actor=actors.actor, eventcount=0;

panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, actor=actor.name
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, actor
| sort bucket asc, actor asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=actor, legend=bottom, title="Count of Panther Audit Actions Per User Over Last 24 Hours"

Under a "Count of Panther Audit Actions Per User Over Last 24 Hours" header is a line chart.

PreviousProject Operator NextSort Operator

Last updated 9 months ago

Was this helpful?

hashtagOverview

hashtagExamples

hashtagGenerate a sequence

hashtagGenerate a sequence with a larger step

hashtagGenerate a sequence of timestamps

hashtagGenerate time buckets for time series analysis