Control Flow Functions

PantherFlow control flow functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

`case()`

case(condition1: bool, value1: any [, condition2: bool, value2: any, ... ] [, else: any]) -> any

Returns the first value for which the corresponding condition is true. If no condition is true, returns null.

Example:

panther_logs.public.aws_alb
| extend avg=toscalar(panther_logs.public.aws_alb | summarize agg.avg(receivedBytes) by clientIp)
| project bytesSize=case(receivedBytes > avg, "larger", receivedBytes < avg, "smaller", "same")

PreviousMath Functions NextRegular Expression Functions

Last updated 2 months ago

Was this helpful?