Skip to main content
Sumo Logic

concat

The Concat operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field. It concatenates strings end-to-end and joins them into a new string that you define. For example, to concatenate the words "foot" and "ball" would give you "football". You can also use punctuation and spaces in quotes to concatenate strings in a readable way.

In another example, let’s say a log message has a table with the elements of a mailing address, but separated into different fields such as Street_Number, City, State, and Zip_Code. You can use the concatenate operate to assemble the fields into an a new field called Mailing_Address for a customer.

In another example, if you had a log message of an incident with four fields, such as Signature_Name, Vendor_Signature, Incident Detail_URL, and Analyst_Assessment that you wanted to combine into a single field (a single string) called Event_Detail, the concatenate operator would also allow you to do this.

Syntax:

  • concat(field1, field2) as [fieldname]

Rules:

  • You must define a name for the new [fieldname] to concatenate the named fields. There is no default.
  • You can use punctuation and spaces in quotes to concatenat strings in a readable way.
  • A null field is treated as empty string.
  • The operator allows 2 to 16 inputs. To use more than 16 inputs, you can combine operators. See example.
  • AND and OR are not supported.

Examples

Concatenate fields with and without punctuation.

Let's say you had the following fields: field1 = time, field2 = 4, field3 = logs. Using this query:

concat (field1, field2, field3) as new_string

would return: new_string = time4logs

If you add punctuation and spaces in quotes, like this:

concat (field1, " ", field2, " ", field3) as new_string

you would get: new_string = time 4 logs

 

Concatenate fields to create an IP Address.

In this example, to create an IP address out of separate message log fields, concatenate four number fields with punctuation to complete a new field named ip_address.

... | concat(octet1, ".", octet2, ".",octet3, ".",octet4) as ip_address

 

Concatenate first and last names.

In this example, you could concatenate fields for a first and last name to create a new field called fullName.

... | concat(firstName, " ",lastName) as fullName

 

Formatting dates.

You can use the Concat operator to format dates, as shown:

... | concat (month,"/", day,"/",year) as date

 

Concatenate more than 16 inputs.

To use more than 16 inputs with the concat operator, you can combine operators, using one of the following formats:

  • concat(field1, field2, ...) as b | concat(b, field17, field18,...) as c | …
  • concat( concat(field1, field2, ...), field17, field18,...))

 

See Also:

For information on formatting strings, see Format operator.