The trim_start function removes all leading occurrences of specified characters from a string. Use this function to clean log data, remove leading whitespace or special characters, or standardize string formats by removing unwanted prefixes.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use ltrim for leading whitespace. APL's trim_start provides more flexibility with custom character sets.
['sample-http-logs']
| extend cleaned = trim_start(' ', field)In ANSI SQL, you use LTRIM for leading characters. APL's trim_start provides similar functionality.
['sample-http-logs']
| extend cleaned = trim_start(' ', field)Usage
Syntax
trim_start(cutset, text)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| cutset | string | Yes | A string containing characters to remove from the beginning. |
| text | string | Yes | The source string to trim. |
Returns
Returns the source string with all leading characters in the cutset removed.
Use case examples
Remove leading slashes from URIs for consistent path analysis.
Query
['sample-http-logs']
| extend cleaned_uri = trim_start('/', uri)
| summarize request_count = count() by cleaned_uri, method
| sort by request_count desc
| limit 10Output
| cleaned_uri | method | request_count |
|---|---|---|
| api/users | GET | 2341 |
| api/orders | POST | 1987 |
| api/products | GET | 1654 |
This query removes leading slashes from URIs, standardizing path formats for consistent grouping and analysis.
Remove environment prefixes from service names for cross-environment analysis.
Query
['otel-demo-traces']
| extend cleaned_service = trim_start('prod-dev-staging-', ['service.name'])
| summarize span_count = count() by cleaned_service
| sort by span_count desc
| limit 10Output
| cleaned_service | span_count |
|---|---|
| frontend | 4532 |
| checkout | 3421 |
| cart | 2987 |
This query removes common environment prefix characters from service names, enabling aggregation across different deployment environments.
Remove leading special characters from URIs to detect obfuscated attack patterns.
Query
['sample-http-logs']
| extend cleaned_uri = trim_start('./', uri)
| extend is_traversal = indexof(cleaned_uri, '..') >= 0
| where is_traversal
| project _time, uri, cleaned_uri, is_traversal, id, ['geo.country']
| limit 10Output
| _time | uri | cleaned_uri | is_traversal | id | geo.country |
|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | ./../../etc/passwd |
../../etc/passwd |
true | user123 | Unknown |
This query cleans leading dot and slash characters to reveal path traversal patterns that might be obfuscated with leading characters.
List of related functions
- trim_end: Removes trailing characters. Use this to trim from the end instead of the beginning.
- trim: Removes both leading and trailing characters. Use this when you need to clean both ends.
- trim_start_regex: Removes leading matches using regex. Use this for pattern-based trimming.
- replace_string: Replaces strings. Use this when you need to remove characters from anywhere, not just the start.