PantherFlow Quick Reference
Overview of PantherFlow functionality
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Statements
PantherFlow queries are made up of one or more statements. There are two types of statements:
Tabular expression statement: Identifies a data source and can include operators separated by pipes
Let statement: Assigns a tabular expression or a scalar expression to a variable
Operators
<from>
Get data from table
table1
Use provided test data
datatable [{"foo":"bar"}]
Add a new field
T | extend foo=bar
Join with another table
T | join kind=inner dest=(foo) on $left.id == $right.id
Limit the number of rows
T | limit 10
Show only certain fields
T | project foo, bar
Generate a sequence of rows
range N from 1 to 5 step 1
Sort
T | sort time
Text search for a value
T | search 'foo'
Aggregate
T | summarize agg.count() by foo
Query multiple tables
T | union table1, table2
Generate chart
T | visualize line
Filter
T | where foo == bar
Data types
1, -1
1.0, -1.0
'foo', "foo"
true, false
time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')
15s, 2d, time.parse_timespan('1d')
{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)
[A, B, C], array('apple', 'orange')
tableName
columnName
null
Expressions
References
Comparisons
Equality:
==,!=Boolean:
and,or,notNumerical:
<,<=,>,>=,+,-,*,/,%Arrays:
in,not inBetween:
between,not between
Functions
Anonymous functions:
fn ([arg1] [, arg2...]]) { <expr> }
Functions
Aggregations
Date/time
Strings
Arrays
Math
Control flow
Data types
Other
Comments
Write a comment with two slashes:
Last updated
Was this helpful?