The string_size function returns the number of bytes in a string. You use it when you want to measure the length of text fields such as user IDs, URLs, or status codes. This function is useful for detecting anomalies, filtering out unusually long values, or analyzing patterns in textual data.
For example, you can use string_size to detect requests with excessively long URIs, identify outlier user IDs, or monitor payload lengths in traces.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use the len function to calculate the number of characters in a string. In APL, you use string_size to calculate the number of bytes in a string.
['sample-http-logs']
| extend uri_length = string_size(uri)In ANSI SQL, you use the LENGTH or CHAR_LENGTH function to calculate string length. In APL, the equivalent is string_size to calculate the number of bytes in a string.
['sample-http-logs']
| extend uri_length = string_size(uri)Usage
Syntax
string_size(source)Parameters
| Parameter | Type | Description |
|---|---|---|
source |
string |
The input string expression. |
Returns
An integer representing the number of bytes in the string. If the string is empty, the function returns 0.
Use case examples
You can use string_size to detect unusually long URIs that might indicate an attempted exploit or malformed request.
Query
['sample-http-logs']
| extend uri_length = string_size(uri)
| where uri_length > 100
| project _time, method, uri, uri_length, statusOutput
| _time | method | uri | uri_length | status |
|---|---|---|---|---|
| 2025-09-11T10:01:45Z | GET | /search/products?q=... | 142 | 200 |
| 2025-09-11T10:02:13Z | POST | /checkout/submit/order/details... | 187 | 400 |
This query finds all HTTP requests with URIs longer than 10 characters and lists their details.
You can measure the length of trace IDs or span IDs to ensure data consistency and identify malformed identifiers.
Query
['otel-demo-traces']
| extend trace_length = string_size(trace_id)
| summarize avg_length = avg(trace_length) by ['service.name']Output
| service.name | avg_length |
|---|---|
| frontend | 32 |
| checkoutservice | 32 |
| loadgenerator | 31.8 |
This query calculates the average trace ID length per service to verify identifier consistency across the system.
You can check for anomalous user IDs by looking at the length of the id field. Very short or very long IDs may signal invalid or suspicious activity.
Query
['sample-http-logs']
| extend id_length = string_size(id)
| where id_length < 5 or id_length > 20
| project _time, id, id_length, status, ['geo.country']Output
| _time | id | id_length | status | geo.country |
|---|---|---|---|---|
| 2025-09-11T09:55:01Z | a12 | 3 | 401 | US |
| 2025-09-11T09:58:42Z | user_long_id_example_test | 24 | 200 | DE |
This query detects requests with suspiciously short or long user IDs, which might indicate invalid credentials or malicious activity.