PantherFlow Quick Reference
Overview of PantherFlow functionality
Statements
PantherFlow queries are made up of one or more statements. There are two types of statements:
Tabular expression statement: Identifies a data source and can include operators separated by pipes
Let statement: Assigns a tabular expression statement to a variable
Operators
<from>
Get data from table
table1
Use provided test data
datatable [{"foo":"bar"}]
Add a new field
T | extend foo=bar
Join with another table
T | join kind:inner dest=(foo) on $left.id == $right.id
Limit the number of rows
T | limit 10
Show only certain fields
T | project foo, bar
Sort
T | sort time
Text search for a value
T | search 'foo'
Aggregate
T | summarize agg.count() by foo
Query multiple tables
T | union table1, table2
Generate chart
T | visualize line
Filter
T | where foo == bar
Data types
1, -1
1.0, -1.0
'foo', "foo"
true, false
time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')
15s, 2d, time.parse_timespan('1d')
{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)
[A, B, C], array('apple', 'orange')
tableName
columnName
null
Expressions
References
Comparisons
Equality:
==,!=Boolean:
and,or,notNumerical:
<,<=,>,>=,+,-,*,/,%Arrays:
in,not inBetween:
between,not between
Functions
Aggregations
Date/time
Strings
Arrays
Math
Control flow
Data types
Other
Comments
Write a comment with two slashes:
Last updated
Was this helpful?