Union Operator
Overview
Query multiple tables with union.
union <table1> [, ...]Or
| union <table1> [, ...]Use union to query multiple tables at once or to inject data into an existing query. Table names can contain the wildcard character * to succinctly query tables with similar names, such as those with the same database or suffix. union is one of the possible PantherFlow data sources.
Learn more about using union to search across all logs on PantherFlow Best Practices.
Examples
Query multiple source tables
{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }
{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }
{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }
Inject a table into an existing query
{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }
{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }
{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }
Use a wildcard character to query many tables
This statement queries all tables whose names begin with the prefix panther_logs.
Last updated
Was this helpful?