Introduction
The parse_sql function parses a SQL statement string and returns a structured dictionary representing its components, such as tables, columns, conditions, and clauses. Use it to analyze SQL queries stored in your observability data, validate query structure, or extract specific parts of a SQL statement for further processing.
parse_sql is useful in database monitoring scenarios where SQL queries are captured as strings in audit logs or trace attributes, and you want to understand query patterns, detect anomalies, or inspect query structure at scale.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk doesn't have a native SQL parser function. You would typically use rex with regular expressions to extract parts of a SQL query string. APL's parse_sql provides structured access to every clause of the SQL statement in a single call.
... | project parsed = parse_sql('SELECT id, status FROM logs WHERE status = 500')ANSI SQL has no built-in SQL parsing functions. parse_sql is unique to APL: it accepts a SQL string as input and returns a dictionary of its parsed components, enabling you to inspect and transform SQL statements using APL operators.
... | project parsed = parse_sql('SELECT id, status FROM logs WHERE status = 500')Usage
Syntax
parse_sql(sql_statement)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| sql_statement | string | Yes | The SQL statement to parse. |
Returns
A dictionary representing the structured data model of the SQL statement, including the statement type, selected columns, source tables, conditions, and ordering clauses.
Use case examples
Parse a SQL query that represents a slow-query log entry to inspect its structure.
Query
print parsed_query = parse_sql('SELECT id, status, uri FROM requests WHERE req_duration_ms > 1000 ORDER BY req_duration_ms DESC')Output
{
"parsed_query": {
"columns": [
{
"colname": "id"
},
{
"colname": "status"
},
{
"colname": "uri"
}
],
"from": [
{
"table": "requests"
}
],
"order": [
{
"direction": "desc",
"expr": {
"colname": "req_duration_ms"
}
}
],
"statement": "select",
"where": {
"operator": ">",
"params": [
{
"colname": "req_duration_ms"
},
{
"value": "1000",
"valtype": "integer"
}
]
}
}
}The query parses a slow-query SQL string and returns its structured representation, letting you extract specific clauses with parsed_query.from or parsed_query.columns.
Parse a SQL query that represents a database span to inspect which tables and columns a service queries.
Query
print parsed_query = parse_sql('SELECT trace_id, span_id, duration FROM traces ORDER BY duration DESC')Output
{
"parsed_query": {
"columns": [
{
"colname": "trace_id"
},
{
"colname": "span_id"
},
{
"colname": "duration"
}
],
"from": [
{
"table": "traces"
}
],
"order": [
{
"direction": "desc",
"expr": {
"colname": "duration"
}
}
],
"statement": "select"
}
}The query parses a database span's SQL string and returns its structured representation so you can programmatically inspect which tables and columns the trace's database operations access.
Parse a SQL statement that contains an authorization filter to verify that the expected WHERE clause is present.
Query
print parsed_query = parse_sql('SELECT id, status FROM logs WHERE status = 401 OR status = 403')Output
{
"parsed_query": {
"columns": [
{
"colname": "id"
},
{
"colname": "status"
}
],
"from": [
{
"table": "logs"
}
],
"statement": "select",
"where": {
"operator": "or",
"params": [
{
"params": [
{
"colname": "status"
},
{
"value": "401",
"valtype": "integer"
}
],
"operator": "="
},
{
"operator": "=",
"params": [
{
"colname": "status"
},
{
"valtype": "integer",
"value": "403"
}
]
}
]
}
}
}The query parses a SQL string with an OR condition in its WHERE clause. You can then inspect the where field to confirm that the expected authorization filters are present.
List of related functions
- format_sql: Converts the dictionary produced by
parse_sqlback into a SQL string. Useformat_sqlto normalize or round-trip a parsed query. - parse_json: Parses a JSON string into a dynamic dictionary. Use
parse_jsonwhen your data contains JSON rather than SQL. - extract: Extracts a substring matching a regular expression from a string. Use
extractfor simple pattern matching when you don't need full SQL parsing.