Solved

Data table event enrichment (inner vs left vs outer)

  • February 3, 2026
  • 5 replies
  • 159 views

komajaro

Hello,

Is there a way to influence the type of join operation when using data tables?

Previously, when working with Splunk there was an option to pick one of 3 choices: inner, outer or left.

When working with data tables in SecOps I see that it behaves like an inner join, which effectively filters results, which is something I want to avoid.

Example:

  • when a data table contains account A and events contain account A enrichment works as expected.
  • when a data table contains account B and events contain account A enrichment does not work and events are filtered out (but I want to see them despite ‘unsuccessful’ enrichment).


5 replies

jstoner
Community Manager
  • Community Manager
  • February 3, 2026

There is on-going work on joins with data tables occurring and this question is timely but potentially a little early. I tested this on my internal tenant and was able to get a result but I don’t believe it has been pushed out fully. That said, we can (shortly) do a left join between the events and a data table and the search syntax would look something like this:


$e.metadata.event_type = "USER_LOGIN"
$e.target.user.userid = $user
left join $e.target.user.userid = %adhoc_users.userid
match:
$user
outcome:
$company = array_distinct(%adhoc_users.organization)
$state = array_distinct(%adhoc_users.state)
$probationary = array_distinct(%adhoc_users.probationary)

This would give you all the user login events and then show the org, state and probationary status of the users that exist in both the event and data table but still provide the users in the events even if they are not in the data table.

Again, this may not be in your tenant yet but should be getting there soon.
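
Added example, not part of the reply above and not Google SecOps code: a Python model of the inner versus left join behaviour discussed in this thread, run over constructed login events and a constructed `adhoc_users` table. It assumes an unmatched user in a left join yields empty outcome lists; the `logins` count and the names `enrich_logins` and `unenriched_users` are hypothetical and introduced here.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): logins by two users who are
# in the data table, one login by a user who is not, and one non-login event.
EVENTS = [
    {"event_type": "USER_LOGIN", "userid": "alice"},
    {"event_type": "USER_LOGIN", "userid": "bob"},
    {"event_type": "USER_LOGIN", "userid": "alice"},
    {"event_type": "USER_LOGIN", "userid": "carol"},
    {"event_type": "FILE_OPEN", "userid": "alice"},
]
ADHOC_USERS = [
    {"userid": "alice", "organization": "Acme", "state": "CA", "probationary": "false"},
    {"userid": "bob", "organization": "Acme", "state": "NY", "probationary": "true"},
]
FIELDS = ("organization", "state", "probationary")


def enrich_logins(events, table, how="inner"):
    """Group USER_LOGIN events by userid; attach distinct table values.
    "inner" drops users absent from the table; "left" keeps them (empty lists)."""
    if how not in ("inner", "left"):
        raise ValueError("how must be 'inner' or 'left'")
    rows_by_user = defaultdict(list)
    for row in table:
        rows_by_user[row["userid"]].append(row)

    result = {}
    for ev in events:
        if ev["event_type"] != "USER_LOGIN":
            continue
        user = ev["userid"]
        matches = rows_by_user.get(user, [])
        if not matches and how == "inner":
            continue  # the filtering behaviour the question describes
        out = result.setdefault(user, {"logins": 0, **{f: [] for f in FIELDS}})
        out["logins"] += 1  # assumption: a count added here, not in the query
        for row in matches:
            for f in FIELDS:
                if row[f] not in out[f]:  # array_distinct-style de-duplication
                    out[f].append(row[f])
    return result


def unenriched_users(events, table):
    """Users that only a left join surfaces: logins with no table entry."""
    left = enrich_logins(events, table, "left")
    return sorted(u for u, o in left.items() if not o["organization"])
```

With an inner join the login by `carol` never reaches the result, so an account missing from the data table is invisible to anyone reviewing the enriched output; the left join keeps it and makes the gap itself reportable.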


komajaro
  • Author
  • New Member
  • February 4, 2026

Hey John,

Thanks a lot for the explanation and a follow-up question:
- How can I track this functionality?
- Should I just read the release notes or is there a way to verify this from within our Google SecOps instance?


jstoner
Community Manager
  • Community Manager
  • Answer
  • February 4, 2026

The release notes (https://docs.cloud.google.com/chronicle/docs/secops/release-notes) are the best place for this as they should be rolled out there. I see the initial join release in September but not the subsequent one. I am doing a little research to see if there is an update on this. Your account or partner team may also be able to assist with this for some additional details. 


komajaro
  • Author
  • New Member
  • February 11, 2026

As I haven’t received a response from our partner team, I wanted to check whether you were able to obtain any information about that functionality?


jstoner
Community Manager
  • Community Manager
  • February 20, 2026

Just closing the loop on this but the release notes appeared a few days ago https://docs.cloud.google.com/chronicle/docs/secops/release-notes#February_12_2026