The split function splits a string into an array of substrings based on a delimiter. Use this function to tokenize log messages, parse delimited data, or break down structured text into individual components for analysis.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the split function similarly. APL's split provides the same functionality.
['sample-http-logs']
| extend parts = split(field, ',')
In ANSI SQL, string splitting varies by database. APL's split provides standardized string splitting.
['sample-http-logs']
| extend parts = split(field, ',')
Usage
Syntax
split(source, delimiter)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | The source string to split. |
| delimiter | string | Yes | The delimiter string to split on. |
Returns
Returns a string array containing the substrings separated by the delimiter.
Use case examples
Split URI paths into segments for hierarchical analysis of API endpoint structure.
Query
['sample-http-logs']
| extend path_segments = split(uri, '/')
| extend segment_count = array_length(path_segments)
| extend first_segment = tostring(path_segments[1])
| summarize request_count = count() by first_segment, segment_count
| sort by request_count desc
| limit 10
Output
| first_segment | segment_count | request_count |
|---|---|---|
| api | 4 | 5432 |
| users | 3 | 2341 |
| products | 3 | 1987 |
This query splits URIs by forward slashes to analyze API endpoint hierarchy and identify the most accessed top-level paths.
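The same segment analysis reproduced in Python over constructed log records (an added example, not code from the Axiom docs). It makes visible why the query reads the first segment from index 1: a URI that starts with '/' yields an empty string at index 0, and a query string stays attached to the last segment.

```python
"""Mirror of the URI-segment query above, run over constructed sample rows."""
from collections import Counter

# Constructed records standing in for rows of ['sample-http-logs'].
SAMPLE_LOGS = [
    {"uri": "/api/v1/users"},
    {"uri": "/api/v1/orders"},
    {"uri": "/api/v1/users"},
    {"uri": "/users/42"},
    {"uri": "/users/42?debug=1"},   # query string stays in the last segment
    {"uri": "/products/7"},
    {"uri": "/"},                    # root path: split gives ['', '']
]


def split_uri(uri: str) -> list[str]:
    """Equivalent of split(uri, '/'): like APL, Python keeps the empty
    string produced by the leading slash, so the first real path
    segment is at index 1, not index 0."""
    return uri.split("/")


def summarize_first_segment(records):
    """Equivalent of the extend/summarize/sort steps of the query.
    Returns (first_segment, segment_count, request_count) tuples,
    sorted by request_count descending (ties by segment name)."""
    counts = Counter()
    for rec in records:
        parts = split_uri(rec["uri"])
        first = parts[1] if len(parts) > 1 else ""
        counts[(first, len(parts))] += 1
    rows = [(seg, n, c) for (seg, n), c in counts.items()]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for row in summarize_first_segment(SAMPLE_LOGS):
        print(row)
```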
Parse hyphen-separated service names into components for hierarchical analysis.
Query
['otel-demo-traces']
| extend service_parts = split(['service.name'], '-')
| extend service_type = tostring(service_parts[0])
| extend part_count = array_length(service_parts)
| summarize span_count = count() by service_type, part_count
| sort by span_count desc
| limit 10
Output
| service_type | part_count | span_count |
|---|---|---|
| frontend | 1 | 4532 |
| checkout | 1 | 3421 |
| cart | 1 | 2987 |
This query splits service names by hyphens to extract service type prefixes and analyze service naming patterns.
Parse comma-separated attack indicators from security headers or URIs.
Query
['sample-http-logs']
| extend simulated_threats = 'sql_injection,xss,path_traversal'
| extend threat_list = split(simulated_threats, ',')
| extend threat_count = array_length(threat_list)
| extend has_multiple_threats = threat_count > 1
| project _time, uri, threat_list, threat_count, has_multiple_threats, id, status
| limit 10
Output
| _time | uri | threat_list | threat_count | has_multiple_threats | id | status |
|---|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /admin | ["sql_injection","xss","path_traversal"] | 3 | true | user123 | 403 |
This query splits comma-separated threat indicators to analyze the types and combinations of security threats.
List of related functions
- parse_csv: Parses CSV strings with proper quote handling. Use this for CSV data instead of split.
- extract_all: Extracts multiple regex matches. Use this when you need pattern-based tokenization.
- strcat_delim: Concatenates strings with delimiters. Use this to reverse the split operation.
- indexof: Finds delimiter positions. Use this when you need to know where splits would occur.