Document:Cortex XDR™ XQL Language Reference

Join

Search the Table of Contents

Cortex XDR XQL join() stage combines the results of two queries into a single result set.

join conflict_strategy = both|left|right 
     type = inner|left|right 
     (<xql query>) 
     as <execution_name> 
     <boolean_expr>)

The

join()

stage combines the results of two queries into a single result set. This stage is conceptually identical to a SQL join.

Parameter/Clause	Description
conflict_strategy	Identifies the join conflict strategy.
type	Identifies the join type. inner Returns all the records in common between the queries that are being joined. This is the default join type. right Returns all records from the join result set, plus any records from the parent result set that intersect with the join result set. left Returns all records from the parent result set, plus any records from the join result set that intersect with the parent result set.
<xql query >	Provides the XQL query to be joined with the parent query.
as <execution_name >	Provides an alias for the join query's result set. For example, if you specify an execution name of join1 , and in the join query you return field agent_id , then you can subsequently refer to that field as join1.agent_id .
<boolean_expr >	Identifies the conditions that must be met in order to place a record in the join result set.

This stage does not preserve sort order. If you are combing this stage with a sort stage, specify the

sort

stage after the join.