The strcmp function compares two strings lexicographically and returns an integer indicating their relationship. Use this function to sort strings, validate string ordering, or implement custom comparison logic in your queries.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you typically use comparison operators. APL's strcmp provides explicit lexicographic comparison with numeric return values.

```sql Splunk example
| eval result=case(str1<str2, -1, str1>str2, 1, true(), 0)
```
['sample-http-logs']
| extend result = strcmp(str1, str2)

In ANSI SQL, string comparison varies. APL's strcmp provides C-style string comparison returning -1, 0, or 1.

```sql SQL example
SELECT CASE
         WHEN str1 < str2 THEN -1
         WHEN str1 > str2 THEN 1
         ELSE 0
       END AS result
FROM logs;
```
['sample-http-logs']
| extend result = strcmp(str1, str2)

Usage

Syntax

strcmp(string1, string2)

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| string1 | string | Yes | The first string to compare. |
| string2 | string | Yes | The second string to compare. |

Returns

Returns an integer: -1 if string1 is less than string2, 0 if they are equal, 1 if string1 is greater than string2.

Use case examples

Compare HTTP methods to establish custom ordering for request type analysis.

Query

['sample-http-logs']
| extend method_order = strcmp(method, 'GET')
| summarize get_requests = countif(method_order == 0),
            before_get = countif(method_order < 0),
            after_get = countif(method_order > 0) by status
| limit 10


Output

| status | get_requests | before_get | after_get |
| --- | --- | --- | --- |
| 200 | 5432 | 1234 | 2109 |
| 404 | 1987 | 234 | 120 |

This query uses strcmp to categorize HTTP methods relative to 'GET', enabling analysis of request type distribution by status code.

Compare service names to establish ordering for service dependency analysis.

Query

['otel-demo-traces']
| extend name_comparison = strcmp(['service.name'], 'frontend')
| extend is_frontend = name_comparison == 0
| extend before_frontend = name_comparison < 0
| extend after_frontend = name_comparison > 0
| summarize span_count = count() by is_frontend, before_frontend, after_frontend


Output

| is_frontend | before_frontend | after_frontend | span_count |
| --- | --- | --- | --- |
| true | false | false | 4532 |
| false | true | false | 3421 |
| false | false | true | 6012 |

This query categorizes services based on their lexicographic position relative to 'frontend', helping organize service hierarchies.

  • tolower: Converts strings to lowercase. Use this before strcmp for case-insensitive comparison.
  • toupper: Converts strings to uppercase. Use this before strcmp for case-insensitive comparison.
  • strlen: Returns string length. Use this to compare strings by length rather than lexicographically.
  • indexof: Finds substring positions. Use this for substring comparison rather than full string comparison.
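
The following query is an added example, not part of the original documentation. It combines tolower with strcmp, as the list above suggests, to separate requests whose method equals 'GET' exactly from those that match only after case folding, which matters when a filter or detection rule assumes a fixed method casing. It assumes the method and status fields of the sample dataset used earlier on this page; whether that dataset contains mixed-case methods is not stated.

```kusto
['sample-http-logs']
// Exact, case-sensitive comparison against 'GET'
| extend exact_cmp = strcmp(method, 'GET')
// Case-insensitive comparison: fold the field to lowercase and compare to a lowercase literal
| extend folded_cmp = strcmp(tolower(method), 'get')
| summarize exact_get = countif(exact_cmp == 0),
            // Matches only after folding, for example 'get' or 'Get'
            case_variant_get = countif(exact_cmp != 0 and folded_cmp == 0),
            other_methods = countif(folded_cmp != 0) by status
```

A non-zero case_variant_get count means an exact-match comparison on method would miss those rows.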
