Analyzing Data
Use the search bar above or navigate the categories below to find articles about Data Analysis.
For setup instructions, check out the Panther documentation on Data Analytics.
- Data Explorer
  - Adding Snowflake views to the PANTHER* databases
  - As a BYOSF customer, can I query other non-Panther databases?
  - Best practices for faster querying of data in Panther
  - Can I query the panther kv store table through Data Explorer in the Panther Console?
  - Can I search my log data in Panther without using SQL?
  - Can I use Panther Data Model fields in my queries?
  - Can I view the raw, expanded SQL from my scheduled and ad-hoc queries in Panther?
  - Can we query Snowflake directly or only through Panther?
  - CrowdStrike TargetProcessId value is incorrect in Panther's Data Explorer
  - Does Panther support querying whether an IP belongs to a CIDR range?
  - How can I find a record of all logins to Okta for a specific user in Panther?
  - How can I obtain the aggregate size of ingested events in Panther?
  - How can I query for a nested JSON object's attribute in Panther?
  - How does the "contains" method work when querying data in Panther?
  - How do I correlate user activity across multiple alerts in Panther?
  - How do I download the contents of the Summarize tab in the Panther Data Explorer?
  - How do I do SQL wildcard searching on the contents of an array in Panther?
  - How to identify the source of a log in Panther
  - Is there a benefit to writing pure Snowql queries instead of relying on a translation layer (standard SQL) in Panther?
  - I get the error "SQL compilation error: ambiguous column name 'P_EVENT_TIME'" in my Panther Console when using INNER JOIN in Data Explorer
  - My CSV of Data Explorer results from Panther contains unnecessary double quotes
  - My Panther Data Explorer query to list cloud resource IDs is missing resources
  - My query using p_event_time in Panther runs slowly
  - Panther p_occurs_between returns "Your query did not return any results"
  - Queries are running slowly when using TO_OBJECT in Data Explorer
  - Should I add a conditional for variant type variables in Panther?
  - The "ur" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer
  - The p_any_usernames column is not populated in Panther's Data Explorer with an "int" type user_id
  - What does the query error "maximum row size exceeded" mean in Panther?
  - What formats can I use for timestamps in my SQL queries in Panther?
  - What is the best way to query for all NULL or non-NULL values in the Panther data lake?
  - What is the purpose of the _current and _001, _002 suffixes in Panther's rule_matches tables?
  - Why am I getting the Data Explorer error "Multiple SQL statements are not allowed, please only use one SQL statement" in the Panther Console?
  - Why does my ingested event name field contain the word "slash" instead of the "/" in link names in Panther?
  - Why does running specific queries in Panther Data Explorer cause my browser page to crash/become unresponsive?
  - Why do I get an "invalid identifier" SQL compilation error when querying for a p_any field?
  - Why do I get NULL results when querying fields under the payload column in the classification_failures table in Panther?
  - Why do I see everything under a single Data column when querying directly in Snowflake rather than in Panther?
  - Why might Data Explorer in Panther crash or freeze when running a query?
- Indicator Search
  - How can I set up a site search shortcut in my browser to quickly access Panther's Indicator Search?
  - How do I investigate hits on a known bad IP address in Panther?
  - Indicator Search does not show results for Custom Log values
  - Panther Indicator Search fails to display same results when switching to Data Explorer
  - The Indicator Search in my Panther Console throws a "does not exist or not authorized" SQL compilation error for a "_VARIANT" suffix table
  - Why am I not seeing results in the Indicator Search in Panther?
- Scheduled Queries
  - Can I add multiple cron schedules per scheduled rule/scheduled query?
  - Can I create scheduled queries in Panther that run against baseline metrics to find anomalies?
  - Can I have a Saved Query in Panther with a JSON selector in it?
  - Can I use a stored procedure (`CALL`) in a Scheduled Query in Panther?
  - Error "Column name or alias contains characters not allowed" when trying to write a scheduled query in Panther
  - How can I find scheduled queries not associated with rules in the Panther Console?
  - How do I create a Panther alert or scheduled query based on baseline metrics?
  - How do scheduled rules with multiple associated scheduled queries work in Panther?
  - How to resolve "Bulk upload failed to update a saved query" error in Panther
  - Is it possible to populate a Lookup Table based on the results of a saved query?
  - Is it possible to upload Saved Queries using Panther Analysis Tool?
  - What AnalysisType can I use for non-scheduled queries that I upload via PAT?
  - What happens to pre-existing scheduled queries onboarded via CI/CD if I enable the LIMIT clause in the Panther Console?
  - What timezone are Panther Scheduled Query cron expressions in?
  - Why do I get a FailedQuery error on my Scheduled Query saying that the table does not exist?
  - Why do I get FailedQuery('status: cancelled error: timeout') when running my Scheduled Query in Panther?