Skip to main content

concat Search Operator

The concat operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field. It concatenates strings end-to-end and joins them into a new string that you define. For example, to concatenate the words "foot" and "ball" would give you "football". You can also use punctuation and spaces in quotes to concatenate strings in a readable way.

In another example, a log message has a table with the elements of a mailing address, but separated into different fields such as Street_Number, City, State, and Zip_Code. You can use the concatenate operate to assemble the fields into a new field called Mailing_Address for a customer.

In another example, if you had a log message of an incident with four fields, such as Signature_Name, Vendor_Signature, Incident Detail_URL, and Analyst_Assessment that you wanted to combine into a single field (a single string) called Event_Detail, the concatenate operator would also allow you to do this.

Syntax

concat(<field1>, <field2>[, <field3>, ...]) as <field>

Rules

  • You must define a name for the new field to concatenate the named fields. There is no default.
  • You can use punctuation and spaces in quotes to concatenate strings in a readable way.
  • A null field is treated as an empty string.
  • The operator allows 2 to 16 input fields. To use more than 16 inputs, you can combine operators. See example.
  • AND and OR are not supported.

Examples

Concatenate fields with and without punctuation

If you had the following fields: field1 = time, field2 = 4, field3 = logs.

Using this query:

... | concat(field1, field2, field3) as new_string

would return: new_string = time4logs

If you add punctuation and spaces in quotes, like this:

... | concat(field1, " ", field2, " ", field3) as new_string

you'd get: new_string = time 4 logs

Concatenate fields to create an IP Address

In this example, to create an IP address out of separate message log fields, concatenate four number fields with punctuation to complete a new field named ip_address.

... | concat(octet1, ".", octet2, ".", octet3, ".", octet4) as ip_address

Concatenate first and last names

In this example, you'd concatenate fields for a first and last name to create a new field called fullName.

... | concat(firstName, " ", lastName) as fullName

Formatting dates

You can use the Concat operator to format dates, as shown:

... | concat(month, "/", day, "/", year) as date

Concatenate more than 16 inputs

To use more than 16 inputs with the concat operator, you can combine operators, using one of the following formats:

... | concat(field1, field2, ...) as b
| concat(b, field17, field18,...) as c
| ...
... | concat(concat(field1, field2, ...), field17, field18,...) as concatenated_fields

Formatting strings

For information on formatting strings, see the format operator.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.