The indexof function reports the zero-based index of the first occurrence of a specified string within an input string. Use this function to find the position of substrings, validate string formats, or extract parts of strings based on delimiter positions.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you might use searchmatch or string manipulation. APL's indexof provides a direct way to find substring positions.
['sample-http-logs']
| extend pos = indexof(field, 'search')
In ANSI SQL, you use POSITION() or INSTR() to find substring positions. APL's indexof provides similar functionality with additional parameters.
['sample-http-logs']
| extend pos = indexof(field, 'search')
Usage
Syntax
indexof(source, lookup, start_index, length, occurrence)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | The input string to search within. |
| lookup | string | Yes | The string to search for. |
| start_index | int | No | The position to start searching from (default: 0). |
| length | int | No | Number of character positions to examine. Use -1 for unlimited (default: -1). |
| occurrence | int | No | The occurrence number to find (default: 1 for first occurrence). |
Returns
Returns the zero-based index position of the lookup string within the source string (the first occurrence by default, or the occurrence selected by the occurrence parameter), or -1 if not found.
Use case examples
Find the position of API version indicators in URIs to categorize and analyze API usage patterns.
Query
['sample-http-logs']
| extend api_pos = indexof(uri, '/api/')
| where api_pos >= 0
| extend has_version = indexof(uri, '/v', api_pos)
| project _time, uri, api_pos, has_version, method, status
| limit 10
Output
| _time | uri | api_pos | has_version | method | status |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /api/v2/users | 0 | 4 | GET | 200 |
| 2024-11-06T10:01:00Z | /api/products | 0 | -1 | GET | 200 |
| 2024-11-06T10:02:00Z | /api/v1/orders | 0 | 4 | POST | 201 |
This query finds the position of API indicators in URIs, helping identify versioned versus unversioned API endpoints.
Locate service name delimiters to extract service identifiers from composite names.
Query
['otel-demo-traces']
| extend dash_pos = indexof(['service.name'], '-')
| where dash_pos >= 0
| extend service_prefix = substring(['service.name'], 0, dash_pos)
| summarize span_count = count() by service_prefix
| sort by span_count desc
| limit 10
Output
| service_prefix | span_count |
|---|---|
| otel | 8765 |
| service | 4321 |
| app | 2345 |
This query uses indexof to find delimiter positions in service names, enabling extraction of service prefixes for grouping and analysis.
Detect SQL injection attempts by finding the position of SQL keywords in URIs.
Query
['sample-http-logs']
| extend union_pos = indexof(tolower(uri), 'union'),
select_pos = indexof(tolower(uri), 'select'),
drop_pos = indexof(tolower(uri), 'drop')
| where union_pos >= 0 or select_pos >= 0 or drop_pos >= 0
| project _time, uri, union_pos, select_pos, drop_pos, id, status, ['geo.country']
| sort by _time desc
| limit 10
Output
| _time | uri | union_pos | select_pos | drop_pos | id | status | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /api?id=1'union select | -1 | 11 | -1 | user123 | 403 | Unknown |
| 2024-11-06T10:01:00Z | /search?q=drop table | -1 | -1 | 10 | user456 | 403 | Russia |
This query identifies potential SQL injection attempts by finding the position of SQL keywords in URIs, helping security teams detect and respond to attacks.
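As an added example that is not part of this page or Axiom's implementation, the following Python models the indexof parameters listed in the Syntax table and reproduces the API-version and SQL-keyword queries above over constructed sample rows; how the length window, a negative start_index and repeated occurrences behave beyond what the table states is an assumption noted in the comments.

```python
# Added example (not Axiom's implementation): a reference model of the
# indexof parameters documented in the Syntax table, plus the page's
# API-version and SQL-keyword queries run over constructed sample rows.
def indexof(source: str, lookup: str, start_index: int = 0,
            length: int = -1, occurrence: int = 1) -> int:
    """Zero-based index of the nth occurrence of lookup in source, else -1."""
    # Assumption: a negative start, a length below -1, an occurrence below 1
    # or an empty lookup cannot match and return -1.
    if start_index < 0 or length < -1 or occurrence < 1 or not lookup:
        return -1
    # length -1 examines to the end of source; otherwise only `length`
    # characters from start_index are examined and the match must fit inside.
    end = len(source) if length == -1 else start_index + length
    window = source[start_index:end]
    pos, search_from = -1, 0
    for _ in range(occurrence):
        pos = window.find(lookup, search_from)
        if pos < 0:
            return -1
        search_from = pos + len(lookup)  # assumption: occurrences don't overlap
    return start_index + pos

def api_version_pos(uri: str) -> int:
    """Mirror of the first query: search for '/v' only from the '/api/' hit."""
    api_pos = indexof(uri, "/api/")
    return -1 if api_pos < 0 else indexof(uri, "/v", api_pos)

SQL_KEYWORDS = ("union", "select", "drop")

def sql_keyword_positions(uri: str) -> dict:
    """Mirror of the third query: keyword positions within tolower(uri)."""
    lowered = uri.lower()
    return {kw: indexof(lowered, kw) for kw in SQL_KEYWORDS}

def flag_suspicious(uri: str) -> bool:
    """Equivalent of: where union_pos >= 0 or select_pos >= 0 or drop_pos >= 0."""
    return any(p >= 0 for p in sql_keyword_positions(uri).values())

# Constructed sample URIs modelled on the page's output tables.
SAMPLE_URIS = [
    "/api?id=1'UNION SELECT 1,2--",        # keywords present, mixed case
    "/search?q=drop table",               # 'drop' at index 10, as on the page
    "/products/selection?sort=dropdown",  # benign words containing keywords
    "/api/v2/users",                      # versioned API path, no keywords
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, api_version_pos(uri), flag_suspicious(uri), sql_keyword_positions(uri))
```

Because indexof is a plain substring match, a benign path such as /products/selection also yields select_pos >= 0, so treat rows returned by the query as candidates for review rather than confirmed injection attempts.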
List of related functions
- substring: Extracts a substring from a source string. Use this together with indexof to extract parts of strings based on found positions.
- strlen: Returns the length of a string. Use this with indexof to calculate positions relative to string length.
- extract: Extracts substrings using regular expressions. Use this when you need pattern matching instead of simple substring positions.
- split: Splits strings by delimiters. Use this when you want to tokenize rather than find positions.