Document toolboxDocument toolbox

unionAll

Owned by Jonas Gonzalez
Last updated: Nov 29, 2024

Combine (create the union) of the tables listed in the arguments.

For example: instead of writing following LQL command to combine multiple tables:

LQL command

select * from cloudtrail union
select * from github union
select * from windows union
select * from vpc

you can use the unionAll operator.

LQL command

unionAll(cloudtrail, github, windows, vpc)

Note: unionAll operator will union tables even if they have different schemas, columns, types:

  • different columns: it will add empty columns to the table that doesnt contain that column
  • different types: it will convert different types with same column name to string
    that it will perform join

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Union All operator in the search field and select the operator from the Results to open the operator form.
  3. In the Base Table drop-down, enter or select a node.
  4. Optional. Click Show Optional Field to union with another input table. In the Union With drop-down, enter or select single or multiple nodes.
  5. Click Run to view the result.
  6. Click Cancel to discard the operator form.
  7. Click Submit to add the operator to the playbook.

Usage Details

``` {text}unionAll(tables)

**Input**  
`tables`: List of tables to combine

**Output**  
Union of all tables

## Example

**Input**  
table1

<div><table class="blueTable">
<thead>
<tr>
<th>source_ip</th>
<th>source_port</th>
</tr>
</thead>
<tbody>
<tr>
<td>1.1.1.1</td><td>111</td></tr>
<tr>
<td>3.3.3.3</td><td>333</td></tr>
</tbody>
</tr>
</table></div>

table2

<div><table class="blueTable">
<thead>
<tr>
<th>source_ip</th>
<th>source_port</th>
</tr>
</thead>
<tbody>
<tr>
<td>2.2.2.2</td><td>222</td></tr>
<tr>
<td>4.4.4.4</td><td>444</td></tr>
</tbody>
</tr>
</table></div>

<style>table.blueTable {
  border: 1px solid #1C6EA4;
  background-color: #FFFFFF;
  width: 100%;
  text-align: left;
  border-collapse: collapse;
}
table.blueTable td, table.blueTable th {
  border: 1px solid #AAAAAA;
  padding: 3px 2px;
}
table.blueTable tbody td {
  font-size: 13px;
}
table.blueTable thead {
  background: #E0E0E0;
  background: -moz-linear-gradient(top, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%);
  background: -webkit-linear-gradient(top, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%);
  background: linear-gradient(to bottom, #e8e8e8 0%, #e3e3e3 66%, #E0E0E0 100%);
  border-bottom: 1px solid #444444;
}
table.blueTable thead th {
  font-size: 15px;
  font-weight: bold;
  color: #424242;
  border-left: 1px solid #D0E4F5;
}
table.blueTable thead th:first-child {
  border-left: none;
}

table.blueTable tfoot td {
  font-size: 14px;
}
table.blueTable tfoot .links {
  text-align: right;
}
table.blueTable tfoot .links a{
  display: inline-block;
  background: #1C6EA4;
  color: #FFFFFF;
  padding: 2px 8px;
  border-radius: 5px;
}</style>

LQL command
``` {sql}
unionAll(table1, table2)

Output

source_id source_port
1.1.1.1111
3.3.3.3333
2.2.2.2222
4.4.4.4444