The trim_start_regex function removes all leading matches of a regular expression pattern from a string. Use this function to remove complex patterns from string beginnings, clean structured log prefixes, or normalize data with pattern-based trimming.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with mode=sed for pattern-based trimming. APL's trim_start_regex provides a more direct approach.
['sample-http-logs']
| extend cleaned = trim_start_regex('pattern', field)In ANSI SQL, regex-based trimming requires database-specific functions. APL's trim_start_regex provides standardized pattern-based trimming.
['sample-http-logs']
| extend cleaned = trim_start_regex('pattern', field)Usage
Syntax
trim_start_regex(regex, text)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| regex | string | Yes | The regular expression pattern to remove from the beginning. |
| text | string | Yes | The source string to trim. |
Returns
Returns the source string with leading regex matches removed.
Use case examples
Remove protocol and host prefixes from full URLs to extract paths.
Query
['sample-http-logs']
| extend full_url = strcat('https://api.example.com', uri)
| extend path_only = trim_start_regex('https?://[^/]+', full_url)
| summarize request_count = count() by path_only, method
| sort by request_count desc
| limit 10Output
| path_only | method | request_count |
|---|---|---|
| /api/users | GET | 2341 |
| /api/orders | POST | 1987 |
This query strips protocol and host information from URLs to focus on path-based analysis.
Remove environment and instance prefixes from service names using regex.
Query
['otel-demo-traces']
| extend cleaned_service = trim_start_regex('^(prod|dev|staging)-[0-9]+-', ['service.name'])
| summarize span_count = count() by cleaned_service
| sort by span_count desc
| limit 10Output
| cleaned_service | span_count |
|---|---|
| frontend | 4532 |
| checkout | 3421 |
| cart | 2987 |
This query removes environment names and instance numbers from the beginning of service names, enabling service-level aggregation across all deployments.
Remove timestamp or log level prefixes from security event messages.
Query
['sample-http-logs']
| extend simulated_message = strcat('ERROR: ', uri)
| extend cleaned_message = trim_start_regex('^(ERROR|WARN|INFO): ', simulated_message)
| project _time, simulated_message, cleaned_message, id, status
| limit 10Output
| _time | simulated_message | cleaned_message | id | status |
|---|---|---|---|---|
| 2024-11-06T10:00:00Z | ERROR: /admin | /admin | user123 | 403 |
This query removes log level prefixes from security messages, extracting the core message content for analysis.
List of related functions
- trim_start: Removes leading characters. Use this for simple character-based trimming without regex.
- trim_regex: Removes both leading and trailing regex matches. Use this for bidirectional pattern trimming.
- replace_regex: Replaces regex matches. Use this when you need to replace patterns rather than just remove leading ones.
- trim_end_regex: Removes trailing regex matches. Use this to trim patterns from the end.