The strlen function returns the length of a string in characters. Use this function to validate field lengths, filter by size constraints, or analyze text content patterns in your logs.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the len function. APL's strlen provides the same functionality.
['sample-http-logs']
| extend length = strlen(field)
In ANSI SQL, you use LENGTH or LEN depending on the database. APL's strlen provides standardized string length measurement.
['sample-http-logs']
| extend length = strlen(field)
Usage
Syntax
strlen(source)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | The string to measure. |
Returns
Returns the length of the string in characters (not bytes).
Use case examples
Analyze URI lengths to identify potential long-URL attacks or data exfiltration attempts.
Query
['sample-http-logs']
| extend uri_length = strlen(uri)
| summarize avg_length = avg(uri_length),
max_length = max(uri_length),
long_uri_count = countif(uri_length > 200) by method, status
| sort by max_length desc
| limit 10
Output
| method | status | avg_length | max_length | long_uri_count |
|---|---|---|---|---|
| GET | 200 | 45.3 | 512 | 234 |
| POST | 404 | 38.7 | 387 | 89 |
This query analyzes URI length patterns to identify unusually long requests that might indicate attacks or data exfiltration attempts.
Monitor trace ID and span ID length consistency to validate instrumentation correctness.
Query
['otel-demo-traces']
| extend trace_id_length = strlen(trace_id)
| extend span_id_length = strlen(span_id)
// OpenTelemetry IDs are hex strings: 32 characters for trace_id, 16 for span_id
| summarize id_length_consistent = countif(trace_id_length == 32 and span_id_length == 16),
trace_avg = avg(trace_id_length),
span_avg = avg(span_id_length) by ['service.name']
| sort by id_length_consistent desc
| limit 10
Output
| service.name | id_length_consistent | trace_avg | span_avg |
|---|---|---|---|
| frontend | 4532 | 32.0 | 16.0 |
| checkout | 3421 | 32.0 | 16.0 |
This query validates that trace and span IDs have expected lengths, helping identify instrumentation issues where IDs might be malformed.
Detect potential buffer overflow attacks by identifying unusually long user identifiers or input fields.
Query
['sample-http-logs']
| extend id_length = strlen(id)
| extend uri_length = strlen(uri)
| where id_length > 50 or uri_length > 500
| project _time, id, id_length, uri, uri_length, status, ['geo.country']
| sort by id_length desc, uri_length desc
| limit 10
Output
| _time | id | id_length | uri | uri_length | status | geo.country |
|---|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | verylong... | 87 | /api/... | 612 | 403 | Unknown |
This query identifies requests with abnormally long identifiers or URIs, which could indicate buffer overflow attempts or other injection attacks.
List of related functions
- substring: Extracts parts of strings. Use this with strlen to extract specific length substrings.
- isempty: Checks if a string is empty. Use this to test for zero-length strings more explicitly.
- countof: Counts substring occurrences. Use this when you need occurrence counts rather than total length.
- format_bytes: Formats bytes as strings. Use this to format length values for display.