> For the complete documentation index, see [llms.txt](https://docs.panther.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.panther.com/pantherflow/quick-reference.md).

# PantherFlow Quick Reference

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

* [Tabular expression statement](/pantherflow/statements.md#tabular-expression-statements): Identifies a data source and can include operators separated by pipes

  ```kusto
  panther_logs.public.aws_cloudtrail
  | where accountId != '1234567'
  | summarize Count=agg.count() by eventName
  | extend tooHigh = Count > 100
  ```
* [Let statement](/pantherflow/statements.md#let-statements): Assigns a tabular expression or a scalar expression to a variable

  ```kusto
  // Defining a table variable
  let subquery_name = mytable
  | where foo == 'bar';

  // Defining a scalar variable
  let my_search_term = 'quark'

  // Referencing table variable and scalar variable
  subquery_name
  | where baz == my_search_term
  ```

## Operators

<table><thead><tr><th width="162.33333333333331">Name</th><th width="229">Description</th><th>Example</th></tr></thead><tbody><tr><td>&#x3C;from></td><td>Get data from table</td><td><code>table1</code></td></tr><tr><td><a href="/pages/fA7hnPuLdJUgMlNmyHYW"><code>datatable</code></a></td><td>Use provided test data</td><td><code>datatable [{"foo":"bar"}]</code></td></tr><tr><td><a href="/pages/Lo5Zoz9rIKiH9AEAikbm"><code>extend</code></a></td><td>Add a new field</td><td><code>T | extend foo=bar</code></td></tr><tr><td><a href="/pages/Z3f3cDGhgpRFz2bfLshl"><code>join</code></a></td><td>Join with another table</td><td><code>T | join kind=inner dest=(foo) on $left.id == $right.id</code></td></tr><tr><td><a href="/pages/uFp3dVd95Ya7rEz6mld3"><code>limit</code></a></td><td>Limit the number of rows</td><td><code>T | limit 10</code></td></tr><tr><td><a href="/pages/oCACp3IdZeGcuhhVGX1r"><code>project</code></a></td><td>Show only certain fields</td><td><code>T | project foo, bar</code></td></tr><tr><td><a href="/pages/BeA5d89Mi8l9HlMSC7PG"><code>range</code></a></td><td>Generate a sequence of rows</td><td><code>range N from 1 to 5 step 1</code></td></tr><tr><td><a href="/pages/UfEdWmcYvOg00ElQwT8y"><code>sort</code></a></td><td>Sort</td><td><code>T | sort time</code></td></tr><tr><td><a href="/pages/QL6XCGM0iWrHr7eCMhgB"><code>search</code></a></td><td>Text search for a value</td><td><code>T | search 'foo'</code></td></tr><tr><td><a href="/pages/vW46hlsy2WhjAPf7e29U"><code>summarize</code></a></td><td>Aggregate</td><td><code>T | summarize agg.count() by foo</code></td></tr><tr><td><a href="/pages/uCvo3eF7JgbTr3mNIX5O"><code>union</code></a></td><td>Query multiple tables</td><td><code>T | union table1, table2</code></td></tr><tr><td><a href="/pages/Two7qXMXxTO2UE9Zw8Yj"><code>visualize</code></a></td><td>Generate chart</td><td><code>T | visualize line</code></td></tr><tr><td><a href="/pages/qi0YXkQDcreWq2UXCOpN"><code>where</code></a></td><td>Filter</td><td><code>T | where foo == bar</code></td></tr></tbody></table>

## Data types

<table><thead><tr><th width="176">Data type</th><th>Example acceptable values</th></tr></thead><tbody><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#integer">Integer</a></td><td><code>1</code>, <code>-1</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#double">Double</a></td><td><code>1.0</code>, <code>-1.0</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#string">String</a></td><td><code>'foo'</code>, <code>"foo"</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#boolean">Boolean</a></td><td><code>true</code>, <code>false</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#timestamp">Timestamp</a></td><td><code>time.parse_timestamp('2023-06-01 13:14:15.00Z')</code>, <code>time.parse_timestamp('2023-06-01')</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#timespan">Timespan</a></td><td><code>15s</code>, <code>2d</code>, <code>time.parse_timespan('1d')</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#object">Object</a></td><td><code>{key1: value1, key2: value2}</code>, <code>object('key1', 'foo', 'key2', 1)</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#array">Array</a></td><td><code>[A, B, C]</code>, <code>array('apple', 'orange')</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#table">Table</a></td><td><code>tableName</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#column">Column</a></td><td><code>columnName</code></td></tr><tr><td><a href="/pages/bUKbFlyFtb6FteV1RwGI#null">Null</a></td><td><code>null</code></td></tr></tbody></table>

## Expressions

### References

* [Array](/pantherflow/expressions.md#array-references): `array[X]`
* [Objects](/pantherflow/expressions.md#object-references): `object['X']`, `object.X`

### Comparisons

* [Equality](/pantherflow/expressions.md#equality-comparisons): `==`, `!=`
* [Boolean](/pantherflow/expressions.md#boolean-comparisons): `and`, `or`, `not`
* [Numerical](/pantherflow/expressions.md#numerical-comparisons): `<`, `<=`, `>`, `>=`, `+`, `-`, `*`, `/`, `%`
* [Arrays](/pantherflow/expressions.md#array-comparisons): `in`, `not in`
* [Between](/pantherflow/expressions.md#between-comparisons): `between`, `not between`

### Functions <a href="#expressions-functions" id="expressions-functions"></a>

* [Anonymous functions](/pantherflow/expressions.md#anonymous-functions): `fn ([arg1] [, arg2...]]) { <expr> }`

## Functions

### Aggregations

* [`agg.avg()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.avg)
* [`agg.count()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.count)
* [`agg.count_distinct()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.count_distinct)
* [`agg.make_set()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.make_set)
* [`agg.max()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.max)
* [`agg.min()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.min)
* [`agg.percentile_cont()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.percentile_cont)
* [`agg.stddev()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.stddev)
* [`agg.sum()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.sum)
* [`agg.take_any()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.take_any)

### Date/time

* [`time.add()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.add)
* [`time.ago()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.ago)
* [`time.diff()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.diff)
* [`time.now()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.now)
* [`time.parse_timespan()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.parse_timespan)
* [`time.parse_timestamp()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.parse_timestamp)
* [`time.slice()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.slice)
* [`time.trunc()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.trunc)

### Strings

* [`strings.cat()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.cat)
* [`strings.contains()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.contains)
* [`strings.ends_with()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.ends_with)
* [`strings.ilike()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.ilike)
* [`strings.join()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.join)
* [`strings.len()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.len)
* [`strings.like()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.like)
* [`strings.lower()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.lower)
* [`strings.split()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.split)
* [`strings.starts_with()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.starts_with)
* [`strings.upper()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.upper)

### Arrays

* [`arrays.difference()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.difference)
* [`arrays.filter()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.filter)
* [`arrays.flatten()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.flatten)
* [`arrays.intersection()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.intersection)
* [`arrays.len()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.len)
* [`arrays.map()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.map)
* [`arrays.overlap()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.overlap)
* [`arrays.sort()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.sort)
* [`arrays.union()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.union)

### Math

* [`math.abs()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.abs)
* [`math.ceil()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.ceil)
* [`math.floor()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.floor)
* [`math.round()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.round)

### Control flow

* [`case()`](/pantherflow/functions/control-flow.md#case)

### Data types

* [`array()`](/pantherflow/functions/data-type.md#array)
* [`object()`](/pantherflow/functions/data-type.md#object)

### Other

* [`coalesce()`](/pantherflow/functions/other.md#coalesce)
* [`toscalar()`](/pantherflow/functions/other.md#toscalar)

## Comments

Write a comment with two slashes:

```kusto
// a comment
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.panther.com/pantherflow/quick-reference.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.