PantherFlow Quick Reference
Overview of PantherFlow functionality
Last updated
Was this helpful?
Overview of PantherFlow functionality
Last updated
Was this helpful?
PantherFlow queries are made up of one or more statements. There are two types of statements:
: Identifies a data source and can include operators separated by pipes
: Assigns a tabular expression or a scalar expression to a variable
<from>
Get data from table
table1
Use provided test data
datatable [{"foo":"bar"}]
Add a new field
T | extend foo=bar
Join with another table
T | join kind=inner dest=(foo) on $left.id == $right.id
Limit the number of rows
T | limit 10
Show only certain fields
T | project foo, bar
Generate a sequence of rows
range N from 1 to 5 step 1
Sort
T | sort time
Text search for a value
T | search 'foo'
Aggregate
T | summarize agg.count() by foo
Query multiple tables
T | union table1, table2
Generate chart
T | visualize line
Filter
T | where foo == bar
1, -1
1.0, -1.0
'foo', "foo"
true, false
time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')
15s, 2d, time.parse_timespan('1d')
{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)
[A, B, C], array('apple', 'orange')
tableName
columnName
null
Write a comment with two slashes:
: array[X]
: object['X'], object.X
: ==, !=
: and, or, not
: <, <=, >, >=, +, -, *, /, %
: in, not in
: between, not between
: fn ([arg1] [, arg2...]]) { <expr> }