# PantherFlow Example Queries

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Overview

See additional PantherFlow query examples on [Saved and Scheduled Searches](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/scheduled-searches).

## `panther_audit` query examples

Query the `panther_logs.public.panther_audit` table:

```
panther_logs.public.panther_audit
```

Return up to 10 results:

```
panther_logs.public.panther_audit
| limit 10
```

Sort by `p_event_time`:

```
panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10
```

Filter on the last 24 hours:

```
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10
```

Filter on events after a specific timestamp:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10
```

Filter on a nested field (using dot notation):

```
panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"
```

Filter on a nested field (using bracket notation):

```
panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"
```

Check that a deeply nested value within an array exists (i.e., is not null):

```
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
```

Count events after a specific timestamp:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
```

Count successful events by action name (the `actionResult == "SUCCEEDED"` filter excludes failed attempts):

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
```

Only show rare actions (action names that succeeded fewer than 5 times since the cutoff), rarest first:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
```
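The queries above can be composed into a single hunt. The following is an added example and is not part of the Panther documentation: it groups failed audit actions by actor and action name over the last 24 hours, so a single actor repeatedly failing the same action stands out. It assumes that `summarize ... by` accepts more than one grouping field (including a nested field such as `actor.name`), that `actionResult` is `"FAILED"` for failed actions, and that `//` begins a comment; none of these are confirmed by this page.

```pantherflow
// Added example, not from the Panther docs.
// Assumptions: summarize accepts multiple grouping fields (including nested actor.name),
// and actionResult == "FAILED" marks a failed action.
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d and actionResult == "FAILED"
| summarize num_failures=agg.count() by actor.name, actionName
| where num_failures >= 5
| sort num_failures desc
| limit 20
```

Lower the `num_failures` threshold or widen the time window to tune the sensitivity; pairing this with the rare-actions query above (successful actions seen fewer than 5 times) covers both repeated failures and unusual successes from the same audit table.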
