# Range Operator

## Overview

Generate a sequence of incrementing rows with `range`.

```kusto
range <dest> from <start> to <end> step <size>
```

You can use `range` to generate a table with an incrementing set of rows, which may be useful when building sequences of data.

The first value in the sequence is `<start>`, and following rows are generated by adding `<size>` to the previous row. The final value in the sequence is the last value that is less than or equal to `<end>`—in other words, the sequence is inclusive of `<end>`. `<dest>` is name of the field the resulting sequence is assigned to. The values of `<start>`, `<end>`, and `<step>` must be integers.

`range` is one of the [possible PantherFlow data sources](https://docs.panther.com/statements#data-sources), and can only be used as a table source.

## Examples

### Generate a sequence

Generate a sequence from 0 to 5 (inclusive).

```kusto
range N from 0 to 5 step 1
```

| N |
| - |
| 0 |
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |

### Generate a sequence with a larger step

Sequences stop at the last number that is less than or equal to `<end>`.

```kusto
range data from 1 to 4 step 2
```

Output:

| data |
| ---- |
| 1    |
| 3    |

### Generate a sequence of timestamps

`range` can be used to create time sequences.

```kusto
range data from 0 to 2 step 1
| project t = time.add(time.now(), data, 'h')
```

| t                          |
| -------------------------- |
| 2025-03-13 15:41:46.368000 |
| 2025-03-13 16:41:46.368000 |
| 2025-03-13 17:41:46.368000 |

### Generate time buckets for time series analysis

`range` can be combined with other operators to perform time series analysis. The example below creates hourly buckets into which Panther audit logs are mapped:

```kusto
let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_actors = panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| summarize by actor=actor.name;

let zeroes = all_times
| join kind=cross actors=(all_actors)
| project bucket, actor=actors.actor, eventcount=0;

panther_logs.public.panther_audit 
| where p_event_time > time.ago(1d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, actor=actor.name
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, actor
| sort bucket asc, actor asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=actor, legend=bottom, title="Count of Panther Audit Actions Per User Over Last 24 Hours"
```

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-778f25a10f601dd9640f0d3514b5454b45e4fbb8%2Fimage.png?alt=media" alt="Under a &#x22;Count of Panther Audit Actions Per User Over Last 24 Hours&#x22; header is a line chart."><figcaption></figcaption></figure>