concat - Learn more about the Cortex Query Language concat() function joins multiple strings into a single string. - Administrator Guide - Cortex XDR - Cortex

concat - Learn more about the Cortex Query Language concat() function joins multiple strings into a single string. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-12-24

Syntax

concat (<string1>, <string2>, ...)

Description

The concat() function joins multiple strings into a single string. When using the concat() function with multiple fields and any of the fields have a null/empty value, the function returns empty.

Example

Display the first non-NULL action_boot_time field value. In a second column called abt_string, use the concat() function to prepend "str: " to the value, and then display it.

dataset = xdr_data 
| fields action_boot_time as abt 
| filter abt != null 
| alter abt_string = concat("str: ", to_string(abt)) 
| limit 1