Create a union table
After creating a custom table, you can merge its data with other queries to create a union table. When you merge a custom table with an existing query, the custom table fields whose names match fields in the query are merged automatically. The remaining fields appear as not assigned, and you can merge them manually with query fields of the same type.
The following diagram represents how the merging process works:
To merge a custom table with a query:
- Go to Data Search and open the data table whose data you want to merge with your custom table.
- Select Additional Tools → Custom tables → Add to existing union.
- Choose the custom table you want to merge with the current query.
- Custom table columns whose names match columns in the query are merged automatically. The rest appear as not assigned. On the right side, in the Current query fields area, you can select specific fields from the query and drag them to the Query field value column of the custom table. Note that both fields must have the same data type.
In the following example, we are merging the serverIp column in our query with the srcIp column of the custom table. Note that the action and dstPort columns are automatically assigned to the query columns with the same name.
- Optionally, you can create more columns by selecting New field. Enter the new field name and then drag the required field from the Current query fields area.
See below how we add a new field and drag the virusID column from our query to include those events in the union table. You must set a name for the new field and change the data type if needed.
- Click Save once you finish. Now go to the Data Search area and open your custom table. It should contain the data merged from the query.
Note that you cannot use tables that contain columns labeled as extra unless you rename them. For more information, see the article Selecting unrevealed columns.