Merge Query allows you to combine data from different data collections, which helps you perform advanced analysis based on different data sources.

Let’s take a look at a sample use case: identifying the device info of users triggering DLP alerts. DLP alert data lives in the Alerts data collection, but device info lives somewhere else, in the Devices data collection. Merge Query lets us combine data from these two collections in a single widget.

To get started, simply create a widget that lists users triggering DLP alerts. 

Once the widget is saved to the dashboard, select “Explore from here.” This will direct us to the “explore” mode of this widget.


On the top right corner, click the gear button and select “Merge results.” We will then be able to select a second data collection. Let’s select “Devices.”  

Next, let’s pick the data fields we need. Since we’re looking to combine DLP alert data with device info based on users, we select “User,” “Device ID,” and “Hostname” here. Don’t forget to click “Save” to save the configuration.


Now, we have successfully combined the data from the Alerts and Devices data collections. The merged results return the Device IDs and Hostnames of users triggering DLP alerts.

If you are familiar with SQL, Merge Query in Advanced Analytics is very similar to a SQL LEFT JOIN. In this sample use case, the query first finds the users triggering DLP alerts in the Alerts data collection. Then, for each of those users, it checks whether the same user appears in the Devices data collection; if so, the corresponding Device ID and Hostname are merged in based on the user identity. Because the merge behaves like a left join, a user who triggers DLP alerts but has no matching record in Devices is still kept in the results, with empty Device ID and Hostname values rather than being dropped, and a user with several device records will produce one merged row per record.
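To make the left-join analogy concrete, here is an added example, not part of the original post and not the Advanced Analytics tool's own code, that runs the equivalent SQL against constructed sample data in an in-memory SQLite database. The table and column names (alerts, devices, user_name, alert_type, device_id, hostname) are assumptions chosen to mirror the User, Device ID and Hostname fields picked in the walkthrough. It goes a little beyond the walkthrough by contrasting LEFT JOIN with INNER JOIN, so you can see which users survive each, and by including a user with two device records to show the row fan-out a merge produces.

```python
import sqlite3

# Constructed sample data (not from the page).
# One row per alert: (user_name, alert_type, timestamp)
ALERTS = [
    ("alice", "DLP", "2024-01-01T10:00:00Z"),
    ("alice", "DLP", "2024-01-01T11:00:00Z"),
    ("bob", "DLP", "2024-01-01T12:00:00Z"),
    ("carol", "Malware", "2024-01-01T13:00:00Z"),  # not a DLP alert, filtered out
    ("dave", "DLP", "2024-01-01T14:00:00Z"),       # has no record in devices
]

# One row per device: (user_name, device_id, hostname)
DEVICES = [
    ("alice", "dev-001", "alice-laptop"),
    ("alice", "dev-004", "alice-desktop"),  # second device -> two merged rows
    ("bob", "dev-002", "bob-laptop"),
    ("erin", "dev-003", "erin-laptop"),     # never triggered an alert, never appears
]


def build_db():
    """Create the two 'data collections' as tables in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE alerts(user_name TEXT, alert_type TEXT, ts TEXT);
        CREATE TABLE devices(user_name TEXT, device_id TEXT, hostname TEXT);
        """
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEVICES)
    return conn


def merged_rows(join="LEFT"):
    """Return (user_name, dlp_alert_count, device_id, hostname) rows.

    The first step (the widget) lists users triggering DLP alerts; the second
    step (Merge results) joins the Devices collection on the user identity.
    join="LEFT" keeps users with no device record (device fields are None);
    join="INNER" silently drops them.
    """
    if join not in ("LEFT", "INNER"):
        raise ValueError("join must be 'LEFT' or 'INNER'")
    query = f"""
        WITH dlp_users AS (
            SELECT user_name, COUNT(*) AS dlp_alerts
            FROM alerts
            WHERE alert_type = 'DLP'
            GROUP BY user_name
        )
        SELECT u.user_name, u.dlp_alerts, d.device_id, d.hostname
        FROM dlp_users AS u
        {join} JOIN devices AS d ON d.user_name = u.user_name
        ORDER BY u.user_name, d.device_id
    """
    conn = build_db()
    try:
        return conn.execute(query).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for kind in ("LEFT", "INNER"):
        print(f"--- {kind} JOIN ---")
        for row in merged_rows(kind):
            print(row)
```

Two things to watch when reading a merged result: a user with no matching device record shows up with empty device fields (dave above), which is exactly what you want when the question is "which alerting users have no managed device?", and a user with several matching records appears once per record (alice above), so counting rows in the merged result no longer counts users or alerts.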

For more details about Merge Query, watch this video.
