The substring function extracts a substring from a source string starting at a specified position. Use this function to parse fixed-format logs, extract specific segments from structured strings, or truncate text fields.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the substr function. APL's substring provides similar functionality with zero-based indexing.
```
['sample-http-logs']
| extend extracted = substring(field, 4, 10)
```
Note: Splunk uses 1-based indexing while APL uses 0-based indexing.
In ANSI SQL, you use SUBSTRING with similar syntax. APL's substring provides the same functionality.
```
['sample-http-logs']
| extend extracted = substring(field, 4, 10)
```
Usage
Syntax
```
substring(source, startingIndex, length)
```
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | The source string to extract from. |
| startingIndex | int | Yes | The zero-based starting position. |
| length | int | No | The number of characters to extract. If omitted, extracts to the end. |
Returns
Returns the extracted substring, or an empty string if startingIndex is beyond the end of the source string.
Use case examples
Extract specific segments from fixed-format URIs or identifiers.
Query
```
['sample-http-logs']
| extend api_version = substring(uri, 1, 4)
| where api_version == 'api/'
| extend endpoint = substring(uri, 5, 20)
| summarize request_count = count() by endpoint, method
| sort by request_count desc
| limit 10
```
Output
| endpoint | method | request_count |
|---|---|---|
| users | GET | 2341 |
| orders | POST | 1987 |
| products | GET | 1654 |
This query extracts API endpoints from URIs by taking specific character ranges, enabling analysis of API usage patterns.
Extract prefixes from trace IDs for partitioning or routing analysis.
Query
```
['otel-demo-traces']
| extend trace_prefix = substring(trace_id, 0, 4)
| extend trace_suffix = substring(trace_id, strlen(trace_id) - 4, 4)
| summarize span_count = count() by trace_prefix
| sort by span_count desc
| limit 10
```
Output
| trace_prefix | span_count |
|---|---|
| abcd | 1234 |
| ef12 | 1123 |
| 89ab | 987 |
This query extracts trace ID prefixes to analyze trace distribution patterns, which can help with load balancing and trace routing strategies.
Extract and analyze specific segments of suspicious URIs or user identifiers.
Query
```
['sample-http-logs']
| extend uri_start = substring(uri, 0, 10)
| extend uri_has_exploit = indexof(uri_start, '..') >= 0 or indexof(uri_start, '<script') >= 0
| where uri_has_exploit
| project _time, uri, uri_start, uri_has_exploit, id, status, ['geo.country']
| limit 10
```
Output
| _time | uri | uri_start | uri_has_exploit | id | status | geo.country |
|---|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | ../../etc/passwd | ../../etc/ | true | user123 | 403 | Unknown |
| 2024-11-06T10:01:00Z | <script>alert(1) | <script>al | true | user456 | 403 | Russia |
This query extracts the beginning of URIs to quickly identify common attack patterns like path traversal or XSS attempts.
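As an added example (not part of Axiom's documentation or APL itself), the following Python models the substring semantics described on this page and runs the prefix check from the query above over constructed sample rows next to a whole-URI check, showing that a 10-character prefix misses a marker that appears deeper in the path. The `substring` and `splunk_substr` helpers, the sample rows and the clamping of negative start indexes are assumptions made for this example.

```python
"""Model of APL substring() semantics and the URI-prefix check from this page.

Added example, not Axiom's code: the helper mirrors the documented behaviour
(zero-based start, optional length, empty string when the start is past the
end). Negative starts are clamped to 0 as an assumption. Sample rows are
constructed, not real log data.
"""
from typing import Optional


def substring(source: str, starting_index: int, length: Optional[int] = None) -> str:
    """APL-style substring: zero-based start, optional length, '' past the end."""
    if starting_index < 0:
        starting_index = 0  # assumption: clamp rather than wrap like Python slices
    if starting_index >= len(source):
        return ""
    if length is None:
        return source[starting_index:]
    return source[starting_index:starting_index + max(length, 0)]


def splunk_substr(source: str, start: int, length: Optional[int] = None) -> str:
    """Splunk-style 1-based substr, expressed via the 0-based APL form."""
    return substring(source, start - 1, length)


SUSPICIOUS = ("..", "<script")

# Constructed sample rows in the shape of ['sample-http-logs'].
SAMPLE_ROWS = [
    {"id": "user123", "uri": "../../etc/passwd", "status": 403},
    {"id": "user456", "uri": "<script>alert(1)", "status": 403},
    {"id": "user789", "uri": "/static/images/../../etc/passwd", "status": 404},
    {"id": "user000", "uri": "/api/users", "status": 200},
]


def prefix_hits(rows, prefix_len: int = 10):
    """The page's query: test only substring(uri, 0, 10) for the markers."""
    return [r["id"] for r in rows
            if any(substring(r["uri"], 0, prefix_len).find(s) >= 0 for s in SUSPICIOUS)]


def full_uri_hits(rows):
    """Same marker test over the whole URI (indexof on uri instead of uri_start)."""
    return [r["id"] for r in rows if any(r["uri"].find(s) >= 0 for s in SUSPICIOUS)]
```

Comparing the two result lists shows which rows the prefix-only form leaves unflagged; in APL the equivalent fix is to run indexof against uri rather than uri_start.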
List of related functions
- extract: Extracts substrings using regex. Use this when you need pattern-based extraction rather than position-based.
- split: Splits strings by delimiters. Use this when you need to tokenize rather than extract by position.
- strlen: Returns string length. Use this to calculate positions relative to string length.
- indexof: Finds substring positions. Use this to find dynamic starting positions for substring extraction.