strings.coalesce
strings.coalesce(a, b, c, ...)
Description
This function takes an unlimited number of arguments and returns the value of the first expression that does not evaluate to an empty string (for example, "non-zero value"). If all arguments evaluate to an empty string, the function call returns an empty string.
The arguments can be literals, event fields, or function calls. All arguments must be of STRING type. If any arguments are event fields, the attributes must be from the same event.
Param data types
STRING
Return type
STRING
Code samples
Example 1
The following example includes string variables as arguments. The condition evaluates to true when (1) $e.network.email.from is suspicious@gmail.com or (2) $e.network.email.from is empty and $e.network.email.to is suspicious@gmail.com.
"suspicious@gmail.com" = strings.coalesce($e.network.email.from, $e.network.email.to)
Example 2
The following example calls the coalesce function with more than two arguments. This condition compares the first non-null IP address from event $e against values in the reference list ip_watchlist. The order that the arguments are coalesced in this call is the same as the order they are enumerated in the rule condition:
1. $e.principal.ip is evaluated first.
2. $e.src.ip is evaluated next.
3. $e.target.ip is evaluated next.
4. Finally, the string "No IP" is returned as a default value if the previous ip fields are unset.
strings.coalesce($e.principal.ip, $e.src.ip, $e.target.ip, "No IP") in %ip_watchlist
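Added example (not part of the original documentation, and not Google's implementation): a simplified Python model of the coalesce semantics in Examples 1 and 2, showing that only the first non-empty field is compared, so a watchlisted address in a later field is not matched when an earlier field is set. The field names come from Example 2; the flat-dict event layout, the helper names, and the sample addresses are assumptions made for illustration.

```python
# Simplified model of the strings.coalesce semantics described on this page.
# Assumption: an event is a flat dict keyed by field path; an unset field is "".

def coalesce(*values: str) -> str:
    """Return the first argument that is not an empty string, else ""."""
    for value in values:
        if value != "":
            return value
    return ""

IP_FIELDS = ("principal.ip", "src.ip", "target.ip")

def coalesce_match(event: dict, watchlist: set) -> bool:
    """Example 2's condition: only the first non-empty field is compared."""
    first = coalesce(*(event.get(f, "") for f in IP_FIELDS), "No IP")
    return first in watchlist

def any_field_match(event: dict, watchlist: set) -> bool:
    """Alternative check that compares every IP field (an OR of conditions)."""
    return any(event.get(f, "") in watchlist for f in IP_FIELDS)

# Constructed sample data (documentation address ranges, not real indicators).
WATCHLIST = {"203.0.113.7"}
EVENTS = [
    {"principal.ip": "203.0.113.7", "target.ip": "198.51.100.2"},
    {"src.ip": "203.0.113.7"},
    # Watchlisted address sits in a later field than the first non-empty one.
    {"principal.ip": "198.51.100.2", "target.ip": "203.0.113.7"},
    {},  # no IP field set: coalesce falls through to the "No IP" default
]

def coverage_gap(events: list, watchlist: set) -> list:
    """Indexes of events the any-field check flags but the coalesce check misses."""
    return [i for i, e in enumerate(events)
            if any_field_match(e, watchlist) and not coalesce_match(e, watchlist)]

if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        print(i, coalesce_match(e, WATCHLIST), any_field_match(e, WATCHLIST))
    print("missed by coalesce:", coverage_gap(EVENTS, WATCHLIST))
```

The same reasoning applies to Example 1: when the from field holds any other non-empty address, the to field is never compared.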
Example 3
The following example attempts to coalesce principal.hostname from event $e1 and event $e2. It will return a compiler error because the arguments are different event variables.
// returns a compiler error
"test" = strings.coalesce($e1.principal.hostname, $e2.principal.hostname)
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.