# Union Operator

## Overview

Query multiple tables with `union`.

```kusto
union <table1> [, ...]
```

Or

```kusto
| union <table1> [, ...]
```

Use `union` to query multiple tables at once or to inject data into an existing query. Table names can contain the wildcard character `*` to succinctly query tables with similar names, such as those with the same database or suffix. `union` is one of the [possible PantherFlow data sources](https://docs.panther.com/statements#data-sources).

Learn more about using union to search across all logs on [PantherFlow Best Practices](https://docs.panther.com/best-practices#how-to-best-search-across-all-logs-in-pantherflow).

## Examples

{% hint style="info" %}
Example data

```kusto
let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7"}
];

let aws_cloudtrail = datatable [
  {"aws_region": "us-east-2", "p_event_time": "2023-09-16 05:23:30.812", "eventName": "AssumeRole"}
];
```

{% endhint %}

### Query multiple source tables

```kusto
union aws_alb, aws_cloudtrail
```

| EVENT                                                                                                 |
| ----------------------------------------------------------------------------------------------------- |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }`         |
| `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }`           |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }`           |
| `{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }` |

### Inject a table into an existing query

```kusto
aws_alb
// optionally, other statements here
| union aws_cloudtrail
```

| EVENT                                                                                                 |
| ----------------------------------------------------------------------------------------------------- |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }`         |
| `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }`           |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }`           |
| `{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }` |

### Use a wildcard character to query many tables

```kusto
union panther_logs*
```

This statement queries all tables whose names begin with the prefix `panther_logs`.