The strcat_delim function concatenates between 2 and 64 arguments with a specified delimiter between each argument. Use this function to build delimited strings like CSV rows, create formatted lists, or join fields with consistent separators.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically concatenate with repeated delimiters. APL's strcat_delim provides a more concise approach.
['sample-http-logs']
| extend combined = strcat_delim(',', field1, field2, field3)In ANSI SQL, you use CONCAT_WS (concat with separator) for delimited concatenation. APL's strcat_delim provides similar functionality.
['sample-http-logs']
| extend combined = strcat_delim(',', field1, field2, field3)Usage
Syntax
strcat_delim(delimiter, arg1, arg2, ..., argN)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| delimiter | string | Yes | The separator string to insert between arguments. |
| arg1, arg2, ..., argN | any | Yes | Between 2 and 64 expressions to concatenate. Non-string values are converted to strings. |
Returns
Returns all arguments concatenated with the delimiter between each argument.
Use case examples
Create CSV-formatted log records for export or integration with external systems.
Query
['sample-http-logs']
| extend csv_record = strcat_delim(',', method, status, uri, req_duration_ms, ['geo.country'])
| project _time, csv_record
| limit 10Output
| _time | csv_record |
|---|---|
| 2024-11-06T10:00:00Z | GET,200,/api/users,145,United States |
| 2024-11-06T10:01:00Z | POST,201,/api/orders,234,United Kingdom |
This query formats log fields as CSV records with comma delimiters, making them ready for export to spreadsheet applications or data warehouses.
Build pipe-delimited trace summaries for log aggregation systems.
Query
['otel-demo-traces']
| extend trace_summary = strcat_delim(' | ', ['service.name'], kind, tostring(duration), trace_id)
| project _time, trace_summary
| limit 10Output
| _time | trace_summary |
|---|---|
| 2024-11-06T10:00:00Z | frontend | server | 125ms | abc123 |
| 2024-11-06T10:01:00Z | checkout | client | 234ms | def456 |
This query creates pipe-delimited trace summaries that are easy to read and parse, combining service, kind, duration, and trace ID.
Format security alerts with structured field separators for SIEM integration.
Query
['sample-http-logs']
| extend alert = strcat_delim(' :: ', 'SECURITY_EVENT', status, method, uri, id, ['geo.country'])
| project _time, alert
| limit 10Output
| _time | alert |
|---|---|
| 2024-11-06T10:00:00Z | SECURITY_EVENT :: 403 :: GET :: /admin :: user123 :: United States |
| 2024-11-06T10:01:00Z | SECURITY_EVENT :: 401 :: POST :: /api :: user456 :: Unknown |
This query creates structured security alerts with double-colon delimiters, making them easy to parse in SIEM systems while remaining human-readable.
List of related functions
- strcat: Concatenates strings without delimiters. Use this when you want direct concatenation or need custom separators for each position.
- split: Splits strings by delimiters. Use this to reverse strcat_delim operations and extract individual fields.
- parse_csv: Parses CSV strings. Use this to parse the output of strcat_delim with comma delimiters.
- format_url: Formats URLs from components. Use this specifically for URL construction rather than general delimited concatenation.