https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539499#M4200 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231174">@timurphy</a>&nbsp;Thanks a lot that worked well. I went with a similar approach and realised the issue I had was in the join to keep the original field names when I should have aliased them as 'As'.&nbsp;</P> <P>Thanks</P> Thu, 20 Apr 2023 08:35:47 GMT michaelsysec242 2023-04-20T08:35:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539352#M4189 <P>Hello, I am attempting to write a query in which I display the host inventory applications and the Group Names field from the endpoint dataset. I have used in separate occasions Union and Join On but without success.&nbsp;</P> <P>What can I do without affecting the datasets with Target etc ?</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Wed, 19 Apr 2023 12:08:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539352#M4189 michaelsysec242 2023-04-19T12:08:58Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539353#M4190 <P>I would much appreciate if someone can provide an example, cheers!</P> Wed, 19 Apr 2023 12:09:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539353#M4190 michaelsysec242 2023-04-19T12:09:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539400#M4194 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209373">@michaelsysec242</a>,</P> <P>&nbsp;</P> <P>Here is a simple example to get you started:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">preset = host_inventory_applications | fields install_date, vendor, application_name, version, endpoint_name, endpoint_id | join type = left (dataset = endpoints | fields group_names, endpoint_id) as endpoints endpoints.endpoint_id = endpoint_id</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In the <CODE>join</CODE> stage, you define the query (wrapped in parenthesis) targeting another dataset. That query is given a name (execution name), which in this example I simply called <CODE>endpoints</CODE>. You can then refer to fields within the secondary query using dot-notation (<CODE>endpoints.endpoint_id</CODE> is referring to the <CODE>endpoint_id</CODE> field within the query defined in the <CODE>join</CODE> stage).</P> <P>&nbsp;</P> <P>The expression at the end of the line explains how the join is performed, in this case we are joining when there is an exact match of the <CODE>endpoint_id</CODE> field from the parent query with the <CODE>endpoint_id</CODE> field in the endpoints dataset.</P> <P>&nbsp;</P> <P>I hope this helps!</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tim</P> Wed, 19 Apr 2023 16:27:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539400#M4194 timurphy 2023-04-19T16:27:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539499#M4200 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231174">@timurphy</a>&nbsp;Thanks a lot that worked well. I went with a similar approach and realised the issue I had was in the join to keep the original field names when I should have aliased them as 'As'.&nbsp;</P> <P>Thanks</P> Thu, 20 Apr 2023 08:35:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-using-host-inventory-dataset-and-joining-endpoint-ds-for/m-p/539499#M4200 michaelsysec242 2023-04-20T08:35:47Z