QUESTION

What does the _variant suffix mean in a Panther table name?

ANSWER

All of Panther’s log data is stored in *_variant tables. For simplicity, we created views on those tables that “flatten” the data column, and that’s what gets exposed to the Data Explorer in Panther. The pattern is that every user-facing “table” is a view over a real table with the same name as the view having the suffix _variant.

Based on this, there will be no differentiation in the results when querying the views instead of the *_variant tables.