New Blog Post | Must Learn KQL Part 18: The Union Operator

%3CLINGO-SUB%20id%3D%22lingo-sub-3131945%22%20slang%3D%22en-US%22%3ENew%20Blog%20Post%20%7C%20Must%20Learn%20KQL%20Part%2018%3A%20The%20Union%20Operator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3131945%22%20slang%3D%22en-US%22%3E%3CP%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fazurecloudai.blog%2F2022%2F02%2F07%2Fmust-learn-kql-part-18-the-union-operator%2F%3FWT.mc_id%3Dm365-0000-rotrent%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EMust%20Learn%20KQL%20Part%2018%3A%20The%20Union%20Operator%20%E2%80%93%20Azure%20Cloud%20%26amp%3B%20AI%20Domain%20Blog%20(azurecloudai.blog)%3C%2FA%3E%3C%2FP%3E%3CP%3EAs%20I%20did%20with%20parts%2Fchapters%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcda.ms%2F3Dv%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3E13-16%3C%2FA%3E%26nbsp%3Bof%20this%20series%20for%20the%26nbsp%3Bseries-within-the-series%26nbsp%3Bfor%20data%20view%20manipulation%2C%20this%20part%2Fchapter%20and%20the%20next%20form%20another%20mini-series%20of%20sorts.%20The%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcda.ms%2F3NQ%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EUnion%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcda.ms%2F3NR%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EJoin%3C%2FA%3E%26nbsp%3Boperators%20are%20important%20parts%20of%20the%20KQL%20journey%20as%20they%20represent%20opportunities%20to%20combine%20data%20from%20tables%20in%20different%20ways.%3C%2FP%3E%3CP%3EBefore%20jumping%20directly%20off%20into%20talking%20about%20the%20Union%20operator%2C%20I%20think%20it%E2%80%99s%20best%20to%20start%20with%20describing%20the%20differences%20between%20Union%20and%20Join.%20Knowing%20the%20differences%20will%20allow%20you%20to%20determine%20which%20one%20to%20use%20for%20which%20scenario.%3C%2FP%3E%3CP%3EUnion%26nbsp%3Ballows%20you%20to%20take%20the%20data%20from%20two%20or%20more%20tables%20and%20display%20the%20results%20(all%20rows%20from%20all%20tables)%20together.%26nbsp%3BJoin%2C%20on%20the%20other%20hand%2C%20is%20intended%20to%20produce%20more%20specific%20results%20by%20joining%20rows%20of%20just%20two%20tables%20through%20matching%20the%20values%20of%20columns%20you%20specify.%20You%E2%80%99ll%26nbsp%3Bsee%26nbsp%3Bthe%20differences%20once%20we%20get%20through%20this%20mini-series%20and%20you%20can%20get%20hands-on%20with%20the%20examples.%20I%20highly%20suggest%20taking%20the%20examples%20from%20this%20part%2Fchapter%20and%20running%20them%20against%20the%20examples%20of%20Part%2019%20on%20the%20Join%20operator%20to%20get%20a%20proper%20comparison.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3131945%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Sentinel%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

AshleyMartin_0-1644265699233.png

Must Learn KQL Part 18: The Union Operator – Azure Cloud & AI Domain Blog (azurecloudai.blog)

As I did with parts/chapters 13-16 of this series for the series-within-the-series for data view manipulation, this part/chapter and the next form another mini-series of sorts. The Union and Join operators are important parts of the KQL journey as they represent opportunities to combine data from tables in different ways.

Before jumping directly off into talking about the Union operator, I think it’s best to start with describing the differences between Union and Join. Knowing the differences will allow you to determine which one to use for which scenario.

Union allows you to take the data from two or more tables and display the results (all rows from all tables) together. Join, on the other hand, is intended to produce more specific results by joining rows of just two tables through matching the values of columns you specify. You’ll see the differences once we get through this mini-series and you can get hands-on with the examples. I highly suggest taking the examples from this part/chapter and running them against the examples of Part 19 on the Join operator to get a proper comparison.

0 Replies