Search Field Concatenation

Search field concatenation allows you to search using the concatenation of fields. This is useful for:

  • Creating on-the-fly unique ids without reediting a type
  • Creating new fields based off discovered fields

The concatenation syntax has the following format:

| fieldA.count(fieldB+fieldC, )

Here's an example search that counts the number of download services across multiple websites:

| service+site.count() service.equal(download-svc)

The next example tells us the number of unique clients accessing different web services:

| clientIp.countUnique(service+site)

A clientIp that accesses the same service A but on different sites receives a different count in this example. The new syntax is useful since it avoids reediting a datatype to achieve the same effect.
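To make the difference between counting on a single field and counting on a concatenated field concrete, here is an added Python illustration of the two searches above, run over a handful of constructed records. It is not code from the product or from this page; the record shape (`clientIp`, `service`, `site`), the `+` join separator and the helper names are assumptions chosen to mirror the page's syntax.

```python
"""Illustrate search-field concatenation semantics over constructed records.

Models two searches from the page:
  | service+site.count() service.equal(download-svc)
  | clientIp.countUnique(service+site)
"""
from collections import defaultdict

# Constructed sample records (hypothetical, not from the original page).
RECORDS = [
    {"clientIp": "10.0.0.1", "service": "download-svc", "site": "eu"},
    {"clientIp": "10.0.0.1", "service": "download-svc", "site": "us"},
    {"clientIp": "10.0.0.1", "service": "login-svc",    "site": "eu"},
    {"clientIp": "10.0.0.2", "service": "download-svc", "site": "eu"},
    {"clientIp": "10.0.0.2", "service": "download-svc", "site": "eu"},
    {"clientIp": "10.0.0.3", "service": "login-svc",    "site": "us"},
]


def concat_key(record, fields, sep="+"):
    """Build the on-the-fly concatenated field, e.g. 'download-svc+eu'.

    The separator is an assumption; it is kept explicit so that values
    such as 'ab'+'c' and 'a'+'bc' cannot collide into the same key.
    """
    return sep.join(str(record[f]) for f in fields)


def count_by(records, group_fields, where=None):
    """Analogue of `fieldA+fieldB.count() <filter>`: count records per
    concatenated key, after applying an optional filter predicate."""
    counts = defaultdict(int)
    for r in records:
        if where is not None and not where(r):
            continue
        counts[concat_key(r, group_fields)] += 1
    return dict(counts)


def count_unique_by(records, key_field, unique_fields):
    """Analogue of `key.countUnique(fieldA+fieldB)`: for each value of
    key_field, count the distinct concatenated values seen."""
    seen = defaultdict(set)
    for r in records:
        seen[r[key_field]].add(concat_key(r, unique_fields))
    return {k: len(v) for k, v in seen.items()}


def download_services_per_site():
    # | service+site.count() service.equal(download-svc)
    return count_by(RECORDS, ["service", "site"],
                    where=lambda r: r["service"] == "download-svc")


def unique_service_sites_per_client():
    # | clientIp.countUnique(service+site)
    return count_unique_by(RECORDS, "clientIp", ["service", "site"])


def unique_services_per_client():
    # | clientIp.countUnique(service)  -- for contrast, no concatenation
    return count_unique_by(RECORDS, "clientIp", ["service"])


if __name__ == "__main__":
    print(download_services_per_site())
    print(unique_service_sites_per_client())
    print(unique_services_per_client())
```

Client 10.0.0.1 reaches `download-svc` on two sites, so `countUnique(service+site)` gives it 3 while `countUnique(service)` gives it 2; that gap is exactly what the concatenated field captures without editing the data type. Keeping an explicit separator in the synthesized key is the one detail worth carrying over to real searches: a bare concatenation can make two different field pairs collide into one "unique" id and silently undercount.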