array_concat
This page explains how to use the array_concat function in APL.
The array_concat function in APL (Axiom Processing Language) concatenates two or more arrays into a single array. Use this function when you need to merge multiple arrays into a single array structure. It’s particularly useful for situations where you need to handle and combine collections of elements across different fields or sources, such as log entries, OpenTelemetry trace data, or security logs.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In SPL, you typically use the mvappend function to concatenate multiple fields or arrays into a single array. In APL, the equivalent is array_concat, which also combines arrays but requires you to specify each array as a parameter.
ANSI SQL users
ANSI SQL users
ANSI SQL doesn’t natively support an array concatenation function across different arrays. Instead, you typically use UNION to combine results from multiple arrays or collections. In APL, array_concat allows you to directly concatenate multiple arrays, providing a more straightforward approach.
Usage
Syntax
Parameters
array1: The first array to concatenate.array2: The second array to concatenate....: Additional arrays to concatenate.
Returns
An array containing all elements from the input arrays in the order they are provided.
Use case examples
In log analysis, you can use array_concat to merge collections of user requests into a single array to analyze request patterns across different endpoints.
Query
Output
| _time | uri | method | combined_requests |
|---|---|---|---|
| 2024-10-28T12:30:00 | /api/v1/textdata/cnfigs | POST | [“/api/v1/textdata/cnfigs”, “POST”] |
This example concatenates the uri and method values into a single array for each log entry, allowing for combined analysis of access patterns and request methods in log data.
In log analysis, you can use array_concat to merge collections of user requests into a single array to analyze request patterns across different endpoints.
Query
Output
| _time | uri | method | combined_requests |
|---|---|---|---|
| 2024-10-28T12:30:00 | /api/v1/textdata/cnfigs | POST | [“/api/v1/textdata/cnfigs”, “POST”] |
This example concatenates the uri and method values into a single array for each log entry, allowing for combined analysis of access patterns and request methods in log data.
In OpenTelemetry traces, use array_concat to join span IDs and trace IDs for a comprehensive view of trace behavior across services.
Query
Output
| combined_ids |
|---|
| [“span1”, “trace1”, “span2”, …] |
| _time | trace_id | span_id | combined_ids |
|---|---|---|---|
| 2024-10-28T12:30:00 | trace_abc123 | span_001 | [“trace_abc123”, “span_001”] |
This example creates an array containing both span_id and trace_id values, offering a unified view of the trace journey across services.
In security logs, array_concat can consolidate multiple IP addresses or user IDs to detect potential attack patterns involving different locations or users.
Query
Output
| _time | id | geo.city | combined_ids |
|---|---|---|---|
| 2024-10-28T12:30:00 | fc1407f5-04ca-4f4e-ad01-f72063736e08 | Avenal | [“fc1407f5-04ca-4f4e-ad01-f72063736e08”, “Avenal”] |
This query combines failed user IDs and cities where the request originated, allowing security analysts to detect suspicious patterns or brute force attempts from different regions.
List of related functions
- array_length: Returns the number of elements in an array.
- array_index_of: Finds the index of an element in an array.
- array_slice: Extracts a subset of elements from an array.