The reverse function reverses the order of characters in a string. Use this function to analyze strings from right to left, detect palindromes, or transform data for specific pattern matching requirements.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, reversing strings typically requires custom functions or scripts. APL's reverse provides this functionality natively.
['sample-http-logs']
| extend reversed = reverse(field)In ANSI SQL, string reversal varies by database with different functions. APL's reverse provides standardized string reversal.
['sample-http-logs']
| extend reversed = reverse(field)Usage
Syntax
reverse(value)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | string | Yes | The input string to reverse. |
Returns
Returns the input string with its characters in reverse order.
Use case examples
Detect palindromic patterns in URIs or identifiers for data validation.
Query
['sample-http-logs']
| extend reversed_uri = reverse(uri)
| extend is_palindrome = uri == reversed_uri
| summarize palindrome_count = countif(is_palindrome), total_count = count() by method
| extend palindrome_percentage = round(100.0 * palindrome_count / total_count, 2)
| sort by palindrome_count descOutput
| method | palindrome_count | total_count | palindrome_percentage |
|---|---|---|---|
| GET | 12 | 8765 | 0.14 |
| POST | 5 | 2341 | 0.21 |
| PUT | 2 | 987 | 0.20 |
This query detects palindromic URIs by comparing them with their reversed versions, which can help identify unusual or test data patterns.
Analyze trace IDs by examining their reversed format for pattern detection.
Query
['otel-demo-traces']
| extend reversed_trace = reverse(trace_id)
| extend first_char = substring(trace_id, 0, 1)
| extend last_char = substring(reversed_trace, 0, 1)
| extend matches = first_char == last_char
| summarize match_count = countif(matches), total = count() by ['service.name']
| extend match_percentage = round(100.0 * match_count / total, 2)
| sort by match_count desc
| limit 10Output
| service.name | match_count | total | match_percentage |
|---|---|---|---|
| frontend | 287 | 4532 | 6.33 |
| checkout | 216 | 3421 | 6.31 |
| cart | 189 | 2987 | 6.33 |
This query analyzes trace ID patterns by checking if the first and last characters match, which can help validate ID generation algorithms.
Detect reverse proxy attacks or unusual URI patterns by analyzing reversed strings.
Query
['sample-http-logs']
| extend reversed_uri = reverse(uri)
| extend has_reversed_exploit = indexof(reversed_uri, 'drowssap') >= 0 or indexof(reversed_uri, 'nigol') >= 0
| where has_reversed_exploit or status == '403' or status == '401'
| project _time, uri, reversed_uri, has_reversed_exploit, id, status
| limit 10Output
| _time | uri | reversed_uri | has_reversed_exploit | id | status |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /admin | nimda/ | false | user123 | 403 |
| 2024-11-06T10:01:00Z | /loginpassword | drowssapnigol/ | true | user456 | 401 |
This query detects potentially obfuscated attack patterns by examining reversed URIs for suspicious keywords like 'password' or 'login' spelled backwards.
List of related functions
- substring: Extracts parts of strings. Use this with reverse to extract from the end of strings.
- strlen: Returns string length. Use this with reverse for position calculations from the right.
- strcat: Concatenates strings. Use this to build strings with reversed components.
- split: Splits strings into arrays. Use this with reverse to process tokens in reverse order.