Concatenates the values of a list of fields into a single value in a new field.

ParameterTypeRequiredDefault ValueDescription
asstringoptional[a]_concat The output name of the field to set.
field[b]Array of stringsrequired  Fields to concatenate.

[a] Optional parameters use their default value unless explicitly set.

[b] The argument name field can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

For example:

logscale
concat([aidValue, cidValue], as=checkMe2)

The function is not capable of combining arbitrary strings, or concatenating strings and fields together. The following will not work:

logscale
concat([field1,"/",field2], as=combined)

Instead, you can use the format() function:

logscale
format("%s/%s",field=[field1,field2],as=combined)

concat() Examples

Concatenate Fields and Strings Together

Query
logscale
format("%s/%s",field=[dirname,filename],as=pathname)
Introduction

The concat() is not able to concatenate fields and strings together. For example to create a pathname based on the directory and filename it is not possible to do:

logscale
concat([dirname,"/",filename],as=pathname)

This will raise an error. Instead, we can use format().

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    format("%s/%s",field=[dirname,filename],as=pathname)

    Formats a value separating the two by a forward slash, creating the field pathname

  3. Event Result set.

Summary and Results

The format() function provides a flexible method of formatting data, including encapsulating or combining strings and fields together.

Concatenate Multiple Values From Nested Array Elements - Example 1

Query
logscale
objectArray:eval("foo[]", var=x, function={_mapped := concat([x.key.value, "x.key.others[0]", "x.key.others[1]"])}, asArray="_mapped[]")
Introduction

The objectArray:eval() function is a structured array query function that follows normal array syntax. The array syntax is similar to the one used by JSON, where [ and ] are used for indexing and . for selecting members in objects. For more information, see Array Syntax. The objectArray:eval() function operates on arrays of objects using a function that supports a special pattern to access sub-selections of array entries.

The special pattern that allows the function to operate on arrays of objects, and arrays of arrays, and other arrays of structured data is: "in" (the input array) followed by:

.subselection

or

[number]

or any combination of the above. For example:

in.key, 
in.others[0].foo
in[0][1]

Semantically, given the input array in, an array index i, and an access in.subselection this will be translated to the field name in[i].subselection. Similarly, in[2] is translated to in[i][2].

The objectArray:eval() function can be combined with other array functions (or itself), in order to support processing nested arrays. When used with nested arrays, multiple values can be accessed and processed.

In this example, the objectArray:eval() function is used with the concat() function to concatenate multiple deeply nested arrays of objects values in the array foo[] and return the concatenated values in the output field _mapped[]

Example incoming data might look like this:

JSON
"foo[0].key.value": y
"foo[0].key.others[0]": 1
"foo[0].key.others[1]": 2
"foo[1].nothing": 355
Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    objectArray:eval("foo[]", var=x, function={_mapped := concat([x.key.value, "x.key.others[0]", "x.key.others[1]"])}, asArray="_mapped[]")

    Notice that a var parameter can be used to give a different name to the input array variable inside the function argument. This is particularly useful whenever the input array name is very long.

  3. Event Result set.

Summary and Results

The query is used to concatenate multiple deeply nested arrays of objects values.

Sample output from the incoming example data:

_mapped[0]: y12
"foo[0].key.value": y
"foo[0].key.others[0]": 1
"foo[0].key.others[1]": 2

Concatenate Values From Nested Array Elements - Example 2

Query
logscale
objectArray:eval("in[]", asArray="out[]", function={out := concat(["in.a", "in.b.c", "in.others[1].d"])})
Introduction

The objectArray:eval()function is a structured array query function that follows normal array syntax. The array syntax is similar to the one used by JSON, where [ and ] are used for indexing and . for selecting members in objects. For more information, see Array Syntax. The objectArray:eval() function operates on arrays of objects using a function that supports a special pattern to access sub-selections of array entries.

The special pattern that allows the function to operate on arrays of objects, and arrays of arrays, and other arrays of structured data is: "in" (the input array) followed by:

.subselection

or

[number]

or any combination of the above. For example:

in.key, 
in.others[0].foo
in[0][1]

Semantically, given the input array in, an array index i, and an access in.subselection this will be translated to the field name in[i].subselection. Similarly, in[2] is translated to in[i][2].

The objectArray:eval() function can be combined with other array functions (or itself), in order to support processing nested arrays. When used with nested arrays, multiple values can be accessed and processed.

In this example, the objectArray:eval() function is used with the concat() function to concatenate deeply nested arrays of objects values in the array in[] and return the concatenated values in the output field out[].

Example incoming data might look like this:

JSON
in[0].a: 1
in[0].b.c: 2
in[0].others[0].d: 3
in[0].others[1].d: 4
Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    objectArray:eval("in[]", asArray="out[]", function={out := concat(["in.a", "in.b.c", "in.others[1].d"])})

    Iterates over the array from start to end (or to the first empty index in the array), applies the given function, and returns the concatenated results in a new output array name field out[].

  3. Event Result set.

Summary and Results

The query is used to concatenate deeply nested arrays of objects.

Sample output from the incoming example data:

out[0]: 124

Concatenate Values From Two Nested Array Elements

Query
logscale
objectArray:eval("arr[]", var=x, function={_mapped := concat([x.a, x.b])}, asArray="_mapped[]")
Introduction

The objectArray:eval() function is a structured array query function that follows normal array syntax. The array syntax is similar to the one used by JSON, where [ and ] are used for indexing and . for selecting members in objects. For more information, see Array Syntax. The objectArray:eval() function operates on arrays of objects. In this example, the objectArray:eval() function is used with the variable x to concatenate the values a and b from each array element. The concat() function is used to return the concatenated output into a new array.

Example incoming data might look like this:

JSON
arr[0]: machine
arr[0].a: a0
arr[0].b: b0
arr[1].a: a1
arr[1].b: b1
arr[1].c: c1
arr[2].a: a2
arr[4].b: b2
other: abc

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    objectArray:eval("arr[]", var=x, function={_mapped := concat([x.a, x.b])}, asArray="_mapped[]")

    Concatenates the values a and b from each array element and returns the results in a new array named _mapped. In this example, objectArray:eval() iterates over each element of the array and assigns each element to the variable x which is then used as an alias. The new field _mapped is created by concatenating the value using the alias x to extract each object value from each element of the array. Notice that the output in this example is a flat array.

    For example, this array element:

    Raw Events
    arr[0].a: a0
    arr[0].b: b0

    is translated to:

    _mapped[0]: a0b0
  3. Event Result set.

Summary and Results

The query is used to concatenate values of two array elements.

Sample output from the incoming example data, the original values have not been removed:

_mapped[0]: a0b0
_mapped[1]: a1b1
_mapped[2]: a2
_mapped[3]: b2

arr[0]: machine

arr[0].a: a0
arr[0].b: b0

arr[1].a: a1
arr[1].b: b1

arr[1].c: c1

arr[2].a: a2

arr[4].b: b2

other: abc