The replace_string function replaces all occurrences of a plain string with another string. Use this function when you need exact string matching without regular expression patterns, which makes it faster and simpler than regex-based replacement.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use replace for simple string replacements. APL's replace_string provides the same functionality.
['sample-http-logs']
| extend cleaned = replace_string('old_text', 'new_text', field)
In ANSI SQL, you use REPLACE for string replacements. APL's replace_string provides similar functionality.
['sample-http-logs']
| extend cleaned = replace_string('old_text', 'new_text', field)
Usage
Syntax
replace_string(lookup, rewrite, text)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| lookup | string | Yes | The plain string to search for and replace. |
| rewrite | string | Yes | The replacement string. |
| text | string | Yes | The source string to perform replacements on. |
Returns
Returns the text with all occurrences of the lookup string replaced by the rewrite string. Matches do not overlap.
Use case examples
Normalize HTTP methods by replacing abbreviations with full names for consistency.
Query
['sample-http-logs']
| extend normalized_method = replace_string('GET', 'Retrieve', method)
| extend normalized_method = replace_string('POST', 'Create', normalized_method)
| extend normalized_method = replace_string('PUT', 'Update', normalized_method)
| extend normalized_method = replace_string('DELETE', 'Remove', normalized_method)
| summarize request_count = count() by normalized_method, status
| sort by request_count desc
| limit 10
Output
| normalized_method | status | request_count |
|---|---|---|
| Retrieve | 200 | 5432 |
| Create | 201 | 2341 |
| Retrieve | 404 | 1234 |
| Update | 200 | 987 |
This query replaces HTTP method abbreviations with descriptive action names, making logs more readable for non-technical audiences.
Standardize service names by replacing environment-specific prefixes.
Query
['otel-demo-traces']
| extend clean_service = replace_string('prod-', '', ['service.name'])
| extend clean_service = replace_string('staging-', '', clean_service)
| extend clean_service = replace_string('dev-', '', clean_service)
| summarize span_count = count() by clean_service, kind
| sort by span_count desc
| limit 10
Output
| clean_service | kind | span_count |
|---|---|---|
| frontend | server | 4532 |
| checkout | client | 3421 |
| cart | internal | 2987 |
This query removes environment prefixes from service names to enable cross-environment analysis and aggregation.
Anonymize IP addresses by replacing specific segments for privacy compliance.
Query
['sample-http-logs']
| extend simulated_ip = '192.168.1.100'
| extend anonymized_ip = replace_string('.100', '.XXX', simulated_ip)
| extend anonymized_ip = replace_string('.1.', '.X.', anonymized_ip)
| project _time, uri, simulated_ip, anonymized_ip, status, ['geo.country']
| limit 10
Output
| _time | uri | simulated_ip | anonymized_ip | status | geo.country |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /admin | 192.168.1.100 | 192.168.X.XXX | 403 | United States |
| 2024-11-06T10:01:00Z | /api/secret | 192.168.1.100 | 192.168.X.XXX | 401 | Unknown |
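This query anonymizes the simulated IP address by replacing the literal substrings '.100' and '.1.' with placeholders, enabling security analysis while maintaining privacy compliance. Because replace_string matches exact text rather than octet positions, these two calls mask only addresses that contain those substrings.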
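The following added example (Python, not part of the original page and not Axiom code) applies the same two literal replacements to several constructed addresses to show which octets survive, next to a prefix-based mask. It assumes replace_string behaves like Python's str.replace (literal, left to right, non-overlapping, as the Returns section states); mask_ipv4, leaked, report and SAMPLES are hypothetical names.

```python
import ipaddress

def replace_string(lookup: str, rewrite: str, text: str) -> str:
    # Stand-in for APL replace_string, argument order as on this page.
    # Assumption: literal, left-to-right, non-overlapping matching,
    # which is also how Python's str.replace behaves.
    return text.replace(lookup, rewrite)

def page_anonymize(ip: str) -> str:
    # The two literal replacements from the query above.
    ip = replace_string('.100', '.XXX', ip)
    return replace_string('.1.', '.X.', ip)

def mask_ipv4(ip: str, keep_bits: int = 16) -> str:
    # Hypothetical structural alternative: zero every bit past keep_bits,
    # so the result does not depend on which digits the address contains.
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)

# Constructed sample addresses (not taken from any real log).
SAMPLES = [
    '192.168.1.100',   # the page's simulated address
    '192.168.1.101',   # last octet differs from '.100'
    '10.1.1.5',        # two '.1.' candidates that share a dot
    '192.168.100.7',   # '.100' appears in the third octet
    '203.0.113.42',    # contains neither literal
]

def leaked(samples):
    # Addresses that pass through the literal rules completely unchanged.
    return [ip for ip in samples if page_anonymize(ip) == ip]

def report(samples):
    # (original, literal-rule result, prefix-masked result) per address.
    return [(ip, page_anonymize(ip), mask_ipv4(ip)) for ip in samples]

if __name__ == "__main__":
    for ip, literal, masked in report(SAMPLES):
        print(f"{ip:15} literal={literal:15} masked={masked}")
    print("unchanged by literal rules:", leaked(SAMPLES))
```

In '10.1.1.5' the second '.1.' shares its leading dot with the first match, so the non-overlap rule leaves it in place.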
List of related functions
- replace: Replaces strings using regular expressions. Use this when you need pattern matching capabilities.
- replace_regex: Alias for replace with regex support. Use this for pattern-based replacements.
- strcat: Concatenates strings. Use this when building new strings rather than replacing parts of existing ones.
- substring: Extracts parts of strings. Use this when you need to extract rather than replace text.