# PantherFlow Quick Reference

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

* [Tabular expression statement](https://docs.panther.com/statements#tabular-expression-statements): Identifies a data source and can include operators separated by pipes

  ```kusto
  panther_logs.public.aws_cloudtrail
  | where accountId != '1234567'
  | summarize Count=agg.count() by eventName
  | extend tooHigh = Count > 100
  ```
* [Let statement](https://docs.panther.com/statements#let-statements): Assigns a tabular expression or a scalar expression to a variable

  ```kusto
  // Defining a table variable
  let subquery_name = mytable
  | where foo == 'bar';

  // Defining a scalar variable
  let my_search_term = 'quark'

  // Referencing table variable and scalar variable
  subquery_name
  | where baz == my_search_term
  ```

## Operators

<table><thead><tr><th width="162.33333333333331">Name</th><th width="229">Description</th><th>Example</th></tr></thead><tbody><tr><td>&#x3C;from></td><td>Get data from table</td><td><code>table1</code></td></tr><tr><td><a href="operators/datatable"><code>datatable</code></a></td><td>Use provided test data</td><td><code>datatable [{"foo":"bar"}]</code></td></tr><tr><td><a href="operators/extend"><code>extend</code></a></td><td>Add a new field</td><td><code>T | extend foo=bar</code></td></tr><tr><td><a href="operators/join"><code>join</code></a></td><td>Join with another table</td><td><code>T | join kind=inner dest=(foo) on $left.id == $right.id</code></td></tr><tr><td><a href="operators/limit"><code>limit</code></a></td><td>Limit the number of rows</td><td><code>T | limit 10</code></td></tr><tr><td><a href="operators/project"><code>project</code></a></td><td>Show only certain fields</td><td><code>T | project foo, bar</code></td></tr><tr><td><a href="operators/range"><code>range</code></a></td><td>Generate a sequence of rows</td><td><code>range N from 1 to 5 step 1</code></td></tr><tr><td><a href="operators/sort"><code>sort</code></a></td><td>Sort</td><td><code>T | sort time</code></td></tr><tr><td><a href="operators/search"><code>search</code></a></td><td>Text search for a value</td><td><code>T | search 'foo'</code></td></tr><tr><td><a href="operators/summarize"><code>summarize</code></a></td><td>Aggregate</td><td><code>T | summarize agg.count() by foo</code></td></tr><tr><td><a href="operators/union"><code>union</code></a></td><td>Query multiple tables</td><td><code>T | union table1, table2</code></td></tr><tr><td><a href="operators/visualize"><code>visualize</code></a></td><td>Generate chart</td><td><code>T | visualize line</code></td></tr><tr><td><a href="operators/where"><code>where</code></a></td><td>Filter</td><td><code>T | where foo == bar</code></td></tr></tbody></table>

## Data types

<table><thead><tr><th width="176">Data type</th><th>Example acceptable values</th></tr></thead><tbody><tr><td><a href="../data-types#integer">Integer</a></td><td><code>1</code>, <code>-1</code></td></tr><tr><td><a href="../data-types#double">Double</a></td><td><code>1.0</code>, <code>-1.0</code></td></tr><tr><td><a href="../data-types#string">String</a></td><td><code>'foo'</code>, <code>"foo"</code></td></tr><tr><td><a href="../data-types#boolean">Boolean</a></td><td><code>true</code>, <code>false</code></td></tr><tr><td><a href="../data-types#timestamp">Timestamp</a></td><td><code>time.parse_timestamp('2023-06-01 13:14:15.00Z')</code>, <code>time.parse_timestamp('2023-06-01')</code></td></tr><tr><td><a href="../data-types#timespan">Timespan</a></td><td><code>15s</code>, <code>2d</code>, <code>time.parse_timespan('1d')</code></td></tr><tr><td><a href="../data-types#object">Object</a></td><td><code>{key1: value1, key2: value2}</code>, <code>object('key1', 'foo', 'key2', 1)</code></td></tr><tr><td><a href="../data-types#array">Array</a></td><td><code>[A, B, C]</code>, <code>array('apple', 'orange')</code></td></tr><tr><td><a href="../data-types#table">Table</a></td><td><code>tableName</code></td></tr><tr><td><a href="../data-types#column">Column</a></td><td><code>columnName</code></td></tr><tr><td><a href="../data-types#null">Null</a></td><td><code>null</code></td></tr></tbody></table>

## Expressions

### References

* [Array](https://docs.panther.com/expressions#array-references): `array[X]`
* [Objects](https://docs.panther.com/expressions#object-references): `object['X']`, `object.X`

### Comparisons

* [Equality](https://docs.panther.com/expressions#equality-comparisons): `==`, `!=`
* [Boolean](https://docs.panther.com/expressions#boolean-comparisons): `and`, `or`, `not`
* [Numerical](https://docs.panther.com/expressions#numerical-comparisons): `<`, `<=`, `>`, `>=`, `+`, `-`, `*`, `/`, `%`
* [Arrays](https://docs.panther.com/expressions#array-comparisons): `in`, `not in`
* [Between](https://docs.panther.com/expressions#between-comparisons): `between`, `not between`

### Functions <a href="#expressions-functions" id="expressions-functions"></a>

* [Anonymous functions](https://docs.panther.com/expressions#anonymous-functions): `fn ([arg1] [, arg2...]]) { <expr> }`

## Functions

### Aggregations

* [`agg.avg()`](https://docs.panther.com/functions/aggregation#agg.avg)
* [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count)
* [`agg.count_distinct()`](https://docs.panther.com/functions/aggregation#agg.count_distinct)
* [`agg.make_set()`](https://docs.panther.com/functions/aggregation#agg.make_set)
* [`agg.max()`](https://docs.panther.com/functions/aggregation#agg.max)
* [`agg.min()`](https://docs.panther.com/functions/aggregation#agg.min)
* [`agg.percentile_cont()`](https://docs.panther.com/functions/aggregation#agg.percentile_cont)
* [`agg.stddev()`](https://docs.panther.com/functions/aggregation#agg.stddev)
* [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum)
* [`agg.take_any()`](https://docs.panther.com/functions/aggregation#agg.take_any)

### Date/time

* [`time.add()`](https://docs.panther.com/functions/date-time#time.add)
* [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago)
* [`time.diff()`](https://docs.panther.com/functions/date-time#time.diff)
* [`time.now()`](https://docs.panther.com/functions/date-time#time.now)
* [`time.parse_timespan()`](https://docs.panther.com/functions/date-time#time.parse_timespan)
* [`time.parse_timestamp()`](https://docs.panther.com/functions/date-time#time.parse_timestamp)
* [`time.slice()`](https://docs.panther.com/functions/date-time#time.slice)
* [`time.trunc()`](https://docs.panther.com/functions/date-time#time.trunc)

### Strings

* [`strings.cat()`](https://docs.panther.com/functions/string#strings.cat)
* [`strings.contains()`](https://docs.panther.com/functions/string#strings.contains)
* [`strings.ends_with()`](https://docs.panther.com/functions/string#strings.ends_with)
* [`strings.ilike()`](https://docs.panther.com/functions/string#strings.ilike)
* [`strings.join()`](https://docs.panther.com/functions/string#strings.join)
* [`strings.len()`](https://docs.panther.com/functions/string#strings.len)
* [`strings.like()`](https://docs.panther.com/functions/string#strings.like)
* [`strings.lower()`](https://docs.panther.com/functions/string#strings.lower)
* [`strings.split()`](https://docs.panther.com/functions/string#strings.split)
* [`strings.starts_with()`](https://docs.panther.com/functions/string#strings.starts_with)
* [`strings.upper()`](https://docs.panther.com/functions/string#strings.upper)

### Arrays

* [`arrays.difference()`](https://docs.panther.com/functions/array#arrays.difference)
* [`arrays.filter()`](https://docs.panther.com/functions/array#arrays.filter)
* [`arrays.flatten()`](https://docs.panther.com/functions/array#arrays.flatten)
* [`arrays.intersection()`](https://docs.panther.com/functions/array#arrays.intersection)
* [`arrays.len()`](https://docs.panther.com/functions/array#arrays.len)
* [`arrays.map()`](https://docs.panther.com/functions/array#arrays.map)
* [`arrays.overlap()`](https://docs.panther.com/functions/array#arrays.overlap)
* [`arrays.sort()`](https://docs.panther.com/functions/array#arrays.sort)
* [`arrays.union()`](https://docs.panther.com/functions/array#arrays.union)

### Math

* [`math.abs()`](https://docs.panther.com/functions/math#math.abs)
* [`math.ceil()`](https://docs.panther.com/functions/math#math.ceil)
* [`math.floor()`](https://docs.panther.com/functions/math#math.floor)
* [`math.round()`](https://docs.panther.com/functions/math#math.round)

### Control flow

* [`case()`](https://docs.panther.com/functions/control-flow#case)

### Data types

* [`array()`](https://docs.panther.com/functions/data-type#array)
* [`object()`](https://docs.panther.com/functions/data-type#object)

### Other

* [`coalesce()`](https://docs.panther.com/functions/other#coalesce)
* [`toscalar()`](https://docs.panther.com/functions/other#toscalar)

## Comments

Write a comment with two slashes:

```kusto
// a comment
```