strcat
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
strcat
Synopsis
Concatenates string values.
Syntax
strcat [allrequired=bool] srcfields field
Arguments
- allrequired
- Syntax: allrequired=<bool>
- Description: Specifies whether or not all source fields need to exist in each event before values are written to the destination field. By default, allrequired=f, meaning that the destination field is always written and source fields that do not exist are treated as empty strings. If allrequired=t, the values are written to destination field only if all source fields exist.
- field
- Syntax: <string>
- Description: A destination field to save the concatenated string values defined by srcfields.
- srcfields
- Syntax: (<field>|<quoted-str>) (<field>|<quoted-str>) (<field>|<quoted-str> )*
- Description: Fields should either be key names or quoted literals.
- quoted-str
- Syntax: "<string>"
- Description: Quoted literals.
Description
Stitch together fields and/or strings to create a new field. Quoted tokens are assumed to be literals and the rest field names. The destination field name is always at the end.
Examples
Example 1: Add the field, comboIP, which combines the source and destination IP addresses and separates them with a front slash character.
... | strcat sourceIP "/" destIP comboIPExample 2: Add the field, comboIP, and then create a chart of the number of occurrences of the field values.
host="mailserver" | strcat sourceIP "/" destIP comboIP | chart count by comboIPExample 3: Add a field, address, which combines the host and port values into the format <host>::<port>.
... | strcat host "::" port addressSee also
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.