# PantherFlow Quick Reference {% hint style="info" %} PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} ## Statements PantherFlow queries are made up of one or more statements. There are two types of statements: * [Tabular expression statement](/pantherflow/statements.md#tabular-expression-statements): Identifies a data source and can include operators separated by pipes ```kusto panther_logs.public.aws_cloudtrail | where accountId != '1234567' | summarize Count=agg.count() by eventName | extend tooHigh = Count > 100 ``` * [Let statement](/pantherflow/statements.md#let-statements): Assigns a tabular expression or a scalar expression to a variable ```kusto // Defining a table variable let subquery_name = mytable | where foo == 'bar'; // Defining a scalar variable let my_search_term = 'quark' // Referencing table variable and scalar variable subquery_name | where baz == my_search_term ``` ## Operators

Name	Description	Example
<from>	Get data from table	`table1`
`datatable`	Use provided test data	`datatable [{"foo":"bar"}]`
`extend`	Add a new field	`T \| extend foo=bar`
`join`	Join with another table	`T \| join kind=inner dest=(foo) on $left.id == $right.id`
`limit`	Limit the number of rows	`T \| limit 10`
`project`	Show only certain fields	`T \| project foo, bar`
`range`	Generate a sequence of rows	`range N from 1 to 5 step 1`
`sort`	Sort	`T \| sort time`
`search`	Text search for a value	`T \| search 'foo'`
`summarize`	Aggregate	`T \| summarize agg.count() by foo`
`union`	Query multiple tables	`T \| union table1, table2`
`visualize`	Generate chart	`T \| visualize line`
`where`	Filter	`T \| where foo == bar`

## Data types

Data type	Example acceptable values
Integer	`1`, `-1`
Double	`1.0`, `-1.0`
String	`'foo'`, `"foo"`
Boolean	`true`, `false`
Timestamp	`time.parse_timestamp('2023-06-01 13:14:15.00Z')`, `time.parse_timestamp('2023-06-01')`
Timespan	`15s`, `2d`, `time.parse_timespan('1d')`
Object	`{key1: value1, key2: value2}`, `object('key1', 'foo', 'key2', 1)`
Array	`[A, B, C]`, `array('apple', 'orange')`
Table	`tableName`
Column	`columnName`
Null	`null`

## Expressions ### References * [Array](/pantherflow/expressions.md#array-references): `array[X]` * [Objects](/pantherflow/expressions.md#object-references): `object['X']`, `object.X` ### Comparisons * [Equality](/pantherflow/expressions.md#equality-comparisons): `==`, `!=` * [Boolean](/pantherflow/expressions.md#boolean-comparisons): `and`, `or`, `not` * [Numerical](/pantherflow/expressions.md#numerical-comparisons): `<`, `<=`, `>`, `>=`, `+`, `-`, `*`, `/`, `%` * [Arrays](/pantherflow/expressions.md#array-comparisons): `in`, `not in` * [Between](/pantherflow/expressions.md#between-comparisons): `between`, `not between` ### Functions * [Anonymous functions](/pantherflow/expressions.md#anonymous-functions): `fn ([arg1] [, arg2...]]) { }` ## Functions ### Aggregations * [`agg.avg()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.avg) * [`agg.count()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.count) * [`agg.count_distinct()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.count_distinct) * [`agg.make_set()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.make_set) * [`agg.max()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.max) * [`agg.min()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.min) * [`agg.percentile_cont()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.percentile_cont) * [`agg.stddev()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.stddev) * [`agg.sum()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.sum) * [`agg.take_any()`](https://docs.panther.com/pantherflow/pages/HJdp9q9LKlt0MME6NKdc#agg.take_any) ### Date/time * [`time.add()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.add) * [`time.ago()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.ago) * [`time.diff()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.diff) * [`time.now()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.now) * [`time.parse_timespan()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.parse_timespan) * [`time.parse_timestamp()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.parse_timestamp) * [`time.slice()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.slice) * [`time.trunc()`](https://docs.panther.com/pantherflow/pages/Bfjm29XLkyQTAunzhThM#time.trunc) ### Strings * [`strings.cat()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.cat) * [`strings.contains()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.contains) * [`strings.ends_with()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.ends_with) * [`strings.ilike()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.ilike) * [`strings.join()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.join) * [`strings.len()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.len) * [`strings.like()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.like) * [`strings.lower()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.lower) * [`strings.split()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.split) * [`strings.starts_with()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.starts_with) * [`strings.upper()`](https://docs.panther.com/pantherflow/pages/bTC6h3OUTuSVQygTdQ4G#strings.upper) ### Arrays * [`arrays.difference()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.difference) * [`arrays.filter()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.filter) * [`arrays.flatten()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.flatten) * [`arrays.intersection()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.intersection) * [`arrays.len()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.len) * [`arrays.map()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.map) * [`arrays.overlap()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.overlap) * [`arrays.sort()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.sort) * [`arrays.union()`](https://docs.panther.com/pantherflow/pages/zFdrNwB3HeOOixXyDKpS#arrays.union) ### Math * [`math.abs()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.abs) * [`math.ceil()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.ceil) * [`math.floor()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.floor) * [`math.round()`](https://docs.panther.com/pantherflow/pages/mo83R6mUaWsxnQkcjPl6#math.round) ### Control flow * [`case()`](/pantherflow/functions/control-flow.md#case) ### Data types * [`array()`](/pantherflow/functions/data-type.md#array) * [`object()`](/pantherflow/functions/data-type.md#object) ### Other * [`coalesce()`](/pantherflow/functions/other.md#coalesce) * [`toscalar()`](/pantherflow/functions/other.md#toscalar) ## Comments Write a comment with two slashes: ```kusto // a comment ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/pantherflow/quick-reference.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.