# Search ## Overview In the Search tool in Panther, search across all of your data—including log events, rule matches, and more—without writing SQL. You can use dropdown fields to create filter expressions, and group them using `AND` and `OR` functionality. It's also possible to execute [PantherFlow](https://docs.panther.com/pantherflow) queries in Search—including to generate [visualizations](https://docs.panther.com/pantherflow/operators/visualize) that can be added to [custom dashboards](https://docs.panther.com/search/visualization-and-dashboards/custom). Filter expressions can be constructed in different ways: as [key/value pairs](#key-value-filter-expression), a [free text](#free-text-filter-expression) search, or a [regular expression](#regular-expression-regex-filter-expression) search. Each of these can also use [wildcard characters](#using-wildcards-in-filter-expressions). You can combine different types of filter expressions in one search.
In the Search page in Panther, there are two conditions joined by "OR" : "Source Domain is apigateway.amazonaws.com" and ".*aws:.*admin.*". Below the search conditions is a histogram, followed by a results table.
When a search is run, a results table is displayed below a histogram visualizing the distribution of result events over time. The results table is customizable—you can [add or remove event fields](#adding-removing-and-reordering-fields-in-the-results-table) as columns. Also from the results table, you can [add inclusive/exclusive filters](#how-to-create-an-inclusive-or-exclusive-filter-expression-from-results) to your search, pivot, and [look up related enrichment data](#how-to-explore-enrichment-data-for-a-value-from-results). You can [use Panther AI to summarize your results set](#panther-ai-search-results-summary). You can [collaborate with your team](#sharing-a-search) by downloading the results table, or sharing a link to your specific search in Panther. ## How to use Search You can effectively search your data using: * A combination of filters: Start by making selections in the [database, table, and date range filters](#using-database-table-and-date-range-filters)—then [create your own filter expressions](#creating-filter-expressions). * PantherFlow: [Learn how to use PantherFlow in Search below](#using-pantherflow-in-search) ### Using database, table, and date range filters Use the database, table, and date range filters to narrow the scope of your search. Using these controls is optional, but can significantly improve search performance when searching over large data sets. Learn more about each of these filters below. {% hint style="info" %} If you [write a PantherFlow query](#using-pantherflow-in-search) in Search, Panther attempts to keep the query text in sync with database, table, and date range filter values. Learn more in [PantherFlow query text and filter syncing](#pantherflow-query-text-and-filter-syncing). {% endhint %}
The Search UI in Panther is shown. Three dropdowns in the upper-right corner are shown. The first has a selection of "Logs," the second has a selection of "All tables," and the third has a value of "Last 24 hours."
#### Database filter Use the database filter to narrow your search to certain databases, such as only **Logs** or **Rule Matches**. The default value of this filter is **Logs**. The options contained in the database filter are: * Rule Matches * Logs * Lookups * Monitor * Cloud Security * Rule Errors * Signals
Three dropdown fields are shown. The first one is open, and the checkbox next to "Logs" is selected. The middle dropdown has a selection of "All tables" made, and the third has a selection of "Last 24 hours."
#### Table filter Use the table filter to narrow your search to certain tables, within the databases indicated by the [database filter](#database-filter). The default value of this filter is **All tables**, which includes all tables for each included database. You can narrow the search by selecting only certain tables in this dropdown.
Three dropdowns are shown: in the first, "Monitor" is selected. the second one is open, and the checkbox next to "Classification Failures" is checked. In the third dropdown, "Last month" is selected.
#### Date range filter Use the date range filter to narrow your search to a certain period of time. The default value of this filter is **Last 20 mins**. You can use one of the preset relative options (like **Last hour** or **Last week**), set your own relative window with **Relative time**, remove the time constraint with **All time**, or set a specific window with **Custom range**. When using Custom range, take note of [how time zones are used in Search](#time-zones-in-search).
A dropdown field with the selection "Last 20 mins" is shown. It is expanded and multiple options are shown, including "Last 3 months" and "All time".
Two fields are shown: one is a numerical field with increase/decrease arrows, and the other is a dropdown with the value "mins" selected. At the bottom are "Cancel" and "Apply" buttons.
A date and time picker is shown. On the left-hand side there are preset relative values, like "Last hour," "Last 3 days," etc. On the right-hand side is a calendar picker, as well as dropdown fields to select the time. At the bottom are "Cancel" and "Apply" buttons.
### Time zones in Search If your Panther Console **Display UTC Time Zone** [setting](https://docs.panther.com/system-configuration#main-information) is `ON`, the Search tool will use Universal Coordinated Time (UTC) whenever displaying a timestamp. If the setting is `OFF`, the Search tool will use your local time zone when displaying a timestamp in the following locations: * When creating a custom range in the [date range filter](#date-range-filter):\ ![Two dates/times are shown, labeled "Time From (Local)" and "Time To (Local)"](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3af4bcaa7b9234b4edf1bad493faedd22219a6a6%2FScreenshot%202025-07-15%20at%2012.28.40%E2%80%AFPM.png?alt=media) * In [key/value filter expressions](#key-value-filter-expression) where the value is a timestamp:\ ![The words "Parse Time is after 07/15/2025 12:15" are shown.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9b84b2acc38f3853a2e6d0ec1e87e36a01d5993b%2FScreenshot%202025-07-15%20at%2012.30.52%E2%80%AFPM.png?alt=media) * In the results table `TIME` column:\ ![Under a header reading "675,333 events" a "TIME (LOCAL)" column header is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-103d20263af15fe7ffde2707c10c823650723fdc%2FScreenshot%202025-07-15%20at%2012.43.20%E2%80%AFPM.png?alt=media) * Other timestamp columns in the results table (i.e., those that aren't `TIME`) will still show in UTC.\ ![A column with the header "Parse Time" is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fca9ac7d8f5e2fb16fed258e8da16edae9c9e43b%2FScreenshot%202025-07-15%20at%2012.43.35%E2%80%AFPM.png?alt=media) * Timestamps (including `p_event_time`) shown in the event in both the [JSON event slide-out panel](#json-event-slide-out-panel) and the [`EVENT` column in the results table](#viewing-full-result-events) will still show in UTC.
Under a "Search" header, there is a filter chip and a results tab shown. A slide-out panel on the right side has a "Time" at the top, which is circled.
### Creating filter expressions A filter expression is a clause containing your [key/value search logic](#key-value-filter-expression), [free search terms](#free-text-filter-expression), or [match patterns](#regular-expression-regex-filter-expression). To create filter expressions, click the **Add search filter** bar or use the add filter expression [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions).
The Search tool is shown. The search bar, which has placeholder text of "Add search filter," is empty. It is circled.
#### Key/value filter expression With a key/value filter expression, you will select an event key and provide a value (if necessary).
In the Search bar is one filter expression. It reads "Emails has john.doe@email.com"
To create a key/value filter expression: 1. Click the **Add search filter** bar, or use the add filter expression [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). 2. Select an event key from the dropdown list. The dropdown menu contains options grouped into the following categories: * **Panther Fields**: Includes [Indicator Fields](https://docs.panther.com/panther-fields#indicator-fields) (also known as `p_any` fields), and [Core Fields](https://docs.panther.com/panther-fields#core-fields) (`p_udm` fields), which are useful when searching across log types.\ ![In the Search bar, a dropdown shows "Panther Fields" including Actor IDs, AWS Account IDs, and AWS ARNs](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-92973ad414aac62d997613d7163b77b19519e174%2FScreenshot%202023-09-07%20at%2012.59.31%20PM.png?alt=media) * **Multiple tables:** Fields that are found in more than one log type.\ ![In the Search bar, there is a dropdown showing "Multiple Tables" options, including apiVersion, kind, and level](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3c821429aa89e2ed691c505a3665b81d7677ed44%2FScreenshot%202023-09-07%20at%2012.59.13%20PM.png?alt=media) * All remaining tables with a matching field(s) are displayed in alphabetical order. 3. Select an operator (also known as a condition) from the dropdown menu. * The dropdown options will be limited to those applicable to the selected field's data type. * See a full list of available operators on [Search Filter Operators](https://docs.panther.com/search/search-tool/filter-operators). 4. Enter a value, if the selected operator requires one. * Learn more about using the [wildcard character below](#using-wildcards-in-filter-expressions). 5. If you would like to create another filter expression: * To create an `AND` filter, click outside the expression you just created (but within the same horizontal bar), or press `TAB`. * To create an `OR` filter, click **+ Add OR Condition**. 6. When you are ready to execute your search, click **Search** or press `ENTER`. * If there are more than two rows, they will collapse. To expand all filters into view, click **Show +n conditions**. {% hint style="info" %} You can also quickly [create key/value filter expressions from the results set](#how-to-create-an-inclusive-or-exclusive-filter-expression-from-results) of an initial search. {% endhint %} #### Free text filter expression In a free text filter expression, you will enter a string. {% hint style="info" %} Free text filter expressions may cause your search to take a long time to execute, as they search every field in every event (within the database, table, and date constraints), including fields nested in complex objects. To improve search performance while using a free text filter expression, [select a subset of tables](#table-filter) to search. {% endhint %} To create a free text filter expression: 1. Click the **Add search filter** bar, or use the add filter expression [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). 2. Enter the text value. * Learn more about using the [wildcard character below](#using-wildcards-in-filter-expressions). 3. If you would like to create another filter expression: * To create an `AND` filter, click outside the expression you just created (but within the same horizontal bar), or press `TAB`. * To create an `OR` filter, click **+ Add OR Condition**. 4. When you are ready to execute your search, click **Search** or press `ENTER`. * If there are more than two rows, they will collapse. To expand all filters into view, click **Show +n conditions**. #### Regular expression (regex) filter expression Using regex in Search can be powerful for dynamic text-based searches across logs. Search supports [POSIX-extended regular expressions](https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04).
A single filter expression is created in the Search bar. It reads ".*aws:.*admin.*"
To create a regex filter expression: 1. Click the **Add search filter** bar, or use the add filter expression [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). 2. To enter regex mode, use the regex [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). * To exit regex mode, you can repeat the same [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). 3. Enter the regular expression you wish to search, e.g., `.*aws:.*admin.*`. * Learn more about using the [wildcard character below](#using-wildcards-in-filter-expressions). 4. If you would like to create another filter expression: * To create an `AND` filter, click outside the expression you just created (but within the same horizontal bar), or press `TAB`. * To create an `OR` filter, click **+ Add OR Condition**. 5. When you are ready to execute your search, click **Search** or press `ENTER`. * If there are more than two rows, they will collapse. To expand all filters into view, click **Show +n conditions**. ### Using wildcards in filter expressions The wildcard character (`*`) may be used as a placeholder at the beginning, middle, or end of a string or expression. The wildcard character may be used within a [key/value filter expression](#key-value-filter-expression) (only where the key has `type: string` and the operator is `LIKE`), [free text filter expression](#free-text-filter-expression), or [regex filter expression](#regular-expression-regex-filter-expression). The position of the wildcard character determines which data is returned as a match: * Beginning: Any character(s) at or preceding the `*` are considered a match. * Middle: Any character(s) at the `*` are considered a match. * End: Any character(s) at or following the `*` are considered a match.
In the Search page in Panther are three conditions: "Log Type is not Windows.EventLogs", "Log Type like AWS*Flow", and "ACCE*". Below is a histogram, followed by a results table.
### Searching Indicators of Compromise {% hint style="warning" %} This functionality is not available when searching with [PantherFlow](https://docs.panther.com/pantherflow). {% endhint %} When responding to a public breach disclosure or threat hunting generally, you may need to quickly find out whether any values in a list of Indicators of Compromise (IoCs) are found across any of your organization's event logs. To search IoCs in Search: 1. Make [database, table, and date range filter](#using-database-table-and-date-range-filters) selections. 2. Click the **Add search filter** bar, or use the add filter expression [keyboard shortcut](#keyboard-shortcuts-for-filter-expressions). 3. Type or paste in the indicator or list of indicators. 4. From the dropdown options that appear, select the **(auto-detect)** option. * Search parses the inputted string where there are spaces, commas, and semicolons—then detects whether each value matches a [Panther Indictor Field](https://docs.panther.com/panther-fields#indicator-fields). For each detected indicator field, Search creates a [key/value filter expression](#key-value-filter-expression). Other values remain as [free text expressions](#free-text-filter-expression). * Each filter expression is joined by an `OR`. 5. Click **Search** or press `ENTER`. #### Video walkthrough {% embed url="" %} ### Keyboard shortcuts for filter expressions Use the keyboard shortcuts below when building filter expressions in Search:
ActionMacWindows/Linux
Add filter expression
Enter or exit regex mode		⌘/⌃/
Select all filters in the current group⌘A⌃A
Copy selected filters⌘C⌃C
Paste⌘V⌃V
Undo⌘Z⌃Z
Redo⇧⌘Z⇧⌃Z
Delete selected filters
### Using PantherFlow in Search {% hint style="info" %} PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} To execute a [PantherFlow](https://docs.panther.com/pantherflow) query in Search: 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**. 2. On the left side of the [database filter](#database-filter), click the PantherFlow mode toggle. * This will replace the filter expression builder with a natural language input field and PantherFlow code editor.
3. In the PantherFlow code editor, enter your query (or [use natural language to describe your query](#ai-powered-pantherflow-query-generation) in the text box above). * As you type a query, the [database, table, and date range filters](#using-database-table-and-date-range-filters) in the upper-right corner of the page are kept in sync with the PantherFlow query text. Learn more in [PantherFlow query text and filter syncing](#pantherflow-query-text-and-filter-syncing). * Learn how to construct a PantherFlow query in [the PantherFlow documentation](https://docs.panther.com/pantherflow). * Note the current [limitations of PantherFlow](https://docs.panther.com/pantherflow#limitations-of-pantherflow). 4. Click **Search**. #### PantherFlow query text and filter syncing {% hint style="info" %} PantherFlow query text and filter syncing is in open beta starting with Panther version 1.116, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} When you type a PantherFlow query or update the [database, table, and date range filters](#using-database-table-and-date-range-filters) values after entering a PantherFlow query, Panther will attempt to keep the query text and filter values in sync. {% hint style="info" %} If the PantherFlow query text and filters cannot be synced, the PantherFlow query text will take precedence, and the filter value(s) will be ignored. {% endhint %} Entering or updating a PantherFlow query prompts changes in the filter values: * Specifying a database or table in your PantherFlow query will trigger updates to the [database](#database-filter) and [table](#table-filter) filter values, respectively. * Specifying a date/time range (with a `| where p_event_time...` statement) in your PantherFlow query will trigger an update to the [date range filter](#date-range-filter). After entering a PantherFlow query, updating the [database, table, or date range filters](#using-database-table-and-date-range-filters) will prompt changes in the PantherFlow query text: * When you update a filter value and your PantherFlow query already specifies a corresponding value (e.g., you update the [date range filter](#date-range-filter) and your query already specifies a date/time range with a `| where p_event_time...` statement), that portion of the query will be updated to match the filter value. * When you update a filter value and the PantherFlow query does not already specify a corresponding value (e.g., you update the [database filter](#database-filter) and your query does not already specify a database), a new line will be inserted specifying the filter value. * Database and table changes will be represented in a new line at the top of the PantherFlow query. Date/time changes will be represented in a new line below the database/table statement. ### AI-powered PantherFlow query generation (beta) {% hint style="info" %} AI-powered PantherFlow query generation is in open beta starting with Panther version 1.118, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} In addition to writing PantherFlow queries yourself, you can use natural language to generate them with [Panther AI](https://docs.panther.com/ai). This means you can describe your search intent in plain language (with any language). For example, "Show failed logins in the last 24h from Okta System Log." While describing the query you want to generate, you can get data table name autocomplete suggestions with @ mentions. If you don't name specific data tables, Panther AI will automatically suggest relevant tables based on your description. To use AI-powered query generation: 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**. 2. On the left side of the [database filter](#database-filter), click the PantherFlow mode toggle. * This will replace the filter expression builder with a natural language input field and PantherFlow code editor.
3. In the text box above the PantherFlow editor, describe the search you'd like to perform. * Note the current [limitations of PantherFlow](https://docs.panther.com/pantherflow#limitations-of-pantherflow).
4. On the right-hand side of the text input box, click the arrow (Generate query).
5. Review the generated PantherFlow query, making any necessary changes, then click **Search**.
### Creating a Saved Search {% hint style="warning" %} While it's possible to create a Saved Search in Search, it's not possible to schedule it (i.e., to create a [Scheduled Search](https://docs.panther.com/search/scheduled-searches)). {% endhint %} Creating a Saved Search means you can quickly reuse commonly run searches. Learn more on [Saved and Scheduled Searches](https://docs.panther.com/search/scheduled-searches). To create a Saved Search: 1. Create a search by following the instructions in [How to use Search](#how-to-use-search). 2. Under the **Add search filter** box, click **Save As**.
The Search UI is shown, with one filter expression created ("kind is http"). Below the search bar, the "Save As" text is circled.
3. Enter values for the fields in the popup modal: * **Search Name**: Add a descriptive name. * **Tags** (optional): Add tags. Tags can be helpful to group related searches. * **Description** (optional): Describe the purpose of the search. 4. Click **Save Search**. * See the next section to learn how to open and reuse Saved Searches. ### Open and reuse a Saved Search in the Search tool After creating a Saved Search in the Search tool, you can view and reuse it. It can be opened from the Search page, or from the Saved Searches page. {% tabs %} {% tab title="Search page" %} **Open a Saved Search from the Search page:** 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**. 2. In the upper right corner, click the three dots icon, then **Open Saved Search**. * An **Open a Search** modal will pop up, displaying previously saved search. 3. Find the search you'd like to open, select it, then click **Open Search**. * The Saved Search will populate in Search. {% endtab %} {% tab title="Saved Searches page" %} **Open a Saved Search from the Saved Searches page:** 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Saved Searches**. 2. Find the search you'd like to open, utilizing the search bar and **Filters** at the top, if necessary. 3. In the top right corner of the search's tile, click the three dots icon. 4. Click **View in Search**. * You will be redirected to Search, where the Saved Search will populate. {% endtab %} {% endtabs %} ## Analyzing Search results The results of a Search contain a [histogram](#search-results-histogram), a [table of result events](#adding-removing-and-reordering-fields-in-the-results-table), and [summary visualizations](#search-results-summary-charts). ### Search results histogram The results histogram displays the distribution of events within the search's date and time window, to help quickly contextualize results.
A histogram is shown, depicting a number of bars spanning from JUN 05 20:08 to JUN 05 21:03.
After a search is run, the histogram is shown collapsed by default. You can expand it by clicking the diagonal arrows button in the upper-right corner of the chart. Clicking the button again will collapse the chart.
A histogram is shown. A double-sided arrow button in the upper-right corner, with the tooltip "Expand," is circled.
#### Interacting with the histogram To see additional data insights into the counts by log type for any of the time periods, hover over a bar within the chart.
A rectangle has the text, "Wednesday 05 June 2024, 15:00 (UTC)." Then, below, "AWS.CloudTrail" and "Panther.Audit."
To drill down and create a new search (in a new browser tab) with a time period set to that of one of the histogram bars, click the bar. {% hint style="info" %} This drill down functionality is only available for bars in the table that represent timeframes longer than one minute. {% endhint %} ### Adding, removing, and reordering fields in the results table You can customize a search's results table by [adding](#how-to-add-a-column-in-the-search-results-table), [removing](#how-to-remove-a-column-in-the-search-results-table), and [reordering](#how-to-reorder-columns-in-the-search-results-table) columns. You can also [create a new filter directly from the results table](#how-to-create-an-inclusive-or-exclusive-filter-expression-from-results), [replace filter expressions with a results table value](#how-to-replace-filter-expressions-with-a-value-from-results), and [explore enrichment data for a results table value](#how-to-explore-enrichment-data-for-a-value-from-results). #### How to add a column in the Search results table You can add a column to the Search results table using the [**Available Fields** list](#add-a-column-to-the-search-results-table-from-the-available-fields-list) on the left-hand side of the table, or from the [JSON event view](#add-a-column-to-the-search-results-table-from-the-json-event-view). It is only possible to add *nested* fields to the table from the [JSON event view](#add-a-column-to-the-search-results-table-from-the-json-event-view). {% tabs %} {% tab title="Available Fields list" %} **Add a column to the Search results table from the Available Fields list** 1. In the field list on the left-hand side of the results table, within the **Available Fields** header, locate the column you'd like to add to the results table.
A list of event fields is displayed underneath an "Available Fields" header.
* Only top-level fields are shown in this list. If you'd like to add a nested field to the table, you can do so from the [JSON event view](#add-a-column-to-the-search-results-table-from-the-json-event-view). 2. To the right of the field, click **+** (the plus symbol). * The field will be added as a column in the results table, and listed on the left-hand side of the table within **Selected Fields**. {% endtab %} {% tab title="JSON event view" %} **Add a column to the Search results table from the JSON event view** 1. In the results table, click on a row to open the JSON event view slide-out panel. 2. Locate the field you'd like to add to the results table. 3. While hovering over the field, click **+** (the plus symbol).\ ![The JSON event view of a log is shown. To the right of one field, the plus button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-8cbfe6d5466977a8a2e5bed21500522dee57823f%2FScreenshot%202023-09-12%20at%203.15.23%20PM.png?alt=media) * The field will be added as a column in the results table, and listed on the left-hand side of the table within **Selected Fields**. {% endtab %} {% endtabs %} #### How to remove a column in the Search results table You can remove a column from the Search results table using the [**Selected Fields** list](#remove-a-column-from-the-search-results-table-from-the-selected-fields-list) on the left-hand side of the table, from the [JSON event view](#remove-a-column-from-the-search-results-table-from-the-json-event-view), or from the [table header row](#remove-a-column-from-the-search-results-table-from-the-header-row). {% tabs %} {% tab title="Selected Fields list" %} **Remove a column from the Search results table from the Selected Fields list** 1. In the field list on the left-hand side of the results table, within the **Selected Fields** header, locate the field you'd like to remove from the results table. 2. To the right of the field, click **-** (the minus symbol).
Under the "Selected Fields" header, there are log fields. To the right of "PantherAudit.actionName" the minus button is hovered over. Its tooltip reads, "Remove column"
* The field's column will be removed from the results table, and listed on the left-hand side of the table within **Available Fields**. {% endtab %} {% tab title="JSON event view" %} **Remove a column from the Search results table from the JSON event view** 1. In the results table, click on a row to open the JSON event view slide-out panel. 2. Locate the field you'd like to remove from the results table. 3. While hovering over the field, click **-** (the minus symbol).\ ![The JSON event view of a log is shown. To the right of one field, the minus button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-511c44abbecb604c180d78344d8ddf734c860ff7%2FScreenshot%202023-09-12%20at%203.45.23%20PM.png?alt=media) * The field's column will be removed from the results table, and listed on the left-hand side of the table within **Available Fields**. {% endtab %} {% tab title="Table header row" %} **Remove a column from the Search results table from the header row** 1. In the results table, hover over the header of the column you'd like to remove. 2. On the right side of the column header, click **X**.\ ![A header reading "GitHubAudit.config.content\_type" is shown, and the "X" to its right is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4ee9b0c8d055bdd280c8e1f99dfd709df2f6401f%2FScreenshot%202023-09-12%20at%203.48.26%20PM.png?alt=media) * The field's column will be removed from the results table, and listed on the left-hand side of the table within **Available Fields**. {% endtab %} {% endtabs %} #### How to reorder columns in the Search results table * Reorder the columns in the results table by clicking on a column header and dragging it to the desired position. ### Viewing full result events The results table is loaded, by default, in a compact view. This view displays all log fields, including the often sizable `EVENT` field, in a single row. To view the `EVENT` value in this view, scroll horizontally. To more easily view the full event data, you can use [detailed table view](#detailed-results-table-view) or the [JSON event slide-out panel](#json-event-slide-out-panel). An added benefit of using the slide-out panel is the ability to show or hide [Panther fields](https://docs.panther.com/search/panther-fields). #### Detailed results table view The results table can alternatively display logs in a detailed view. This view displays the `EVENT` field value in a new row below the event's other fields, with text-wrapping.
A tooltip of a button below a histogram (and at the top of the results table) reads "Detailed view." A full event in the results table has been circled.
To enable detailed view, click the toggle button in the upper-right corner of the table:
Below a histogram (and at the top of the results table), a button's tooltip reads, "Compact view."
#### JSON event slide-out panel It's possible to view the full event data, in JSON format, by clicking an event row. This will open a slide-out panel on the right side of the browser window. In the JSON event view, [Panther fields](https://docs.panther.com/search/panther-fields) are displayed at the top of the JSON object followed by the event fields. You can hide or reveal these fields by clicking the **Show Panther fields** toggle.
In Search, the event JSON slide-out panel is shown. Above the event JSON, a "Show Panther fields" toggle, set to ON, is circled.
Hovering over fields in the slide-out panel will display icons with which you can perform additional actions, like adding a filter. Learn more in [Iterating on a Search](#iterating-on-a-search). ### Search results summary charts Within the results of a Search, the **Visualizations** tab displays bar charts for field values, which can help provide quick insights into your data. To view these charts, click **Visualizations**.
A "Visualizations" tab is circled. Two bar charts are shown, titled "Log Type" and "Destination Bytes."
You can also [create a filter directly from a summary chart](#how-to-create-an-inclusive-or-exclusive-filter-expression-from-results), [replace filters with a value from a summary chart](#how-to-replace-filter-expressions-with-a-value-from-results), and [explore enrichment data for a summary chart value](#how-to-explore-enrichment-data-for-a-value-from-results). **How to add or remove summary charts** Add or remove visualizations for event fields using the **Available Fields** and **Selected Fields** lists on the left-hand side of the results panel. Adding or removing a field shows or hides the field both as a chart and as a column in the results table. To add a visualization: * Within the **Available Fields** list, to the right of a field's name, click **+**.
Under an "Available Fields" header is a "Panther Fields" header, then a field called "Destination ARNs." To its right is a plus sign that's been hovered over; its tooltip reads "Add as column."
To remove a visualization: * Within the **Selected Fields** list, to the right of a field's name, click **–**.
Under a "Selected Fields" header are three fields: "Log Type," "Destination Bytes," and "Destination IP." To their right is a minus sign, one has been hovered over; its tooltip reads "Remove column."
**How to set the sort order of a chart** To sort results in ascending order (lowest to highest): * In the upper-right corner of a visualization, click the icon with an arrow pointing downward:
An icon with an arrow pointing downward has been hovered over, its tooltip reads, "Sort Ascending"
To sort results in descending order (highest to lowest): * In the upper-right corner of a visualization, click the icon with an arrow pointing upward:
An icon with an arrow pointing downward has been hovered over, its tooltip reads, "Sort Descending"
**How to expand or condense the number of values shown in a chart** * To view the first 25 values in a visualization, in its lower-right corner, click **Show Top 25**. If there are fewer than 25 values available, the text will read **Show all \ rows** instead. To view only the first five values in a visualization, in its lower-right corner, click **Hide additional rows**. ### Panther AI Search results summary {% hint style="info" %} AI event summaries in Search are in open beta starting with Panther version 1.113, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} {% hint style="info" %} Use of Panther AI features is subject to the [AI disclaimer found on the Legal page](https://docs.panther.com/resources/help/legal#ai-disclaimer). {% endhint %} After running a search that generates results, you can view a [Panther AI](https://docs.panther.com/ai)-generated summary of the result events. [Watch a full video demonstration of AI Search results summarization here](https://docs.panther.com/ai/examples#search-results-ai-summarization). AI event summaries are likely to describe the action(s) the log(s) represent, which may include identifying actors, naming resources accessed, making an evaluation of the security risk posed, connecting actions to MITRE ATT\&CK tactics, and more. Learn more about Panther AI, including how to [configure AI response length](https://docs.panther.com/ai#ai-prompt-settings) and manage AI responses, on [Panther AI](https://docs.panther.com/ai) and [Managing Panther AI Response History](https://docs.panther.com/ai/managing-ai-response-history). To view an AI-generated summary for the events visible in the results table: 1. After running a search, in the upper-right corner of the results table, click **View AI Summary**.
On a page titled "Search" a "View AI Summary" button is circled.
* In the slide-out panel, see the summary generated by Panther AI. * The events summarized are the events loaded into view in the results table—by default, this is 25 events. If you scroll to the end of the results table and load more events, then click **View AI Summary**, a higher number of events will be summarized.
A slide-out panel titled "ALB Reconnaissance Analysis" is circled. It has "Summary" and "Key Findings" sections, as well as a chart titled "Request Status Distribution."
2. (Optional) In the prompt box at the top of the slide-out panel, ask follow-up questions or direct Panther AI to take some action. These prompts and their responses are preserved in the [AI response history](https://docs.panther.com/ai/managing-ai-response-history). For example: * `Who is this user?` * `Create a Panther detection from this activity.` * Asking Panther AI to create a detection typically yields the best result when the [response length](https://docs.panther.com/ai#response-length) setting is **Long**. * [Watch a full video demonstration of detection creation following AI Search results summarization here](https://docs.panther.com/ai/examples#detection-writing-from-search-results). * `Run a search to see if this user generated any CloudTrail logs today.`
A text box with the prompt "Ask a question about the data, rewrite the prompt, etc." is circled.
## Iterating on a Search Directly from the JSON event slide-out panel and summary charts, you can [create inclusive/exclusive filters](#how-to-create-an-inclusive-or-exclusive-filter-expression-from-results), [replace filter expressions with a results value](#how-to-replace-filter-expressions-with-a-value-from-results), and [explore enrichment data](#how-to-explore-enrichment-data-for-a-value-from-results). ### How to create an inclusive or exclusive filter expression from results {% tabs %} {% tab title="Slide-out panel" %} **How to create a filter expression from the JSON event slide-out panel** 1. In the results table, locate the event row of interest, and click it. * The JSON event slide-out panel will be shown. 2. In the JSON event slide-out panel, hover over the value you'd like to create an inclusive or exclusive filter expression for.\ ![In the JSON event slide out panel, a field has been hovered over, and the tooltip of a button that has appeared reads, "Filter by value."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-1b5953c21bb810fc7c51b5852be23fa255c055c7%2Fimage.png?alt=media) * To create an inclusive filter, click A filter icon with a plus sign.. * To create an exclusive filter, click A filter icon with a minus sign.. 3. View the new filter expression in the search bar at the top of the window. 4. To refresh the search results, click **Search**. {% endtab %} {% tab title="Results summary chart" %} **How to create a filter expression from a summary chart** * Within a summary chart, hover over a row value.
Next to an IP address are two filter icons. One has a tooltip reading "Filter out value"
* To create an inclusive filter, click A filter icon with a plus sign.. * To create an exclusive filter, click A filter icon with a minus sign.. {% endtab %} {% endtabs %} ### How to replace filter expressions with a value from results {% tabs %} {% tab title="Slide-out panel" %} **How to replace filter expressions with a value from the results table** 1. In the results table, locate the event row of interest, and click it. * The JSON event slide-out panel will be shown. 2. In the JSON event slide-out panel, hover over the field on which you'd like to pivot. ![In the JSON event slide out panel, a field has been hovered over, and the tooltip of a button that has appeared reads, "Replace filters with value."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0c34626d422f93ad9360014d529cf70a749655d6%2Fimage.png?alt=media) 3. Click the replace icon A magnifying glass icon. * All existing filters are replaced with a filter expression representing only the key/value you pivoted on. 4. To refresh the search results, click **Search**. {% endtab %} {% tab title="Results summary chart" %} **How to replace filter expressions with a value from summary charts** 1. Within a summary chart, hover over the value you would like to replace filter expression values with.\ ![The Summary tab shows a chart for Log Type. Panther.Audit has been hovered over, and several icons are visible, including a magnifying glass.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d0c29295f126598ea6114a479c47be486fb84d49%2FScreenshot%202024-01-22%20at%203.34.13%20PM.png?alt=media) 2. Click the replace icon A magnifying glass icon. * All existing filters are replaced with a filter expression representing only the key/value you pivoted on. 3. To refresh the search results, click **Search**. {% endtab %} {% endtabs %} ### How to explore enrichment data for a value from results {% tabs %} {% tab title="Slide-out panel" %} **How to explore enrichment data for a value from the JSON event slide-out panel** 1. In the results table, locate the event row of interest, and click it. * The JSON event slide-out panel will be shown. 2. In the JSON event slide-out panel, hover over the value you'd like to explore [enrichment data](https://docs.panther.com/enrichment) for.\ ![The p\_any\_ip\_addresses field is shown, and next two one of its values is a series of icons. The table icon is hovered over.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d3baeb8a4a06176102a8e60e0506f71cd6826315%2FScreenshot%202024-01-22%20at%203.54.15%20PM.png?alt=media) 3. Click the enrichment icon A small database table icon. 4. In the **Lookup Enrichment** pop-up modal, use the **`LOOKUP TABLE`** column to locate the row of the enrichment source you would like to explore, then click **`View JSON→`**.\ ![The Lookup Enrichment modal has two rows, with differing Lookup Table values. The first row's "View JSON" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-7e570aef31794a5c1a8f9d3adfd0d7f655641c22%2FScreenshot%202024-01-22%20at%204.35.33%20PM.png?alt=media) * The enrichment entry will be shown.\ ![The Lookup Enrichment modal shows an ipinfo\_asn entry in JSON.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a166dd2ca38ee4fb7638f5c880e51f0eb4a042d3%2FScreenshot%202024-01-22%20at%204.37.08%20PM.png?alt=media) {% endtab %} {% tab title="Results summary chart" %} **How to explore enrichment data for a value from a summary chart** 1. Within a summary chart, hover over a value for which you would like to explore [enrichment data](https://docs.panther.com/enrichment).\ ![A summary chart for the IP Addresses field is shown, and next two one of its values is a series of icons. The table icon is hovered over.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-18e265e8a395fd23085fd595ca81e74ba85546bc%2FScreenshot%202024-01-22%20at%203.59.47%20PM.png?alt=media) 2. Click the enrichment icon A small database table icon. 3. In the **Lookup Enrichment** pop-up modal, use the **`LOOKUP TABLE`** column to locate the row of the enrichment source you would like to explore, then click **`View JSON→`**.\ ![The Lookup Enrichment modal has two rows, with differing Lookup Table values. The first row's "View JSON" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-7e570aef31794a5c1a8f9d3adfd0d7f655641c22%2FScreenshot%202024-01-22%20at%204.35.33%20PM.png?alt=media) * The enrichment entry will be shown.\ ![The Lookup Enrichment modal shows an ipinfo\_asn entry in JSON.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a166dd2ca38ee4fb7638f5c880e51f0eb4a042d3%2FScreenshot%202024-01-22%20at%204.37.08%20PM.png?alt=media) {% endtab %} {% endtabs %} ## Sharing a Search While investigating or threat hunting, it may be useful to share a Search or a results set with your team. To do this: 1. In the upper-right corner of the results table, click **Share**:
The results table is shown. In the upper-right corner, the Share button's menu is open, displaying two options: Copy link to view and Download CSV. This button and its options are circled.
2. Select one of the menu options: * **Copy link to view**: Copies a URL to this specific Search to your clipboard. * (If there are 1000 results or fewer) **Download CSV**: Downloads a CSV of the results table. * (If there are more than 1000 results) **Generate CSV**: Panther begins creating a CSV file of results (up to 1 GB) asynchronously, noted by a pop-up in the lower-left corner of your Panther Console:\ ![A slide-in notification displays the text: "Generating CSV... this may take some time. You will be notified in app when the file is ready"](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-04cef410a664a0788be427f098861b3d398aee18%2FScreenshot%202025-07-07%20at%205.36.16%E2%80%AFPM.png?alt=media) * When Panther has finished generating the CSV and it is ready to be downloaded, you will receive a [notification](https://docs.panther.com/system-configuration/notifications). To access the CSV, do one of the following: * On the pop-up notification in the lower-left corner of your Panther Console, click **Download CSV**.\ ![A notification has a circled "Download CSV" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a048907e04520ae45335d457f4a38ecbd7944c35%2FScreenshot%202025-07-07%20at%205.37.02%E2%80%AFPM.png?alt=media) * On the **CSV Download Ready** notification in your [notifications list](https://docs.panther.com/system-configuration/notifications#viewing-notifications), click **Download CSV**. This download link expires after 12 hours—after that time, you can click the Search link in the notification to navigate back to your query, then regenerate the CSV. ![Under a "Notifications" header, a "Download CSV" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9502c65f3dfbddd75e768249d93cc532f2b4ca30%2FScreenshot%202025-07-07%20at%205.37.32%E2%80%AFPM.png?alt=media)