Union Operator

Overview

Query multiple tables with union.

union <table1> [, ...]

| union <table1> [, ...]

Union can be used to query multiple tables (including those defined by a let statement) at once or to inject data into an existing query. Table names can contain the wildcard character * to succinctly query tables with similar names, such as those with the same database or suffix.

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7"}
];

let aws_cloudtrail = datatable [
  {"aws_region": "us-east-2", "p_event_time": "2023-09-16 05:23:30.812", "eventName": "AssumeRole"}
];

Query multiple source tables

union aws_alb, aws_cloudtrail

p_event_time

clientIp

type

awsRegion

eventName

2023-09-16 05:45:34.863

192.168.11.34

https

2023-09-16 05:59:04.058

192.168.1.1

https

2023-09-16 05:36:09.017

10.168.22.7

https

2023-09-16 05:23:30.812

us-east-2

AssumeRole

Inject a table into an existing query

aws_alb
// optionally, other statements here
| union aws_cloudtrail

p_event_time

clientIp

type

awsRegion

eventName

2023-09-16 05:45:34.863

192.168.11.34

https

2023-09-16 05:59:04.058

192.168.1.1

https

2023-09-16 05:36:09.017

10.168.22.7

https

2023-09-16 05:23:30.812

us-east-2

AssumeRole

Use a wildcard character to query many tables

union panther_logs*

This statement queries all tables whose names begin with the prefix panther_logs.

PreviousSummarize Operator NextVisualize Operator

Last updated 10 days ago