# Union Operator ## Overview Query multiple tables with `union`. ```kusto union [, ...] ``` Or ```kusto | union [, ...] ``` Use `union` to query multiple tables at once or to inject data into an existing query. Table names can contain the wildcard character `*` to succinctly query tables with similar names, such as those with the same database or suffix. `union` is one of the [possible PantherFlow data sources](/pantherflow/statements.md#data-sources). Learn more about using union to search across all logs on [PantherFlow Best Practices](/pantherflow/best-practices.md#how-to-best-search-across-all-logs-in-pantherflow). ## Examples {% hint style="info" %} Example data ```kusto let aws_alb = datatable [ {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34"}, {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1"}, {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7"} ]; let aws_cloudtrail = datatable [ {"aws_region": "us-east-2", "p_event_time": "2023-09-16 05:23:30.812", "eventName": "AssumeRole"} ]; ``` {% endhint %} ### Query multiple source tables ```kusto union aws_alb, aws_cloudtrail ``` | EVENT | | ----------------------------------------------------------------------------------------------------- | | `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }` | ### Inject a table into an existing query ```kusto aws_alb // optionally, other statements here | union aws_cloudtrail ``` | EVENT | | ----------------------------------------------------------------------------------------------------- | | `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }` | | `{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }` | ### Use a wildcard character to query many tables ```kusto union panther_logs* ``` This statement queries all tables whose names begin with the prefix `panther_logs`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/pantherflow/operators/union.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.