The replace function replaces all matches of a regular expression pattern with another string. Use this function to clean log data, redact sensitive information, normalize formats, or transform text patterns in your queries.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with mode=sed for replacements. APL's replace provides regex replacement with capture group support.

```kusto
['sample-http-logs']
| extend cleaned = replace('pattern', 'replacement', uri)
```

In ANSI SQL, you use REGEXP_REPLACE, whose syntax varies by database. APL's replace provides a single regex replacement syntax.

```kusto
['sample-http-logs']
| extend cleaned = replace('pattern', 'replacement', field)
```

Usage
Syntax

```kusto
replace(regex, rewrite, text)
```

Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| regex | string | Yes | The regular expression pattern to search for. Can include capture groups in parentheses. Metacharacters that should match literally must be escaped; the examples on this page write a literal dot as `[.]`. |
| rewrite | string | Yes | The replacement string. Use $0 for the entire match, $1 for the first capture group, $2 for the second, etc. Text in rewrite that is not a group reference is inserted literally. |
| text | string | Yes | The source string to perform replacements on. |
Returns
Returns text with every match of regex replaced by rewrite, scanning left to right. Matches do not overlap. If nothing matches, text is returned unchanged. When replace calls are chained, as in the examples below, each call operates on the output of the previous one, so the order of the calls matters.
Use case examples
Redact sensitive information like email addresses or API keys from logs for privacy compliance.
Query

```kusto
['sample-http-logs']
| extend cleaned_uri = replace('[a-z0-9._%+-]+@[a-z0-9.-]+[.][a-z]{2,}', '[EMAIL_REDACTED]', uri)
| extend cleaned_uri = replace('apikey=[^&]+', 'apikey=[REDACTED]', cleaned_uri)
| project _time, uri, cleaned_uri, status
| limit 10
```

Output
| _time | uri | cleaned_uri | status |
|---|---|---|---|
| 2024-11-06T10:00:00Z | /api?email=user@example.com | /api?email=[EMAIL_REDACTED] | 200 |
| 2024-11-06T10:01:00Z | /api?apikey=abc123def456 | /api?apikey=[REDACTED] | 200 |
This query redacts email addresses and API keys from URIs so the values do not appear in shared query results or reports. The redaction is only as good as the patterns: the email pattern matches lowercase characters only, and the apikey pattern stops at the next `&`, so an uppercase address or a key passed under a different parameter name is left in place. Redaction in a query also does not remove the value from the stored event; anyone who can query uri directly still sees it.
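The parameter table mentions $0, $1 and $2, but none of the page's examples use a capture group. The following query is an added example, not from the original page: it masks secrets while keeping the parts an analyst still needs, the mail domain and the last four characters of the key, so results can be grouped by domain and keys can be correlated without exposing them. It assumes the same sample-http-logs dataset and uri field as above and that the engine accepts the RE2-style `(?i)` prefix for case-insensitive matching (an assumption; remove the prefix if your engine rejects it).

```kusto
['sample-http-logs']
// Group 1 is the local part, group 2 the domain. Only the domain ($2) survives.
// (?i) is assumed to be accepted (RE2 syntax) so that User@Example.COM is also caught.
| extend masked_uri = replace('(?i)([a-z0-9._%+-]+)@([a-z0-9.-]+[.][a-z]{2,})', '***@$2', uri)
// Group 1 keeps the parameter name; the greedy [^&]* backtracks so that group 2
// holds the last four characters of the value: apikey=abc123def456 -> apikey=****f456.
// Values shorter than four characters do not match and are left unchanged.
| extend masked_uri = replace('(?i)(apikey=)[^&]*([^&]{4})', '$1****$2', masked_uri)
| project _time, uri, masked_uri, status
| limit 10
```

Keep the original uri in the projection only while you verify the patterns; drop it before the query backs a shared dashboard, otherwise the masking is cosmetic.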
Normalize service names by replacing version numbers or environment prefixes for consistent grouping.
Query

```kusto
['otel-demo-traces']
| extend normalized_service = replace('-v[0-9]+[.][0-9]+', '', ['service.name'])
| extend normalized_service = replace('-(dev|staging|prod)$', '', normalized_service)
| summarize span_count = count() by normalized_service
| sort by span_count desc
| limit 10
```

Output
| normalized_service | span_count |
|---|---|
| frontend | 4532 |
| checkout | 3421 |
| cart | 2987 |
This query removes version numbers and environment suffixes from service names to enable aggregation across versions and environments.
Mask suspicious patterns in URIs before query results are shared or rendered in a dashboard. This is a display-side measure for analysts looking at stored data: a query never executes the request it inspects, so the replacement changes what is shown, not the risk posed by the original request.
Query

```kusto
['sample-http-logs']
| extend sanitized_uri = replace('<[^>]*>', '[HTML_REMOVED]', uri)
| extend sanitized_uri = replace('(union|select|drop|insert|delete) ', '[SQL_REMOVED] ', sanitized_uri)
| project _time, uri, sanitized_uri, id, status, ['geo.country']
| limit 10
```

Output
| _time | uri | sanitized_uri | id | status | geo.country |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /search?q= | /search?q=[HTML_REMOVED] | user123 | 403 | Unknown |
| 2024-11-06T10:01:00Z | /api?id=1 union select * | /api?id=1 [SQL_REMOVED] [SQL_REMOVED] * | user456 | 403 | Russia |
This query masks HTML tags and a few SQL keywords in the stored URI so that they stand out in reports and are not rendered verbatim in a page that displays query output. Because replace rewrites every match, both `union ` and `select ` in the second row are replaced. Treat the result as a visual aid, not a filter: the keyword pattern only matches lowercase keywords followed by a space, so `UNION SELECT`, `union/**/select` or a URL-encoded `union%20select` pass through unchanged, and it also fires on legitimate words such as a path containing `select `. For detection, match on the raw uri and keep the original value alongside the masked one, as this query's projection does.
List of related functions
- replace_regex: Alias for replace with regex support. Use either name based on preference.
- replace_string: Replaces plain string matches without regex. Use this for simpler, faster replacements when regex is not needed.
- extract: Extracts regex matches without replacement. Use this when you need to capture text rather than modify it.
- split: Splits strings by delimiters. Use this when tokenizing rather than replacing.