Combine (create the union) of the tables listed in the arguments.
For example: instead of writing following LQL command to combine multiple tables:
LQL command
select * from cloudtrail union select * from github union select * from windows union select * from vpc
you can use the unionAll
operator.
LQL command
unionAll(cloudtrail, github, windows, vpc)
Note: unionAll
operator will union tables even if they have different schemas, columns, types:
- different columns: it will add empty columns to the table that doesnt contain that column
- different types: it will convert different types with same column name to string
that it will perform join
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Union All operator in the search field and select the operator from the Results to open the operator form.
- In the Base Table drop-down, enter or select a node.
- Optional. Click Show Optional Field to union with another input table. In the Union With drop-down, enter or select single or multiple nodes.
- Click Run to view the result.
- Click Cancel to discard the operator form.
- Click Submit to add the operator to the playbook.
Usage Details
``` {text}unionAll(tables)
**Input** `tables`: List of tables to combine **Output** Union of all tables ## Example **Input** table1 <div><table class="blueTable"> <thead> <tr> <th>source_ip</th> <th>source_port</th> </tr> </thead> <tbody> <tr> <td>1.1.1.1</td><td>111</td></tr> <tr> <td>3.3.3.3</td><td>333</td></tr> </tbody> </tr> </table></div> table2 <div><table class="blueTable"> <thead> <tr> <th>source_ip</th> <th>source_port</th> </tr> </thead> <tbody> <tr> <td>2.2.2.2</td><td>222</td></tr> <tr> <td>4.4.4.4</td><td>444</td></tr> </tbody> </tr> </table></div> <style>table.blueTable { border: 1px solid #1C6EA4; background-color: #FFFFFF; width: 100%; text-align: left; border-collapse: collapse; } table.blueTable td, table.blueTable th { border: 1px solid #AAAAAA; padding: 3px 2px; } table.blueTable tbody td { font-size: 13px; } table.blueTable thead { background: #E0E0E0; background: -moz-linear-gradient(top, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%); background: -webkit-linear-gradient(top, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%); background: linear-gradient(to bottom, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%); border-bottom: 1px solid #444444; } table.blueTable thead th { font-size: 15px; font-weight: bold; color: #424242; border-left: 1px solid #D0E4F5; } table.blueTable thead th:first-child { border-left: none; } table.blueTable tfoot td { font-size: 14px; } table.blueTable tfoot .links { text-align: right; } table.blueTable tfoot .links a{ display: inline-block; background: #1C6EA4; color: #FFFFFF; padding: 2px 8px; border-radius: 5px; }</style> LQL command ``` {sql} unionAll(table1, table2)
Output
source_id | source_port |
---|---|
1.1.1.1 | 111 |
3.3.3.3 | 333 |
2.2.2.2 | 222 |
4.4.4.4 | 444 |