Combine (create the union) of the tables listed in the arguments.
For example: instead of writing following LQL command to combine multiple tables:
LQL command
select * from cloudtrail union select * from github union select * from windows union select * from vpc
you can use the unionAll
operator.
LQL command
unionAll(cloudtrail, github, windows, vpc)
Note: unionAll
operator will union tables even if they have different schemas, columns, types:
different columns: it will add empty columns to the table that doesnt contain that column
different types: it will convert different types with same column name to string
that it will perform join
Operator usage in easy mode
Click + on the parent node.
Enter the Union All operator in the search field and select the operator from the Results to open the operator form.
In the Base Table drop-down, enter or select a node.
Optional. Click Show Optional Field to union with another input table. In the Union With drop-down, enter or select single or multiple nodes.
Click Run to view the result.
Click Cancel to discard the operator form.
Click Submit to add the operator to the playbook.
Usage details
Text
unionAll(tables)
Inputtables
: List of tables to combine
Output
Union of all tables
Example
Input
table1
source_ip | source_port |
---|---|
1.1.1.1 | 111 |
3.3.3.3 | 333 |
table2
source_ip | source_port |
---|---|
2.2.2.2 | 222 |
4.4.4.4 | 444 |
LQL command
unionAll(table1, table2)
Output
source_id | source_port |
---|---|
1.1.1.1 | 111 |
3.3.3.3 | 333 |
2.2.2.2 | 222 |
4.4.4.4 | 444 |