concat search command

This search command concatenates field values (or string values) and assigns the result to the target field that you specify. The string value can consist of a phrase containing non-alphanumeric characters (string literals) that you specify in double quotes ("), or a field name (source field) whose value must be used as the value of the target field. You can specify multiple fields separated by a space. You can also specify a combination of fields and phrases.

This topic contains the following information:

For a list of all search commands, see Search-commands.

Related topics

stats-search-command

Getting-started-with-search

Syntax

concat <Source-Fields+> <Target-Field>

In the preceding syntax, the following definitions apply:

  • + indicates one ore more similar expressions separated by a space.
  • <Source-Fields> refer to a list of fields or a combination of fields and phrases (enclosed in double quotes) to use for concatenating.
  • <target-Field> refers to the target field to which you want to assign the concatenated string of field values and specified phrases. This target field must always be defined after the list of source fields (or phrases).

Short examples

Example 1: Create a target field, email address, that combines the value of the field username, the string "@" and value of the field host.

... | concat username "@" host "email address"

Example 2: Create a target field, address, that combines the HOST and port field values and the string ":" in the format <HOST>:<port>.

... | concat HOST ":" port address


Example 3: Create a target field, message, that combines the string "Request of type," the value of the field RequestType, the string "from client," the value of the field Client Ip, the string "to server," and the value of the field HOST.

... | concat "Request of type" RequestType "from client" ClientIp "to server" HOST
message

Long example

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the concat command.

Sample data

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

Back to examples ↑

Sample indexed data

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

Back to examples ↑

concat that combines multiple field values and strings

In this example, you use the command to create a field, message, that combines the values of the following specified fields and strings.

Strings

Fields

  • Request of type
  • from client
  • to server
  • RequestType
  • ClientIp
  • HOST

See sample indexed data to understand how this command functions and to correlate the resulting output:

Command

... | concat "Request of type" RequestType "from client" ClientIp "to server" HOST
message

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

COLLECTOR_NAME=u4 |ResponseCode=200 |message=Request of type POST from client 10.1.1.141 to server local.bmc.com|HOST=local.bmc.com |ClientIp=10.1.1.141 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

COLLECTOR_NAME=u4 |ResponseCode=201 |message=Request of type PUT from client 10.1.1.141 to server local.bmc.com|HOST=local.bmc.com |ClientIp=10.1.1.141 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

COLLECTOR_NAME=u4 |ResponseCode=201 |message=Request of type GET from client 10.1.1.140 to server local.bmc.com|HOST=local.bmc.com |ClientIp=10.1.1.140 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

COLLECTOR_NAME=u4 |ResponseCode=404 |message=Request of type GET from client 10.1.1.140 to server local.bmc.com|HOST=local.bmc.com |ClientIp=10.1.1.140 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

Back to examples ↑

Notes

  • String literals containing non-aplhanumeric characters must be enclosed in double quotes (").
  • If you use fields that do not exist in the event data, such fields are substituted by an empty string.
  • You cannot use the default field names HOST, COLLECTOR_NAME, or DATA_PATTERN as the value of the target field.