union
Merges the results of subqueries. Because subqueries run concurrently, the output order is not guaranteed.
Command properties
| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Not counted |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Target
`[ SUBQUERY ]` - Subquery enclosed in square brackets (`[]`). The subquery results are used as input data for the main pipeline.
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 90204 | [가 짝이 맞지 않습니다. | The square brackets of the subquery are unmatched |
| 90206 | 서브 쿼리가 없습니다. | No subquery was specified |
Runtime errors
N/A
Description
The union command runs subqueries and passes their results as input data to the main pipeline. As a driver query, it must be used as the first command in a query pipeline.
Subqueries run concurrently with the main query, so the output order is not guaranteed. This command is primarily used when order is not important (such as when performing statistical processing) and high execution performance is required.
Examples
- Merge data from multiple tables

  ```
  union [ table duration=1h web_logs ] | union [ table duration=1h app_logs ] | stats count by src_ip
  ```

  Merges the last hour of data from the `web_logs` and `app_logs` tables, then aggregates the count by `src_ip`.

- Transform in a subquery before merging

  ```
  union [ table duration=1h firewall_logs | search action == "deny" ] | stats count by src_ip
  ```

  Keeps only blocked events (`action == "deny"`) from the firewall log inside the subquery, then merges the results.