Use the len function in APL (Axiom Processing Language) to determine the length of a string or the number of elements in an array. This function is useful when you want to filter, sort, or analyze data based on the size of a value—whether that’s the number of characters in a request URL or the number of cities associated with a user.
Use len when you need to:
- Measure string lengths (for example, long request URIs).
- Count elements in dynamic arrays (such as tags or multi-value fields).
- Create conditional expressions based on the length of values.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you often use the len function within eval or where expressions to determine string length or array size. In APL, len works similarly, but is used as a standalone scalar function.
['sample-http-logs']
| extend uri_length = len(uri)In ANSI SQL, you use LENGTH() for strings and CARDINALITY() for arrays. In APL, len handles both cases—string and array—depending on the input type.
['sample-http-logs']
| extend uri_length = len(uri)Usage
Syntax
len(value)Parameters
| Name | Type | Description |
|---|---|---|
| value | string or array | The input to measure—either a string or an array. |
Returns
- If
valueis a string, returns the number of characters. - If
valueis an array, returns the number of elements. - Returns
nullif the input isnull.
Use case examples
Use len to find requests with long URIs, which might indicate poorly designed endpoints or potential abuse.
Query
['sample-http-logs']
| extend uri_length = len(uri)
| where uri_length > 100
| project _time, id, uri, uri_lengthOutput
| _time | id | uri | uri_length |
|---|---|---|---|
| 2025-06-18T12:34:00Z | user123 | /api/products/search?query=... | 132 |
| 2025-06-18T12:35:00Z | user456 | /download/file/very/long/path/... | 141 |
The query filters logs for URIs longer than 100 characters and displays their lengths.
Use len to identify traces with IDs of unexpected length, which might indicate instrumentation issues or data inconsistencies.
Query
['otel-demo-traces']
| extend trace_id_length = len(trace_id)
| summarize count() by trace_id_lengthOutput
| trace_id_length | count |
|---|---|
| 32 | 4987 |
| 16 | 12 |
The query summarizes trace IDs by their lengths to find unexpected values.
Use len to analyze request methods and flag unusually short ones (e.g., malformed logs or attack vectors).
Query
['sample-http-logs']
| extend method_length = len(method)
| where method_length < 3
| project _time, id, method, method_lengthOutput
| _time | id | method | method_length |
|---|---|---|---|
| 2025-06-18T13:10:00Z | user789 | P | 1 |
| 2025-06-18T13:12:00Z | user222 | G | 1 |
The query finds suspicious or malformed request methods that are unusually short.
List of related functions
- array_length: Returns the number of elements in an array. Use this when working specifically with arrays.
- array_slice: Returns a subarray like
array_extract, but supports negative indexing. - array_concat: Joins arrays end-to-end. Use before or after slicing arrays with
array_extract.