execute_data_lake_query
Run custom SQL queries against Panther's data lake for advanced analysis. Every query requires a p_event_time filter and must use Snowflake SQL syntax. The call returns a query_id; pass it to get_data_lake_query_results to retrieve the results.
Instructions
Execute custom SQL queries against Panther's data lake for advanced data analysis and aggregation. Every query must include a p_event_time filter condition, and this tool should be called at most five times per user request. For simple log sampling, use get_sample_log_events instead. The query must follow Snowflake SQL syntax (e.g., access nested fields with the colon operator, field:nested_field, rather than dot notation, field.nested_field).
Input Schema
Name | Required | Description | Default
---|---|---|---
database_name | No | The database to query. | panther_logs.public
sql | Yes | The SQL query to execute. Must include a p_event_time filter condition after WHERE or AND. The query must be compatible with Snowflake SQL. | 
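The following is an added example of a query that satisfies the constraints above; it is not taken from Panther's documentation or tooling. It assumes the CloudTrail table and columns (aws_cloudtrail, errorCode, eventName, userIdentity) in the default panther_logs.public database; adjust the names to your environment. The p_event_time predicate is the time bound that keeps the scan to a 24-hour window, and userIdentity:arn shows the Snowflake colon syntax for a nested field inside a VARIANT column.

```sql
-- Added example, not Panther's own code. Table and column names are assumed
-- to match Panther's CloudTrail schema in panther_logs.public.
-- Goal: which principals are generating the most authorization failures
-- in the last 24 hours, and against which API calls.
SELECT
    userIdentity:arn::STRING AS principal_arn,   -- colon syntax for a nested VARIANT field
    eventName,
    COUNT(*)                  AS denied_calls,
    MIN(p_event_time)         AS first_seen,
    MAX(p_event_time)         AS last_seen
FROM panther_logs.public.aws_cloudtrail
WHERE p_event_time >= DATEADD(hour, -24, CURRENT_TIMESTAMP())   -- required p_event_time filter
  AND errorCode IN ('AccessDenied', 'UnauthorizedOperation')
GROUP BY 1, 2
ORDER BY denied_calls DESC
LIMIT 50;
```

Submit the text above as the sql parameter (database_name can be omitted to use the default), then poll get_data_lake_query_results with the returned query_id. If the tool rejects the query, check first that the p_event_time condition directly follows WHERE or AND, as the schema requires, and that no nested field is addressed with dot notation.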