How does the "contains" method work when querying data in Panther?
QUESTION
How do I use the contains method when querying data in Data Explorer in my Panther Console? What's the difference between Athena and Snowflake's contains method?
ANSWER
Snowflake's contains is a substring (partial) match: it returns true when the second string appears anywhere inside the first. Snowflake's array_contains is an exact match: it returns true only when the value is equal to one element of the array. The two are not interchangeable, because a substring search on a stringified array will match fragments of unrelated elements, while array_contains never matches a partial value.
In Athena, contains(array, value) is the array-membership function, the counterpart of Snowflake's array_contains, not of Snowflake's string contains; a substring match in Athena is written with LIKE or strpos instead. A query should therefore not be ported between the two backends on function name alone.
Examples
Snowflake
Snowflake contains method:
CONTAINS( <expr1> , <expr2> ), where <expr1> is the string to search in and <expr2> is the string to search for.
SELECT * FROM panther_logs.public.okta_systemlog WHERE contains(p_any_ip_addresses::varchar, '1.2') LIMIT 10;
Casting p_any_ip_addresses to varchar turns the whole array into its JSON text (for example ["1.2.3.4","10.0.0.1"]), so '1.2' here also matches rows whose addresses are 11.2.3.4 or 1.23.45.67. Use a search string that is as specific as you can make it, or match against the individual elements instead.
Snowflake array_contains method:
SELECT * FROM panther_logs.public.okta_systemlog WHERE array_contains('1.2.3.4'::variant, p_any_ip_addresses) LIMIT 10;
Similarly for int values in the array_contains method:
SELECT * FROM panther_logs.public.okta_systemlog WHERE array_contains(7022::int, securityContext:asNumber) LIMIT 10;
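The following is an added example, not part of the Panther article above, that shows the substring-versus-exact difference on constructed rows instead of the live okta_systemlog table. The CTE sample_events and its four rows are made up for illustration; the '1.2.' prefix used in the last column is an assumed search term. It also goes one step beyond the article: the prefix_hit column shows how to test each array element on its own (with LATERAL FLATTEN and STARTSWITH) when you want "every address starting with 1.2." without the false positives that a substring search over the stringified array produces.

```sql
-- Added example (not from the Panther article): constructed rows standing in
-- for panther_logs.public.okta_systemlog. p_any_ip_addresses is an ARRAY of
-- strings, as in Panther's p_any_* indicator columns.
WITH sample_events AS (
    SELECT 'evt-1' AS p_row_id, ARRAY_CONSTRUCT('1.2.3.4', '10.0.0.1') AS p_any_ip_addresses
    UNION ALL
    SELECT 'evt-2', ARRAY_CONSTRUCT('11.2.3.4')     -- text contains '1.2' but the IP is not 1.2.3.4
    UNION ALL
    SELECT 'evt-3', ARRAY_CONSTRUCT('1.23.45.67')   -- text contains '1.2' as well
    UNION ALL
    SELECT 'evt-4', ARRAY_CONSTRUCT('192.168.1.1')  -- no '1.2' anywhere in the text
)
SELECT
    e.p_row_id,
    -- CONTAINS on the JSON text of the array: a substring match anywhere in the
    -- text, so it fires for evt-1, evt-2 and evt-3.
    CONTAINS(e.p_any_ip_addresses::varchar, '1.2')            AS substring_hit,
    -- ARRAY_CONTAINS needs an element equal to the VARIANT value: only evt-1.
    ARRAY_CONTAINS('1.2.3.4'::variant, e.p_any_ip_addresses)  AS exact_hit,
    -- Per-element prefix test: unnest the array and check each address on its
    -- own, so '1.2.' matches 1.2.3.4 but not 11.2.3.4 or 1.23.45.67 (only evt-1).
    BOOLOR_AGG(STARTSWITH(f.value::varchar, '1.2.'))          AS prefix_hit
FROM sample_events e,
     LATERAL FLATTEN(INPUT => e.p_any_ip_addresses) f
GROUP BY 1, 2, 3
ORDER BY 1;
```

Expected result: evt-1 is true in all three columns; evt-2 and evt-3 are true only for substring_hit; evt-4 is false throughout. To run the same check against real data, replace the CTE with panther_logs.public.okta_systemlog and keep the FLATTEN join as written.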
Additional information: