Data Explorer

Articles

• Why do I get an "invalid identifier" SQL compilation error when querying for a p_any field?
• Can we query Snowflake directly or only through Panther?
• What timezone is the timestamp data in the Panther Data Explorer?
• How can I export data from my Panther Console?
• How can I query my Panther Audit logs in the Data Explorer?
• Can I query the panther kv store table through Data Explorer in the Panther Console?
• My Data Explorer view in Panther displays a field with null values, even though I removed the field from my schema. How can I remove this field from the view?
• Best practices for faster querying of data in Panther
• Panther is missing column(s) when querying the data lake
• Can I view the raw, expanded SQL from my scheduled and ad-hoc queries in Panther?
• What is the purpose of the _current and _001, _002 suffixes in Panther's rule_matches tables?
• Why does running a query in Panther Data Explorer cause my page to crash or become unresponsive?
• How do I resolve the error "ErrorMessage=Timestamp ' ' is not recognized" with custom schemas in Panther?
• With a Customer-configured Snowflake deployment, can I query other non-Panther databases?
• I get the error "SQL compilation error: ambiguous column name 'P_EVENT_TIME'" in my Panther Console when using INNER JOIN in Data Explorer
• How to resolve Panther Data Explorer error "Result size exceeded configured limit"
• What is the best way to query for all NULL or non-NULL values in Panther?
• How can I query for a nested JSON object's attribute in Panther?
• How can I use Panther's Data Explorer to query the number of cloud resources currently failing policies?
• How does the "contains" method work when querying data in Panther?
• Why am I getting the Data Explorer error "Multiple SQL statements are not allowed, please only use one SQL statement" in the Panther Console?
• Why do I see everything under a single Data column when querying directly in Snowflake rather than in Panther?
• My query using p_event_time in Panther runs slowly
• Does the `p_occurs` macro use `p_parse_time` in the Panther Data Explorer?
• How to identify the source of a log in Panther
• Should I add a conditional for variant type variables in Panther?
• How do I do SQL wildcard searching on the contents of an array in Panther?
• What does the query error "maximum row size exceeded" mean in Panther?
• How is the p_any_usernames Panther field populated?
• Why does my ingested event name field contain the word "slash" instead of the "/" in link names in Panther?
• Is there a benefit to writing pure Snowql queries instead of relying on a translation layer (standard SQL) in Panther?
• Queries are running slowly when using TO_OBJECT in Data Explorer
• The "url" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer
• The p_any_usernames column is not populated in Panther's Data Explorer with an "int" type user_id
• Does Panther support querying if an IP belongs in a CIDR?
• Why do I get NULL results when querying fields under the payload column in the classification_failures table in Panther?
• What time format is p_event_time in?
• Can I use Panther Data Model fields in my queries?
• How do I export a list of non-compliant AWS resources into a CSV file in Panther?
• What formats can I use for timestamps in my SQL queries in Panther?
• Can I search my log data in Panther without using SQL?
• What does the _variant suffix mean in a Panther table name?
• How can I find a record of all logins to Okta for a specific user in Panther?
• How do I download the contents of the Summarize tab in the Panther Data Explorer?
• Panther p_occurs_between returns "Your query did not return any results"
• My CSV of Data Explorer results from Panther contains unnecessary double quotes
• What is the difference between shared views and non-shared views in the Panther Data Explorer?
• Are SQL aliases case-sensitive in Panther's JSON output?
• How do I correlate user activity across multiple alerts in Panther?
• How can I perform a case-insensitive search in the p_any_emails array in Panther?
• Adding Snowflake views to the PANTHER* databases
• How do I query on a nested field within arrays in Panther?
• Why is there a trailing white space in my p_source_label field in my Data Explorer results in Panther?
• How can I find the total number of Panther alerts sent over a certain period of time?
• How can I query all my failed policy events in Panther for a specific policy?