https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/565026#M5524 <P>I am trying to combine the results from two queries, one using dataset=xdr_data and one from preset=xdr_file. But, I only want to see the results when the same "agent_hostname" appears in both queries. In other words IF agent_hostname from filtered xdr_data = agent_hostname from filtered preset, show me all the results with those agent_hostnames from each query.&nbsp;<BR /><BR />How would I go about staging this?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 09 Nov 2023 18:13:26 GMT balazshajdu 2023-11-09T18:13:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/565026#M5524 <P>I am trying to combine the results from two queries, one using dataset=xdr_data and one from preset=xdr_file. But, I only want to see the results when the same "agent_hostname" appears in both queries. In other words IF agent_hostname from filtered xdr_data = agent_hostname from filtered preset, show me all the results with those agent_hostnames from each query.&nbsp;<BR /><BR />How would I go about staging this?</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 09 Nov 2023 18:13:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/565026#M5524 balazshajdu 2023-11-09T18:13:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/565030#M5525 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271778">@balazshajdu</a>&nbsp;<BR /><BR />You can use the Join stage to do so. The join() stage combines the results of two queries into a single result set.&nbsp; The default type is inner,&nbsp;</P> <P>inner: Returns all the records in common between the queries that are being joined. This is the default join type.</P> <P><BR />However, not sure if your example is just for demo or it is your actual use case, the reason is that agent_hostname filed is the same in both sources you have in reference, this is because&nbsp;preset = xdr_file is part of the bigger dataset&nbsp;dataset = xdr_data , so i recommend doing the matching on fields other than the hostname, but nonetheless, whatever field you choose you can use the syntax below and changes it accordingly to fit your use case<BR /><BR />dataset = xdr_data<BR />// here add your filters/ stages, the next step is to do the Join as below<BR /><BR />| join type = inner ( preset = xdr_file ) as presetjoin presetjoin.agent_hostname = agent_hostname <BR />| fields agent_hostname , * // here define the fields you want to show in your result table<BR /><BR />Hope that helps and shed some light, please let me know if any and if that answers your question, feel free to mark this as accepted solution so others can benefit from.<BR /><BR />Best,<BR />Zee</P> Thu, 09 Nov 2023 19:30:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/565030#M5525 zarnous 2023-11-09T19:30:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/1220212#M7875 <P>how do you show what IS NOT in common? I cant figure this part out</P> Wed, 12 Feb 2025 19:18:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/show-results-only-with-matching-fields-from-two-different/m-p/1220212#M7875 D.Demarest 2025-02-12T19:18:26Z