The replace_regex function replaces all matches of a regular expression pattern with another string. This function is an alias for replace and provides the same functionality for regex-based text replacement.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with mode=sed for regex replacements. APL's replace_regex provides the same functionality with simpler syntax.
['sample-http-logs']
| extend formatted = replace_regex('error_([0-9]+)', 'ERROR-$1', uri)
In ANSI SQL, you use REGEXP_REPLACE for regex replacements. APL's replace_regex provides similar functionality with consistent syntax.
['sample-http-logs']
| extend result = replace_regex('pattern', 'replacement', field)
Usage
Syntax
replace_regex(regex, rewrite, text)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| regex | string | Yes | The regular expression pattern to search for. Can include capture groups. |
| rewrite | string | Yes | The replacement string. Use $0 for the entire match, $1 for the first capture group, etc. |
| text | string | Yes | The source string to perform replacements on. |
Returns
Returns the text with every non-overlapping match of the regex replaced by the rewrite pattern. If the regex matches nothing, the text is returned unchanged.
Use case examples
Standardize HTTP status codes by adding descriptive prefixes for better readability.
Query
['sample-http-logs']
| extend formatted_status = replace_regex('^(2[0-9]{2})$', 'SUCCESS-$1', status)
| extend formatted_status = replace_regex('^(4[0-9]{2})$', 'CLIENT_ERROR-$1', formatted_status)
| extend formatted_status = replace_regex('^(5[0-9]{2})$', 'SERVER_ERROR-$1', formatted_status)
| summarize request_count = count() by formatted_status
| sort by request_count desc
| limit 10
Output
| formatted_status | request_count |
|---|---|
| SUCCESS-200 | 8765 |
| CLIENT_ERROR-404 | 2341 |
| SERVER_ERROR-500 | 1234 |
| CLIENT_ERROR-403 | 987 |
This query adds descriptive prefixes to status codes using regex capture groups, making log analysis more intuitive.
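The following Go program is an added example, not part of the Axiom documentation. It illustrates the rewrite semantics described under Returns (every non-overlapping match is replaced; $0 is the whole match, $1 the first capture group) and the chained status-code query above. Go's regexp package is RE2-based and uses the same $N template syntax, so it is assumed here to behave like replace_regex on these inputs; the helper names (rewrite, bracketNumbers, collapsePairs, classifyStatus) are this example's own, not APL functions.

```go
package main

import (
	"fmt"
	"regexp"
)

// rewrite mirrors the replace_regex(regex, rewrite, text) signature from the
// page: every non-overlapping match of pattern in text is replaced with the
// template, which may reference $0 (whole match) or $N (capture group N).
// Go's regexp package is RE2-based and uses the same $N template syntax.
// (Helper name is this example's own, not an APL function.)
func rewrite(pattern, template, text string) string {
	return regexp.MustCompile(pattern).ReplaceAllString(text, template)
}

// bracketNumbers wraps every digit run in brackets using $0 (the whole match).
func bracketNumbers(text string) string {
	return rewrite(`[0-9]+`, `[$0]`, text)
}

// collapsePairs shows the non-overlapping rule: in "aaaaa" the pattern "aa"
// matches at offsets 0 and 2 only, so the trailing "a" is left alone.
func collapsePairs(text string) string {
	return rewrite(`aa`, `X`, text)
}

// classifyStatus reproduces the page's chained status-code query. Because each
// pattern is anchored with ^ and $, a value already rewritten to "SUCCESS-200"
// no longer matches the later patterns, so nothing is prefixed twice, and a
// code such as 302 that matches no pattern passes through unchanged.
func classifyStatus(status string) string {
	s := rewrite(`^(2[0-9]{2})$`, `SUCCESS-$1`, status)
	s = rewrite(`^(4[0-9]{2})$`, `CLIENT_ERROR-$1`, s)
	s = rewrite(`^(5[0-9]{2})$`, `SERVER_ERROR-$1`, s)
	return s
}

func main() {
	fmt.Println(bracketNumbers("error_42 at line 7")) // error_[42] at line [7]
	fmt.Println(collapsePairs("aaaaa"))               // XXa
	for _, code := range []string{"200", "404", "500", "302"} {
		fmt.Printf("%s -> %s\n", code, classifyStatus(code))
	}
}
```

One Go-specific caveat: in a Go template a `$N` immediately followed by a letter, digit or underscore is read as a longer group name, so such cases must be written `${1}`. The templates on this page all end the group reference before such a character, so they work verbatim in Go.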
Extract and reformat duration values in span attributes by normalizing units.
Query
['otel-demo-traces']
| extend duration_str = strcat(tostring(duration / 1ms), 'ms')
| extend normalized = replace_regex('([0-9]+)ms', '$1 milliseconds', duration_str)
| project _time, ['service.name'], duration, duration_str, normalized
| limit 10
Output
| _time | service.name | duration | duration_str | normalized |
|---|---|---|---|---|
| 2024-11-06T10:00:00Z | frontend | 125ms | 125ms | 125 milliseconds |
| 2024-11-06T10:01:00Z | checkout | 234ms | 234ms | 234 milliseconds |
This query normalizes duration format using regex capture groups to ensure consistent unit representation across different services.
Mask sensitive data patterns like credit card numbers or SSNs using regex capture groups.
Query
['sample-http-logs']
| extend masked_uri = replace_regex('([0-9]{4})[0-9]{8}([0-9]{4})', '$1********$2', uri)
| extend masked_uri = replace_regex('([0-9]{3})-[0-9]{2}-([0-9]{4})', '$1-XX-$2', masked_uri)
| project _time, uri, masked_uri, id, status
| limit 10
Output
| _time | uri | masked_uri | id | status |
|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /api?cc=1234567890123456 | /api?cc=1234********3456 | user123 | 403 |
| 2024-11-06T10:01:00Z | /api?ssn=123-45-6789 | /api?ssn=123-XX-6789 | user456 | 401 |
This query masks sensitive personally identifiable information like credit card numbers and SSNs using regex capture groups to preserve format while hiding sensitive digits.
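The following Go program is an added example, not part of the Axiom documentation. It applies the two masking rewrites from the query above to constructed sample URIs (not rows from sample-http-logs), covering the edge cases a practitioner would want to see: two adjacent 16-digit runs (both masked, because every non-overlapping match is replaced), a 17-digit run (only the first 16 digits are masked) and a value with no match (returned unchanged). It also runs a simple coverage check for 16-digit runs that survive masking. Go's RE2-based regexp package is assumed to match replace_regex on these patterns; the helper names (maskURI, stillCardLike, maskAll) and the check pattern are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two masking rewrites from the page's query, as Go (RE2) regexps.
// Go's regexp uses the same $N replacement syntax as the page's examples.
var (
	cardRe = regexp.MustCompile(`([0-9]{4})[0-9]{8}([0-9]{4})`)
	ssnRe  = regexp.MustCompile(`([0-9]{3})-[0-9]{2}-([0-9]{4})`)
	// Verification pattern (this example's own, not from the page): a run of
	// 16 digits surviving the mask means a card-like value got through.
	cardLikeRe = regexp.MustCompile(`[0-9]{16}`)
)

// maskURI applies both rewrites in the same order as the page's query.
// Every non-overlapping match is replaced, so two adjacent 16-digit runs
// are both masked.
func maskURI(uri string) string {
	masked := cardRe.ReplaceAllString(uri, "$1********$2")
	return ssnRe.ReplaceAllString(masked, "$1-XX-$2")
}

// stillCardLike reports whether 16 consecutive digits remain after masking,
// a cheap check that the pattern covered what it was meant to.
func stillCardLike(masked string) bool {
	return cardLikeRe.MatchString(masked)
}

// maskAll masks each URI and returns the masked values in the same order.
func maskAll(uris []string) []string {
	out := make([]string, 0, len(uris))
	for _, u := range uris {
		out = append(out, maskURI(u))
	}
	return out
}

// Constructed sample values for this example; not rows from sample-http-logs.
var sampleURIs = []string{
	"/api?cc=1234567890123456",
	"/api?ssn=123-45-6789",
	"/api?cc=1234567890123456&ssn=123-45-6789",
	"/api?cc=12345678901234561234567890123456", // two runs: both masked
	"/api?trace=12345678901234567",             // 17 digits: first 16 masked, last digit stays
	"/api?id=42",                               // no match: unchanged
}

func main() {
	for _, u := range sampleURIs {
		m := maskURI(u)
		fmt.Printf("%-45s -> %-45s card-like digits remain: %v\n", u, m, stillCardLike(m))
	}
}
```

Two points follow from the output. The card pattern matches any 16-digit run, so it also masks unrelated values such as numeric trace ids, and a longer run is only partially masked; tighten the pattern (for example with word boundaries or a field-specific prefix) if that matters. Because the masking is done with extend, it changes only the columns the query returns; the original uri values remain in the stored events.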
List of related functions
- replace: Alias for replace_regex. Use either name based on preference.
- replace_string: Replaces plain string matches without regex. Use this for faster replacement when regex patterns are not needed.
- extract: Extracts the first regex match. Use this when you need to capture text rather than modify it.
- extract_all: Extracts all regex matches. Use this when you need multiple captured values without replacement.