Why is my PantherFlow query taking a very long time to run and often failing to complete the search in Panther?

Last updated: December 16, 2024

QUESTION

Why is my PantherFlow query taking a very long time to run and often failing to complete the search?

ANSWER

If your PantherFlow query names a database and table directly (for example, panther_logs.public.aws_alb), the database, table, and date range dropdowns in the upper-right corner of the Search page are ignored. In particular, the date range you picked in the dropdown is not applied, so a query that carries no time filter of its own is not bounded to a time window at all. That is why it runs for a long time and may fail to complete: the time restriction has to be written into the query itself.

To query only the last 20 minutes, add a where clause on p_event_time to your PantherFlow query, such as: | where p_event_time > time.ago(20m)

For example:

panther_logs.public.aws_alb
| where p_event_time > time.ago(20m)
| sort p_event_time
| limit 10
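The same idea applied to a wider, but still explicitly bounded, window, with a field filter so the result set stays small. This query is added here as an illustration and is not taken from Panther's documentation; it assumes the AWS.ALB schema exposes an elbStatusCode field, that PantherFlow accepts "and" inside a where clause, and that sort accepts a trailing desc. Confirm those against the PantherFlow reference before relying on them.

```pantherflow
// Assumed: elbStatusCode is a field of the AWS.ALB schema; "and" and "desc" are supported.
panther_logs.public.aws_alb
| where p_event_time > time.ago(24h) and p_event_time < time.ago(1h)
| where elbStatusCode >= 500
| sort p_event_time desc
| limit 100
```

Both ends of the window are pinned with p_event_time so the engine never has to consider data outside that range, regardless of what the Search page dropdowns show; the field filter and limit then keep the returned rows manageable.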

For more detailed information, please see Panther’s PantherFlow documentation.