Union Operator

Overview

Query multiple tables with union.

union <table1> [, ...]

| union <table1> [, ...]

Use union to query multiple tables at once or to inject data into an existing query. Table names can contain the wildcard character * to succinctly query tables with similar names, such as those with the same database or suffix. union is one of the possible PantherFlow data sources.

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7"}
];

let aws_cloudtrail = datatable [
  {"aws_region": "us-east-2", "p_event_time": "2023-09-16 05:23:30.812", "eventName": "AssumeRole"}
];

Query multiple source tables

union aws_alb, aws_cloudtrail

EVENT

{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }

{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }

{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }

{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }

Inject a table into an existing query

aws_alb
// optionally, other statements here
| union aws_cloudtrail

EVENT

{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }

{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }

{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }

{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }

Use a wildcard character to query many tables

union panther_logs*

This statement queries all tables whose names begin with the prefix panther_logs.

PreviousSummarize Operator NextVisualize Operator

Last updated 2 months ago

Was this helpful?