unionAll
Combine tables.
Combine (create the union) of the tables listed in the arguments.
For example: instead of writing following LQL command to combine multiple tables:
select * from cloudtrail union
select * from github union
select * from windows union
select * from vpc
you can use the unionAll operator.
unionAll(cloudtrail, github, windows, vpc)
Note: unionAll operator will union tables even if they have different schemas, columns, types:
- different columns: it will add empty columns to the table that doesnt contain that column
- different types: it will convert different types with same column name to string
that it will perform join
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Union All operator in the search field and select the operator from the Results to open the operator form.
- In the Base Table drop-down, enter or select a node.
- Optional. Click Show Optional Field to union with another input table. In the Union With drop-down, enter or select single or multiple nodes.
- Click Run to view the result.
- Click Cancel to discard the operator form.
- Click Submit to add the operator to the playbook.
Usage Details
unionAll(tables)
Input
tables: List of tables to combine
Output
Union of all tables
Example
Input
table1
| source_ip | source_port |
|---|---|
| 1.1.1.1 | 111 |
| 3.3.3.3 | 333 |
table2
| source_ip | source_port |
|---|---|
| 2.2.2.2 | 222 |
| 4.4.4.4 | 444 |
unionAll(table1, table2)
Output
| source_id | source_port |
|---|---|
| 1.1.1.1 | 111 |
| 3.3.3.3 | 333 |
| 2.2.2.2 | 222 |
| 4.4.4.4 | 444 |
Updated about 1 year ago