https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565872#M5549 <P>So how to add the user field from xdr_data into my query?&nbsp; Thanks for your help</P> <P>config case_sensitive = false <BR />| dataset in (host_inventory, xdr_data)<BR />| fields host_name, applications<BR />| arrayexpand applications | alter readable_application_name = json_extract(applications, "$.application_name")<BR />| fields readable_application_name, host_name</P> Wed, 15 Nov 2023 17:56:17 GMT RiveraMarco 2023-11-15T17:56:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565870#M5547 <P>Hi,</P> <P>I hope you can shed some light.&nbsp; I am attempting to run a query to find out what system is running what applications including the username.</P> <P>I have this query which gives me what I need except the "user" which is a field in another dataset xdr_data.&nbsp; How can add this new dataset to get the "user" field?&nbsp; Thank you</P> <P>config case_sensitive = false <BR />| dataset = host_inventory <BR />| fields host_name, applications<BR />| arrayexpand applications | alter readable_application_name = json_extract(applications, "$.application_name")<BR />| fields readable_application_name, host_name</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Nov 2023 17:43:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565870#M5547 RiveraMarco 2023-11-15T17:43:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565871#M5548 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221132">@RiveraMarco</a>&nbsp;, thanks for reaching us using the Live Community.</P> <P>You can call two datasets using the "in" operator.</P> <P>Example:</P> <P>&nbsp;</P> <P>dataset in (xdr_data, panw_ngfw_traffic_raw )</P> <P>&nbsp;</P> Wed, 15 Nov 2023 17:47:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565871#M5548 jmazzeo 2023-11-15T17:47:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565872#M5549 <P>So how to add the user field from xdr_data into my query?&nbsp; Thanks for your help</P> <P>config case_sensitive = false <BR />| dataset in (host_inventory, xdr_data)<BR />| fields host_name, applications<BR />| arrayexpand applications | alter readable_application_name = json_extract(applications, "$.application_name")<BR />| fields readable_application_name, host_name</P> Wed, 15 Nov 2023 17:56:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565872#M5549 RiveraMarco 2023-11-15T17:56:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565873#M5550 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;</P> <P>So how to add the user field from xdr_data into my query?&nbsp; Thanks for your help</P> <P>config case_sensitive = false<BR />| dataset in (host_inventory, xdr_data)<BR />| fields host_name, applications<BR />| arrayexpand applications | alter readable_application_name = json_extract(applications, "$.application_name")<BR />| fields readable_application_name, host_name</P> Wed, 15 Nov 2023 17:59:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565873#M5550 RiveraMarco 2023-11-15T17:59:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565968#M5557 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221132">@RiveraMarco</a>&nbsp;</P> <P>&nbsp;</P> <P>You may try this and edit this query based on your requirements:<BR /><BR />config case_sensitive = false<BR />| dataset = host_inventory <BR />| fields host_name, applications<BR />| arrayexpand applications <BR />| alter readable_application_name = json_extract(applications, "$.application_name")<BR />| alter app_name = trim (readable_application_name ,"\"")<BR />| fields app_name <BR />| join type = inner (dataset= xdr_data | fields actor_process_image_name , os_actor_process_image_name , action_file_name , actor_primary_username , causality_actor_process_image_name ) as aip aip.actor_process_image_name contains app_name <BR />| filter (actor_primary_username != """NT AUTHORITY\\SYSTEM""") <BR />| dedup app_name , actor_primary_username , actor_process_image_name <BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PiyushKohli_0-1700132520171.png" style="width: 404px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55229iB3E81ED4A2BA17D0/image-dimensions/404x103/is-moderation-mode/true?v=v2" width="404" height="103" role="button" title="PiyushKohli_0-1700132520171.png" alt="PiyushKohli_0-1700132520171.png" /></span></P> <P>&nbsp;</P> <P>Feel free to write back if you have further query.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Thu, 16 Nov 2023 11:02:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/565968#M5557 PiyushKohli 2023-11-16T11:02:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/566022#M5559 <P>Thank you!</P> Thu, 16 Nov 2023 16:54:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-two-datasets-in-a-query/m-p/566022#M5559 RiveraMarco 2023-11-16T16:54:42Z