Union Operator

Overview

Query multiple tables with union.

union <table1> [, ...]

| union <table1> [, ...]

Union can be used to query multiple tables (including data defined by a let statement) at once or to inject data into an existing query.

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7"}
];

let aws_cloudtrail = datatable [
  {"aws_region": "us-east-2", "p_event_time": "2023-09-16 05:23:30.812", "eventName": "AssumeRole"}
];

Query multiple source tables

union aws_alb, aws_cloudtrail

p_event_time	clientIp	type	awsRegion	eventName
2023-09-16 05:45:34.863	192.168.11.34	https
2023-09-16 05:59:04.058	192.168.1.1	https
2023-09-16 05:36:09.017	10.168.22.7	https
2023-09-16 05:23:30.812			us-east-2	AssumeRole

p_event_time

clientIp

type

awsRegion

eventName

2023-09-16 05:45:34.863

192.168.11.34

https

2023-09-16 05:59:04.058

192.168.1.1

https

2023-09-16 05:36:09.017

10.168.22.7

https

2023-09-16 05:23:30.812

us-east-2

AssumeRole

Inject a table into an existing query

aws_alb
// optionally, other statements here
| union aws_cloudtrail

p_event_time	clientIp	type	awsRegion	eventName
2023-09-16 05:45:34.863	192.168.11.34	https
2023-09-16 05:59:04.058	192.168.1.1	https
2023-09-16 05:36:09.017	10.168.22.7	https
2023-09-16 05:23:30.812			us-east-2	AssumeRole

p_event_time

clientIp

type

awsRegion

eventName

2023-09-16 05:45:34.863

192.168.11.34

https

2023-09-16 05:59:04.058

192.168.1.1

https

2023-09-16 05:36:09.017

10.168.22.7

https

2023-09-16 05:23:30.812

us-east-2

AssumeRole

PreviousSummarize Operator NextWhere Operator

Last updated 2 months ago