How does the "contains" method work when querying data in Panther?
QUESTION
How do I use the contains method when querying data in Data Explorer in my Panther Console? What's the difference between Athena's and Snowflake's contains methods?
ANSWER
Athena's contains(array, value) returns true only when some element of the array is exactly equal to the value you pass. Snowflake's CONTAINS(string, substring) is a plain substring test on strings: to use it on an array column such as p_any_ip_addresses you first cast the array to text, and the match is then partial ('1.2' matches '1.2.3.4', but also '11.2.0.1' and '10.1.2.3'). Snowflake's ARRAY_CONTAINS(value, array) is the equivalent of Athena's contains and requires an exact element match. For IP or host indicators, use the exact-match form; reach for the substring form only when you deliberately want a prefix or partial search and are prepared to filter the extra hits.
Examples
Athena contains method:
SELECT
*
FROM
panther_logs.okta_systemlog
WHERE
contains(p_any_ip_addresses, '1.2.3.4')
LIMIT 10
Snowflake contains method:
CONTAINS( <expr1> , <expr2> ), where <expr1> is the string to search in and <expr2> is the string to search for. The ::varchar cast below serializes the whole array to its JSON text, so the search runs over that text rather than over individual elements:
SELECT * FROM panther_logs.public.okta_systemlog WHERE contains(p_any_ip_addresses::varchar, '1.2') LIMIT 10;
Snowflake array_contains method (the first argument is cast to VARIANT so it can be compared against the array's elements; the second argument must be an ARRAY column or expression):
SELECT * FROM panther_logs.public.okta_systemlog WHERE array_contains('1.2.3.4'::variant, p_any_ip_addresses) LIMIT 10;
Similarly for int values in the array_contains method:
SELECT * FROM panther_logs.public.okta_systemlog WHERE array_contains(7022::int, securityContext:asNumber) LIMIT 10;
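The following Snowflake query is an added example, not part of the original Panther article, that puts the three behaviors side by side on a small constructed table standing in for okta_systemlog (the table name sample_events and its rows are made up for the demonstration). It also shows how to do an intentional prefix search on a /24 without the false positives that the plain substring form produces:

```sql
-- Added example (Snowflake SQL); sample_events and its rows are constructed
-- here so the query runs without a Panther data lake.
WITH sample_events(event_id, p_any_ip_addresses) AS (
  SELECT 1, ARRAY_CONSTRUCT('1.2.3.4', '10.0.0.1') UNION ALL  -- the IP we want
  SELECT 2, ARRAY_CONSTRUCT('11.2.3.4')            UNION ALL  -- different host, same digits inside
  SELECT 3, ARRAY_CONSTRUCT('1.2.3.45')            UNION ALL  -- different host, same prefix
  SELECT 4, ARRAY_CONSTRUCT('1.2.3.200')                      -- same /24, no shared digits
)
SELECT
  event_id,
  -- What CONTAINS actually sees: the array serialized as JSON text.
  p_any_ip_addresses::varchar                              AS ip_json,
  -- Substring test over the serialized array: matches any row whose text
  -- happens to contain the characters 1.2.3.4 anywhere.
  CONTAINS(p_any_ip_addresses::varchar, '1.2.3.4')         AS substring_match,
  -- Element-level exact match: the equivalent of Athena's contains().
  ARRAY_CONTAINS('1.2.3.4'::variant, p_any_ip_addresses)   AS exact_match,
  -- Deliberate prefix search: join the elements with a delimiter and anchor
  -- the pattern to element boundaries so '11.2.3.4' cannot match '1.2.3.'.
  REGEXP_LIKE(
    ARRAY_TO_STRING(p_any_ip_addresses, ','),
    '.*(^|,)1\\.2\\.3\\.[0-9]{1,3}(,|$).*'
  )                                                        AS subnet_match
FROM sample_events
ORDER BY event_id;
```

Run as written, substring_match is true for events 1, 2 and 3 (the text of '11.2.3.4' and '1.2.3.45' both contain '1.2.3.4'), exact_match is true only for event 1, and subnet_match is true for events 1, 3 and 4, which is the set a /24 search should return. Against the real okta_systemlog table, drop the CTE and use the same three expressions in a WHERE clause. The Athena counterpart of the prefix search, on an engine version that supports lambda expressions, is cardinality(filter(p_any_ip_addresses, x -> x LIKE '1.2.3.%')) > 0, which likewise tests each element rather than the serialized text.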