Learn more about the Cortex Query Language join
stage that combines the results of two queries into a single result set.
Syntax
join conflict_strategy = both|left|right type = inner|left|right ((<xql query>) as <execution_name> <boolean_expr>)
Description
The join()
stage combines the results of two queries into a single result set. This stage is conceptually identical to a SQL join.
Parameter/Clause | Description |
---|---|
| Identifies the join conflict strategy when there is a conflict in the column names between the 2 result sets which one should be chosen, either:
|
| Identifies the join type.
|
<xql query> | Provides the XQL query to be joined with the parent query. |
as <execution_name> | Provides an alias for the join query's result set. For example, if you specify an execution name of |
<boolean_expr> | Identifies the conditions that must be met in order to place a record in the join result set. |
Note
This stage does not preserve sort order. If you are combing this stage with a sort stage, specify the sort
stage after the join
.
Examples
Return microsoft_windows_raw
records, which are combined with the xdr_data
records to include a new column called edr
. For the event_type
set to EVENT_LOG
, the actor_process_image_name
and event_id
fields are returned from all xdr_data
records, which are then compared to the fields inside the microsoft_windows_raw
dataset, where edr.event_id = edr_event_id
, and the results are added to the new edr
column.
dataset = microsoft_windows_raw | join (dataset = xdr_data | filter event_type = EVENT_LOG | fields actor_process_image_name, event_id ) as edr edr.event_id = edr_event_id
Return a maximum of 100 xdr_data
records with the events of the agent_id
, event_id
, and _product
fields, where the _product
field is displayed as product
. The agent_id
, event_id
, and _product
fields are returned from all xdr_data
records and are then compared to the fields inside the panw_ngfw_filedata_raw
dataset, where _time = panw.time
, and the results are added to the new panw
column. When there is a conflict in the column names between the 2 result sets both columns are used.
dataset = xdr_data | fields agent_id, event_id, _product as product | join conflict_strategy = both (dataset = panw_ngfw_filedata_raw | fields _product as product) as panw _time = panw._time | limit 100