The strcat function concatenates between 1 and 64 string arguments into a single string. Use this function to combine multiple fields, build composite identifiers, or construct formatted messages from log data.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you concatenate strings using the . operator or the concat function. APL's strcat provides similar functionality.
['sample-http-logs']
| extend combined = strcat(field1, '-', field2, '-', field3)
In ANSI SQL, you use CONCAT to join strings. APL's strcat provides the same functionality.
['sample-http-logs']
| extend combined = strcat(field1, '-', field2, '-', field3)
Usage
Syntax
strcat(arg1, arg2, ..., argN)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| arg1, arg2, ..., argN | any | Yes | Between 1 and 64 expressions to concatenate. Non-string values are converted to strings. |
Returns
Returns all arguments concatenated into a single string.
Use case examples
Build composite keys from multiple fields for unique request identification.
Query
['sample-http-logs']
| extend request_key = strcat(method, '-', status, '-', ['geo.country'])
| summarize request_count = count() by request_key
| sort by request_count desc
| limit 10
Output
| request_key | request_count |
|---|---|
| GET-200-United States | 3456 |
| POST-201-United States | 2341 |
| GET-404-Unknown | 1987 |
This query concatenates HTTP method, status, and country to create composite keys for analyzing request patterns by multiple dimensions.
Build formatted trace identifiers combining service and span information.
Query
['otel-demo-traces']
| extend trace_identifier = strcat(['service.name'], ':', kind, ':', trace_id)
| project _time, trace_identifier, duration
| limit 10
Output
| _time | trace_identifier | duration |
|---|---|---|
| 2024-11-06T10:00:00Z | frontend:server:abc123 | 125ms |
| 2024-11-06T10:01:00Z | checkout:client:def456 | 234ms |
This query creates formatted trace identifiers by concatenating service name, span kind, and trace ID, so each span can be referenced with a single string.
Build security event descriptions combining multiple threat indicators.
Query
['sample-http-logs']
| extend event_description = strcat('Failed ', method, ' request to ', uri, ' from ', id, ' (', ['geo.country'], ')')
| project _time, event_description, status
| limit 10
Output
| _time | event_description | status |
|---|---|---|
| 2024-11-06T10:00:00Z | Failed GET request to /admin from user123 (United States) | 403 |
| 2024-11-06T10:01:00Z | Failed POST request to /api from user456 (Unknown) | 401 |
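This query builds human-readable security event descriptions by concatenating multiple fields into a single alert message. As written, the query has no where clause on status, so the 'Failed' prefix is applied to every row it returns; filter on status first to limit the output to failed requests.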
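The composite keys and event descriptions above join fields with a literal separator, so when a field such as uri can itself contain that separator, two different rows can produce the same string. The following added example (not from the original page, and written in Python rather than APL) models strcat as documented here and shows the collision next to an escaping scheme that keeps keys distinct and reversible. The helper names, the backslash escape, the use of (uri, id) as a key, and the sample rows are assumptions constructed for illustration.

```python
# Added example: a Python model of strcat-style key building (not APL code).
ESC = "\\"

def strcat(*args):
    """Model of strcat as documented above: 1 to 64 args, non-strings converted."""
    if not 1 <= len(args) <= 64:
        raise ValueError("strcat takes between 1 and 64 arguments")
    return "".join(str(a) for a in args)

def naive_key(*fields, delim="-"):
    """strcat(f1, '-', f2, ...) laid out as in the queries above."""
    parts = []
    for field in fields:
        parts += [field, delim]
    return strcat(*parts[:-1])

def escape(value, delim="-"):
    """Escape the escape character first, then the delimiter."""
    text = str(value)
    return text.replace(ESC, ESC + ESC).replace(delim, ESC + delim)

def safe_key(*fields, delim="-"):
    """Same layout as naive_key, but each field is escaped first."""
    return naive_key(*(escape(f, delim) for f in fields), delim=delim)

def parse_key(key, delim="-"):
    """Split a safe_key back into its original fields."""
    fields, current, i = [], [], 0
    while i < len(key):
        if key[i] == ESC and i + 1 < len(key):
            current.append(key[i + 1])   # escaped character, keep literally
            i += 2
            continue
        if key[i] == delim:
            fields.append("".join(current))
            current = []
        else:
            current.append(key[i])
        i += 1
    fields.append("".join(current))
    return fields

# Constructed sample rows (uri, id); uri is a client-supplied value.
ROW_A = ("/reports-2024", "admin")
ROW_B = ("/reports", "2024-admin")

if __name__ == "__main__":
    print(naive_key(*ROW_A) == naive_key(*ROW_B))  # two rows, one naive key
    print(safe_key(*ROW_A), safe_key(*ROW_B))      # escaped keys stay distinct
```

Choosing a separator that cannot occur in any of the joined fields gives the same guarantee without escaping, but only if that assumption is enforced on ingest.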
List of related functions
- strcat_delim: Concatenates strings with a delimiter. Use this when you want consistent separators between all arguments.
- split: Splits strings into arrays. Use this to reverse concatenation operations.
- replace_string: Replaces parts of strings. Use this when you need to modify concatenated strings.
- format_url: Formats URL components. Use this specifically for URL construction rather than general concatenation.