concat Search Operator
The concat operator lets you concatenate (join) multiple strings, numbers, and fields into a single user-defined field. It joins the inputs end to end and stores the resulting string under the field name you define. For example, concatenating the words "foot" and "ball" gives "football". You can also include punctuation and spaces in quotes so that the concatenated string is readable.
In another example, a log message holds the elements of a mailing address in separate fields, such as Zip_Code. You can use the concat operator to assemble those fields into a new field called Mailing_Address for a customer.
In another example, if you had a log message for an incident with four fields, such as Incident Detail_URL, and Analyst_Assessment, that you wanted to combine into a single field (a single string) called Event_Detail, the concat operator would also let you do this.
concat(<field1>, <field2>[, <field3>, ...]) as <field>
- You must define a name for the new field to concatenate the named fields. There is no default.
- You can use punctuation and spaces in quotes to concatenate strings in a readable way.
- A null field is treated as an empty string.
- The operator allows 2 to 16 input fields. To use more than 16 inputs, you can combine operators. See the example under "Concatenate more than 16 inputs" below.
- AND and OR are not supported.
Concatenate fields with and without punctuation
If you had the following fields: field1 = time, field2 = 4, field3 = logs.
Using this query:
... | concat(field1, field2, field3) as new_string
new_string = time4logs
If you add punctuation and spaces in quotes, like this:
... | concat(field1, " ", field2, " ", field3) as new_string
new_string = time 4 logs
Concatenate fields to create an IP Address
In this example, to create an IP address out of separate log message fields, concatenate four number fields with punctuation to build a new field named ip_address:
... | concat(octet1, ".", octet2, ".", octet3, ".", octet4) as ip_address
Concatenate first and last names
In this example, you concatenate the fields for a first and last name to create a new field called fullName.
... | concat(firstName, " ", lastName) as fullName
You can also use the concat operator to format dates, as shown:
... | concat(month, "/", day, "/", year) as date
Concatenate more than 16 inputs
To use more than 16 inputs with the concat operator, you can combine operators, using one of the following formats:
... | concat(field1, field2, ...) as b
| concat(b, field17, field18,...) as c
... | concat(concat(field1, field2, ...), field17, field18,...) as concatenated_fields
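The following Python model is an added example, not code from the page or from the product it documents. It reproduces the behaviour the operator's rules describe (a null field becomes an empty string; 2 to 16 inputs per call; nesting to go beyond 16, as in the section above) and runs the IP-address and first/last-name queries over constructed sample records. The record layout, the field values, and the helper names (concat, concat_many, ip_address, full_name, is_dotted_quad, accepts) are all assumptions made for this example. One point the model makes visible: because a null octet is silently treated as an empty string, the ip_address built from such a record is malformed (192.168..7), so anything downstream that keys on ip_address should validate the assembled value first.

```python
import ipaddress
from typing import Optional

MAX_INPUTS = 16  # arity limit stated in the operator's rules


def concat(*parts: Optional[object]) -> str:
    """Model of the concat operator's semantics.

    - Accepts 2 to 16 inputs; anything else is rejected.
    - A None (null field) is treated as an empty string.
    - Numbers are joined in their text form (field2 = 4 -> "4").
    """
    if not 2 <= len(parts) <= MAX_INPUTS:
        raise ValueError(f"concat takes 2 to {MAX_INPUTS} inputs, got {len(parts)}")
    return "".join("" if p is None else str(p) for p in parts)


def concat_many(*parts: Optional[object]) -> str:
    """More than 16 inputs: nest concat calls, as the page's nested form does.

    Equivalent to: concat(concat(field1 .. field16), field17, ...) as concatenated_fields
    """
    if len(parts) <= MAX_INPUTS:
        return concat(*parts)
    head = concat(*parts[:MAX_INPUTS])          # first 16 inputs -> one string
    return concat_many(head, *parts[MAX_INPUTS:])  # feed it back in with the rest


def accepts(n: int) -> bool:
    """True if concat accepts n inputs; used to show the 2..16 limit."""
    try:
        concat(*["x"] * n)
        return True
    except ValueError:
        return False


# Constructed sample log records (not from the page). None models a null field.
RECORDS = [
    {"octet1": 10, "octet2": 0, "octet3": 0, "octet4": 1,
     "firstName": "Ada", "lastName": "Lovelace"},
    {"octet1": 192, "octet2": 168, "octet3": None, "octet4": 7,
     "firstName": "Grace", "lastName": None},
]


def ip_address(rec: dict) -> str:
    """... | concat(octet1, ".", octet2, ".", octet3, ".", octet4) as ip_address"""
    return concat(rec["octet1"], ".", rec["octet2"], ".", rec["octet3"], ".", rec["octet4"])


def full_name(rec: dict) -> str:
    """... | concat(firstName, " ", lastName) as fullName"""
    return concat(rec["firstName"], " ", rec["lastName"])


def is_dotted_quad(value: str) -> bool:
    """Validate an assembled ip_address before using it as a key or indicator.

    A null octet becomes "", so concat yields strings like "192.168..7";
    the standard library's parser rejects those.
    """
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(concat("time", 4, "logs"))             # time4logs
    print(concat("time", " ", 4, " ", "logs"))   # time 4 logs
    for rec in RECORDS:
        ip = ip_address(rec)
        print(f"{full_name(rec)!r:>20}  ip_address={ip!r}  valid={is_dotted_quad(ip)}")
    print(concat_many(*[str(i) for i in range(20)]))  # 20 inputs via nesting
```

Running the script prints the two punctuation examples from the page, then one line per record; the second record shows the malformed address produced from a null octet and the validation check flagging it.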
For information on formatting strings, see the