The countof function counts the occurrences of a plain substring within a string. Use this function when you need to find how many times a specific text pattern appears in log messages, user input, or any string field without using regular expressions.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you might use a combination of rex and counting operations. APL's countof provides a simpler approach for counting plain string occurrences.
['sample-http-logs']
| extend error_count = countof('GET', method)
In ANSI SQL, you typically calculate string occurrences using length differences. APL's countof provides a more direct approach.
['sample-http-logs']
| extend count = countof('search', field)
Usage
Syntax
countof(search, text)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| search | string | Yes | The plain substring to search for within the text. |
| text | string | Yes | The source string where occurrences are counted. |
Returns
Returns the number of times the search string appears in the text.
Use case examples
Count the forward slashes in URIs to measure API endpoint depth for each HTTP method.
Query
['sample-http-logs']
| extend api_segments = countof('/', uri)
| summarize avg_depth = avg(api_segments), request_count = count() by method
| sort by request_count desc
Output
| method | avg_depth | request_count |
|---|---|---|
| GET | 3.2 | 5432 |
| POST | 2.8 | 2341 |
| PUT | 2.5 | 876 |
| DELETE | 2.1 | 234 |
This query counts the number of forward slashes in URIs to determine the average API endpoint depth by HTTP method, helping identify API structure complexity.
Count occurrences of specific terms in service names to analyze service operation patterns.
Query
['otel-demo-traces']
| extend has_http = countof('frontend', ['service.name'])
| summarize services_with_frontend = sum(has_http), total_spans = count()
| extend percentage = round(100.0 * services_with_frontend / total_spans, 2)
Output
| services_with_frontend | total_spans | percentage |
|---|---|---|
| 1234 | 8765 | 14.08 |
This query counts how many spans contain 'frontend' in their service name to understand the proportion of frontend-related operations in your traces.
Count slashes in URIs to analyze URL structure and detect unusual patterns that might indicate security threats.
Query
['sample-http-logs']
| extend slash_count = countof('/', uri)
| where slash_count > 5
| project _time, uri, slash_count, id, status, ['geo.country']
| sort by slash_count desc
| limit 10
Output
| _time | uri | slash_count | id | status | geo.country |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /api/v1/users/12345/posts/67890/comments | 6 | user123 | 200 | US |
| 2024-11-06T10:01:00Z | /admin/config/settings/advanced/security | 5 | user456 | 200 | UK |
This query identifies URIs with unusually high slash counts, which can help detect complex or potentially suspicious URL patterns that might warrant further investigation.
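The following query is an added example, not part of the original documentation. It extends the slash-count triage above with countof checks for dot-dot sequences, so unusually deep paths and traversal-style paths surface in one result grouped by requester. The threshold of 5 is carried over from the query above; the '%2e%2e' encoded form, the grouping by id, and the limit of 20 are assumptions chosen for illustration.

```kusto
// Added example. Field names are the ones used in the queries on this page.
['sample-http-logs']
// Lower-case once so the percent-encoded match does not depend on case.
| extend uri_lc = tolower(uri)
| extend slash_count = countof('/', uri_lc),
         dotdot_count = countof('../', uri_lc),
         encoded_dotdot_count = countof('%2e%2e', uri_lc)
// Keep requests that are unusually deep or contain any dot-dot sequence.
| where slash_count > 5 or dotdot_count > 0 or encoded_dotdot_count > 0
// Roll up per requester so repeated probing stands out from one-off deep URLs.
| summarize requests = count(),
            max_depth = max(slash_count),
            dotdot_total = sum(dotdot_count + encoded_dotdot_count)
    by id, ['geo.country']
| sort by dotdot_total desc, requests desc
| limit 20
```

Rows with a non-zero dotdot_total deserve review first; rows that match only on max_depth are often legitimate nested API routes and are better judged against the normal depth for that endpoint.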
List of related functions
- countof_regex: Counts substring occurrences using regular expressions. Use this when you need pattern matching instead of exact string matching.
- strlen: Returns the length of a string. Use this when you need the total character count rather than occurrence counting.
- indexof: Finds the position of the first occurrence of a substring. Use this when you need to know where a substring appears, not how many times.
- extract: Extracts substrings using regular expressions. Use this when you need to capture matched text rather than count occurrences.