Skip to main content
The countof_regex function counts occurrences of a regular expression pattern within a string. Use this function when you need to count complex patterns or character classes in log messages, requiring more flexibility than simple substring matching.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with max_match to count regex matches. APL’s countof_regex provides a more straightforward approach.
| rex field=message max_match=0 "error|warning"
| eval pattern_count=mvcount(rex)
In ANSI SQL, counting regex matches typically requires database-specific functions. APL’s countof_regex provides a standard approach.
SELECT REGEXP_COUNT(field, 'pattern') AS count FROM logs;

Usage

Syntax

countof_regex(text, regex)

Parameters

NameTypeRequiredDescription
textstringYesThe source string where pattern occurrences are counted.
regexstringYesThe regular expression pattern to search for within the text.

Returns

Returns the number of times the regex pattern matches in the text.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Count numeric patterns in URIs to identify parameterized endpoint usage.Query
['sample-http-logs']
| extend numeric_params = countof_regex(uri, '[0-9]+')
| where numeric_params > 0
| summarize avg_params = avg(numeric_params), request_count = count() by method
| sort by request_count desc
Run in PlaygroundOutput
methodavg_paramsrequest_count
GET1.83421
POST1.21876
PUT2.1654
DELETE1.5234
This query counts numeric parameters in request URIs using regex, helping identify how frequently parameterized endpoints are accessed by different HTTP methods.
  • countof: Counts plain substring occurrences. Use this when you need exact string matching without regex complexity.
  • extract: Extracts the first substring matching a regex. Use this when you need to capture the matched text, not just count occurrences.
  • extract_all: Extracts all substrings matching a regex. Use this when you need both the count and the actual matched values.
  • replace_regex: Replaces all regex matches with another string. Use this when you need to modify matched patterns rather than count them.