Analyzing Data
Use the search bar above or navigate the categories below to find articles about Data Analysis.
For setup instructions, check out the Panther documentation on Data Analytics.
- Data Explorer
- Adding Snowflake views to the PANTHER* databases
- Best practices for faster querying of data in Panther
- Can I query the panther kv store table through Data Explorer in the Panther Console?
- Can I search my log data in Panther without using SQL?
- Can I use Panther Data Model fields in my queries?
- Can I view the raw, expanded SQL from my scheduled and ad-hoc queries in Panther?
- Can we query Snowflake directly or only through Panther?
- Does Panther store the alert title for detections in Snowflake?
- Does Panther support querying if an IP belongs in a CIDR?
- Does the `p_occurs` macro use `p_parse_time` in the Panther Data Explorer?
- How can I export data from my Panther Console?
- How can I find a record of all logins to Okta for a specific user in Panther?
- How can I find the total number of Panther alerts sent over a certain period of time?
- How can I obtain the aggregate size of ingested events in Panther?
- How can I perform a case-insensitive search in the p_any_emails array in Panther?
- How can I query for a nested JSON object's attribute in Panther?
- How can I query my Panther Audit logs in the Data Explorer?
- How does the "contains" method work when querying data in Panther?
- How do I correlate user activity across multiple alerts in Panther?
- How do I download the contents of the Summarize tab in the Panther Data Explorer?
- How do I do SQL wildcard searching on the contents of an array in Panther?
- How do I export a list of non-compliant AWS resources into a CSV file in Panther?
- How to identify the source of a log in Panther
- Is there a benefit to writing pure Snowql queries instead of relying on a translation layer (standard SQL) in Panther?
- I get the error "SQL compilation error: ambiguous column name 'P_EVENT_TIME'" in my Panther Console when using INNER JOIN in Data Explorer
- My CSV of Data Explorer results from Panther contains unnecessary double quotes
- My query using p_event_time in Panther runs slowly
- Panther is missing column(s) when querying the data lake
- Panther p_occurs_between returns "Your query did not return any results"
- Queries are running slowly when using TO_OBJECT in Data Explorer
- Should I add a conditional for variant type variables in Panther?
- The "url" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer
- The p_any_usernames column is not populated in Panther's Data Explorer with an "int" type user_id
- What does the query error "maximum row size exceeded" mean in Panther?
- What formats can I use for timestamps in my SQL queries in Panther?
- What is the best way to query for all NULL or non-NULL values in the Panther data lake?
- What is the difference between shared views and non-shared views in the Panther Data Explorer?
- What is the purpose of the _current and _001, _002 suffixes in Panther's rule_matches tables?
- What timezone is the timestamp data in the Panther Data Explorer?
- Why am I getting the Data Explorer error "Multiple SQL statements are not allowed, please only use one SQL statement" in the Panther Console?
- Why does my ingested event name field contain the word "slash" instead of the "/" in link names in Panther?
- Why does running a query in Panther Data Explorer cause my page to crash or become unresponsive?
- Why do I get an "invalid identifier" SQL compilation error when querying for a p_any field?
- Why do I get NULL results when querying fields under the payload column in the classification_failures table in Panther?
- Why do I see everything under a single Data column when querying directly in Snowflake rather than in Panther?
- Why is there a trailing white space in my p_source_label field in my Data Explorer results in Panther?
- With a Customer-configured Snowflake deployment, can I query other non-Panther databases?
- Scheduled Queries
- Can I add multiple cron schedules per scheduled rule/scheduled query?
- Can I create scheduled queries in Panther that run against baseline metrics to find anomalies?
- Can I have a Saved Search in Panther with a JSON selector in it?
- Can I use a stored procedure (`CALL`) in a Scheduled Query in Panther?
- Does Panther support using SET snowflake variables in a Saved/Scheduled Query?
- Error "Column name or alias contains characters not allowed" when trying to write a scheduled query in Panther
- How can I find scheduled queries not associated with rules in the Panther Console?
- How can I search p_any_ip_addresses for one or more of a set of IP addresses in Panther?
- How can I view the results of a previously-run search query in Panther?
- How do I create a Panther alert or scheduled query based on baseline metrics?
- How do I resolve "FailedQuery error: could not query sqlite file for column info for ...: database is locked" when running a Scheduled Query in Panther?
- How do I resolve a "behind schedule" System Error for scheduled query in Panther?
- How do scheduled rules with multiple associated scheduled queries work in Panther?
- How to resolve "Bulk upload failed to update a saved query" error in Panther
- How to resolve Panther query error: failed to connect to Snowflake with user credentials...
- Is it possible to populate a Lookup Table based on the results of a saved query?
- Is it possible to upload Saved Queries using Panther Analysis Tool?
- Scheduled queries appear as updated by Panther (Deactivated) in my Panther Console
- What AnalysisType can I use for non-scheduled queries that I upload via PAT?
- What happens to pre-existing scheduled queries onboarded via CI/CD if I enable the LIMIT clause in the Panther Console?
- What timezone are Panther Scheduled Query cron expressions in?
- Why do I get a FailedQuery error on my Scheduled Query saying that the table does not exist?
- Why do I get FailedQuery('status: cancelled error: timeout') when running my Scheduled Query in Panther?
- Why do I see "sql variable pStartTimeVar was set but not used; sql variable pEndTimeVar was set but not used" in the Panther Console?
- Search
- Exporting data from Panther's new Search page yields incomplete data
- How can I perform a regex search in Panther's Search?
- How can I search for a common indicator across multiple log types in Panther?
- How can I set up a site search shortcut in my browser to quickly access Panther's Search tool?
- How do I investigate hits on a known bad IP address in Panther?
- Is there a way to search for resource ARN details in the Panther Console’s Investigate Resource page?
- Why am I not seeing results in Search in Panther?
- Why is the Indicator Search missing in my Panther Console?