union operator
Combines events from two or more datasets, returning rows from each of them. This operator processes rows sourced from multiple datasets into a set of results. Based on the set union principle from mathematics, union is ideal for merging data from multiple sources for comprehensive data analysis.
Syntax
['DatasetA']
| union ['DatasetB', 'DatasetC', ...]Arguments
| name | type | description |
|---|---|---|
| Dataset name | string | Name of the dataset to be included in the union. Multiple datasets can be included in the union. |
Returns
A combined event comprising all rows from the included datasets. If fields overlap, they are merged. Non-overlapping fields are retained in their original form.
Examples
Basic union
Combines all rows from github-push-event and github-pull-request-event without any transformation or filtering.
['github-push-event']
| union ['github-pull-request-event']Filtering after union
Combines the datasets, and then filters the data to only include rows where the method is GET.
['sample-http-logs']
| union ['github-issues-event']
| where method == "GET"Aggregating after union
Combines the datasets and summarizes the data, counting the occurrences of each combination of content_type and actor.
['sample-http-logs']
| union ['github-pull-request-event']
| summarize Count = count() by content_type, actor