The extract function retrieves the first substring that matches a regular expression from a source string. Use this function when you need to pull out specific patterns from log messages, URLs, or any text field using regex capture groups.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with named or numbered groups. APL’s extract is similar, but you select the group by its number (the captureGroup parameter) rather than by a name.
| rex field=message "user=(?<username>\w+)"
Regex extraction is not part of ANSI SQL; the function name and its arguments vary by database (the six-argument REGEXP_SUBSTR below is the Oracle-style form). APL’s extract provides a consistent approach across all data.
SELECT REGEXP_SUBSTR(field, 'pattern', 1, 1, NULL, 1) AS extracted FROM logs;

Usage

Syntax

extract(regex, captureGroup, text)

Parameters

Name | Type | Required | Description
regex | string | Yes | A regular expression pattern with optional capture groups.
captureGroup | int | Yes | The capture group to extract. Use 0 for the entire match, 1 for the first group, 2 for the second, and so on.
text | string | Yes | The source string to search.

Returns

Returns the substring matched by the specified capture group, or null if no match is found.
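To make the semantics above concrete (first match only, group 0 is the whole match, null when nothing matches), here is an added Python model of extract() run over a few constructed request URIs. This is example code written for this page, not Axiom's implementation; it assumes Python's re module behaves like APL's regex engine for these simple patterns, and it returns None when the requested group index exceeds the number of groups in the pattern, which is an assumption because the page does not say what APL does in that case. It also goes one step beyond the page by showing why an unanchored pattern such as '/users/([0-9]+)' can pick up IDs from places other than the path prefix.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

def extract(regex: str, capture_group: int, text: str) -> Optional[str]:
    """Model of APL's extract(regex, captureGroup, text).

    Returns the text captured by capture_group in the FIRST match of regex
    in text (group 0 is the entire match), or None (APL null) when there is
    no match. Assumption: out-of-range group numbers also yield None.
    """
    match = re.search(regex, text)
    if match is None:
        return None
    if capture_group > match.re.groups:
        return None  # assumption: not specified by the page
    return match.group(capture_group)

# The pattern from the page's query, and an anchored variant that only
# accepts an ID that directly follows a leading '/users/' path segment.
USER_ID_PATTERN = r"/users/([0-9]+)"
ANCHORED_USER_ID_PATTERN = r"^/users/([0-9]+)(?:/|$)"

# Constructed sample requests (method, uri); not from any real dataset.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/users/12345"),
    ("GET", "/users/12345"),
    ("POST", "/users/67890/settings"),
    ("GET", "/api/v2/users/99"),           # unanchored pattern matches here
    ("GET", "/search?q=/users/1&page=2"),  # ... and inside a query string
    ("GET", "/users/abc"),                 # no numeric ID -> null
    ("GET", "/health"),                    # no match at all -> null
]

def requests_per_user(
    requests: Sequence[Tuple[str, str]], regex: str = USER_ID_PATTERN
) -> List[Tuple[Tuple[str, str], int]]:
    """Mirror of the page's query: extend user_id = extract(...),
    where isnotempty(user_id), summarize count() by user_id, method,
    sort by request_count desc. Returns [((user_id, method), count), ...]."""
    counts: Dict[Tuple[str, str], int] = {}
    for method, uri in requests:
        user_id = extract(regex, 1, uri)
        if not user_id:  # isnotempty(): drops both null and ''
            continue
        key = (user_id, method)
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    # Group 0 is the whole match; group 1 is the ID; no match is None.
    print(extract(USER_ID_PATTERN, 0, "/users/12345"))   # /users/12345
    print(extract(USER_ID_PATTERN, 1, "/users/12345"))   # 12345
    print(extract(USER_ID_PATTERN, 1, "/health"))        # None
    # Only the first match is returned, even if the text has several.
    print(extract(r"user=(\w+)", 1, "user=alice user=bob"))  # alice
    # Unanchored vs anchored pattern over the same requests.
    for pattern in (USER_ID_PATTERN, ANCHORED_USER_ID_PATTERN):
        print(pattern, requests_per_user(SAMPLE_REQUESTS, pattern))
```

With the unanchored pattern, the "user IDs" 99 and 1 come from a versioned API path and a query-string parameter respectively, which is rarely what an analyst counting per-user traffic wants; the anchored variant keeps only 12345 and 67890. Since extract returns null on no match, filter with isnotempty (or isnotnull) before summarizing rather than comparing against an empty string.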

Use case examples

Log analysis

Extract user IDs from HTTP request URIs to identify which users are accessing specific endpoints.

Query
['sample-http-logs']
| extend user_id = extract('/users/([0-9]+)', 1, uri)
| where isnotempty(user_id)
| summarize request_count = count() by user_id, method
| sort by request_count desc
| limit 10
Output
user_id | method | request_count
12345 | GET | 234
67890 | POST | 187
11111 | GET | 156
22222 | PUT | 98
This query extracts numeric user IDs from URIs like ‘/users/12345’ using a regex capture group, helping analyze per-user API usage patterns. Note that the pattern is not anchored, so it also matches ‘/users/’ wherever it appears in the URI, including inside a query string; anchor it (for example with ^) if you only want IDs that start the path.
  • extract_all: Extracts all matches of a regex pattern. Use this when you need multiple matches instead of just the first one.
  • parse_json: Parses JSON strings into dynamic objects. Use this when working with structured JSON data rather than regex patterns.
  • split: Splits strings by a delimiter. Use this for simpler tokenization without regex complexity.
  • replace_regex: Replaces regex matches with new text. Use this when you need to modify matched patterns rather than extract them.