Dashboard
Account 🔐
Sign Up
Login
Global Leaderboard
Game Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
Kusto
›
union
Union
Kusto
Definition
The `union` operator in Kusto Query Language (KQL) combines the results of multiple tables into a single result set by stacking them vertically. It returns all rows from each input, aligning columns by name and filling in nulls where columns don’t exist in all tables. This makes it useful when you want to analyze data from multiple sources together or treat separate datasets as one.
Explore More Terms
Dark-Web
Checkpoint
Ransom-Note
Cyber Kill Chain
Living-Off-The-Land-Lolbins
Examples & Use Cases
Combine logs from multiple sources ```sql SigninLogs | union SecurityEvent ``` This returns all rows from both `SigninLogs` and `SecurityEvent`. ### Union Multiple Tables ```sql TableA | union TableB, TableC ``` This merges data from three tables into one result set. --- ### Keeping Only Distinct Rows ```sql TableA | union distinct TableB ``` This removes duplicate rows across the combined datasets. --- ### Union with Filters ``` SigninLogs | where Status == "Failed" | union SecurityEvent ``` This combines failed sign-in logs with all security events. --- ### Column Alignment Behavior When using `union`, KQL aligns columns by name. If a column exists in one table but not another, missing values will be returned as `null`. --- ### Why it matters Data is often spread across multiple tables or sources. * Combines related datasets into a single view * Useful for cross-table analysis and monitoring * Helps simplify queries across multiple log sources However, `union` can return large datasets quickly, so filtering before or after the operation is important for performance. --- ## Further Reading - [Microsoft Learn - union operator](https://learn.microsoft.com/en-us/kusto/query/union-operator)
.png)
