QUESTION

I previously ran a search query, or have a scheduled query which recently ran, and I want to review the results of the search. How can I do this?

ANSWER

You can accomplish this in one of two ways, depending on how recently the query was run.

Query was run within the past 24 hours

If the query was run less than 24 hours ago, then the results of the search will be cached in Snowflake. They can be accessed by following these steps:

  1. In the Panther Console, navigate to Investigate > Search History.

  2. Find your query from the list, and copy the UUID of this particular execution - as an example, the UUID could look like 01b0758c-0603-cf42-0041-6a03051b1c12

  3. Open the Data Explorer, and run the following query - be sure to insert the UUID from the previous step:

SELECT * FROM TABLE(RESULT_SCAN('YOUR_UUID_HERE'))

Query is older than 24 hours

If the query was run more than 24 hours ago, then you'll need to re-run it. To do so, follow these steps:

  1. In the Panther Console, navigate to Investigate > Search History.

  2. Find your query from the list. Make note of the execution time of the query.

  3. Click the UUID to open the query.

  4. Manually adjust the timeframe of the query to reflect the original run.

    1. If your query is using the new Search interface, you can use the date picker in the top right to adjust the timespan of the query.

    2. If your query is instead raw SQL code, you'll need to manually adjust any sections of the query which refer to time. When adjusting p_occurs_since macros, replace them with p_occurs_between macros.

  5. Run the altered search query - the results that are returned should be the same as the original run.

Note: in some cases, if log data is ingested into Panther with a delay, it may not have been present during the original query run but will appear in a re-run, so a re-run can legitimately return more rows than the original.
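As an added example (not part of the original article), here is how step 4 applies to a raw SQL search: the original query used a relative p_occurs_since window, and the re-run pins that window with p_occurs_between, using the execution time recorded in Search History as the end bound. The log table, column names, the 7-day window and the execution timestamp are constructed for illustration, and the ISO timestamp format passed to p_occurs_between is an assumption.

```sql
-- Original search. Search History shows it executed at 2024-03-10T12:00:00Z
-- (constructed timestamp). p_occurs_since is relative to "now", so it covered
-- the 7 days ending at that execution time.
SELECT p_event_time, src_ip, user_name          -- constructed column names
FROM panther_logs.public.example_log_table      -- constructed table name
WHERE p_occurs_since('7 days')
  AND error_code = 'AccessDenied';

-- Re-run more than 24 hours later. Left as-is, p_occurs_since would now cover a
-- different 7 days, so replace it with an absolute window:
--   start = execution time - 7 days = 2024-03-03T12:00:00Z
--   end   = execution time          = 2024-03-10T12:00:00Z
SELECT p_event_time, src_ip, user_name
FROM panther_logs.public.example_log_table
WHERE p_occurs_between('2024-03-03T12:00:00Z', '2024-03-10T12:00:00Z')
  AND error_code = 'AccessDenied';
```

Any other time-dependent expression in the query (for example a CURRENT_TIMESTAMP comparison) needs the same treatment, or the re-run will not reproduce the original result set.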