Related Answers
Download topic as PDF
strcat
Description
Concatenates string values from 2 or more fields. Combines together string values and literals into a new field. A destination field name is specified at the end of the strcat command.
Syntax
strcat [allrequired=<bool>] <source-fields> <dest-field>
Required arguments
- <dest-field>
- Syntax: <string>
- Description: A destination field to save the concatenated string values in, as defined by the <source-fields> argument. The destination field is always at the end of the series of source fields.
- <source-fields>
- Syntax: (<field> | <quoted-str>)...
- Description: Specify the field names and literal string values that you want to concatenate. Literal values must be enclosed in quotation marks.
- quoted-str
- Syntax: "<string>"
- Description: Quoted string literals.
- Examples: "/" or ":"
Optional arguments
- allrequired
- Syntax: allrequired=<bool>
- Description: Specifies whether or not all source fields need to exist in each event before values are written to the destination field. If
allrequired=f, the destination field is always written and source fields that do not exist are treated as empty strings. Ifallrequired=t, the values are written to destination field only if all source fields exist. - Default: false
Usage
The strcat command is a distributable streaming command. See Command types.
Examples
Example 1:
Add a field called comboIP, which combines the source and destination IP addresses. Separate the addresses with a forward slash character.
... | strcat sourceIP "/" destIP comboIP
Example 2:
Add a field called comboIP, which combines the source and destination IP addresses. Separate the addresses with a forward slash character. Create a chart of the number of occurrences of the field values.
host="mailserver" | strcat sourceIP "/" destIP comboIP | chart count by comboIP
Example 3:
Add a field called address, which combines the host and port values into the format <host>::<port>.
... | strcat host "::" port address
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the strcat command.
|
PREVIOUS stats |
NEXT streamstats |
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.10, 6.3.11, 6.3.12, 6.3.14, 4.3.1, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0, 6.3.2, 6.3.3, 6.3.4
Feedback submitted, thanks!