execute_data_lake_query

Run custom SQL queries on Panther's data lake for advanced analysis. Requires p_event_time filter and Snowflake SQL syntax. Use query_id to retrieve results through get_data_lake_query_results.

Instructions

Execute custom SQL queries against Panther's data lake for advanced data analysis and aggregation. This tool requires a p_event_time filter condition and should only be called five times per user request. For simple log sampling, use get_sample_log_events instead. The query must follow Snowflake SQL syntax (e.g., use field instead of field.nested_field).

WORKFLOW:
1. First call get_table_schema to understand the schema
2. Then execute_data_lake_query with your SQL
3. Finally call get_data_lake_query_results with the returned query_id

Returns a dictionary with query execution status and a query_id for retrieving results.

Input Schema

Name	Required	Description	Default
`database_name`	No	The database to query.	panther_logs.public
`sql`	Yes	The SQL query to execute. Must include a p_event_time filter condition after WHERE or AND. The query must be compatible with Snowflake SQL.

Input Schema (JSON Schema)

{
  "properties": {
    "database_name": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": "panther_logs.public",
      "description": "The database to query.",
      "title": "Database Name"
    },
    "sql": {
      "description": "The SQL query to execute. Must include a p_event_time filter condition after WHERE or AND. The query must be compatible with Snowflake SQL.",
      "title": "Sql",
      "type": "string"
    }
  },
  "required": [
    "sql"
  ],
  "type": "object"
}

Panther MCP Server