Union Operator
Overview
Query multiple tables with union.
union <table1> [, ...]Or
| union <table1> [, ...]Use union to query multiple tables at once or to inject data into an existing query. Table names can contain the wildcard character * to succinctly query tables with similar names, such as those with the same database or suffix. union is one of the possible PantherFlow data sources.
Learn more about using union to search across all logs on PantherFlow Best Practices.
Examples
Query multiple source tables
union aws_alb, aws_cloudtrail{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }
{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }
{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }
Inject a table into an existing query
aws_alb
// optionally, other statements here
| union aws_cloudtrail{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "type": "https" }
{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "type": "https" }
{ "p_event_time": "2023-09-16 05:23:30.812", "aws_region": "us-east-2", "eventName": "AssumeRole" }
Use a wildcard character to query many tables
union panther_logs*This statement queries all tables whose names begin with the prefix panther_logs.
Last updated
Was this helpful?