The extract_all function retrieves all substrings that match a regular expression from a source string. Use this function when you need to capture multiple matches of a pattern, such as extracting all email addresses, URLs, or repeated patterns from log entries.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with max_match=0 to extract all matches. APL’s extract_all provides a more direct approach.
| rex field=message max_match=0 "error_(?<code>\d+)"
| mvexpand code
In ANSI SQL, extracting all regex matches typically requires recursive queries or database-specific functions. APL’s extract_all simplifies this operation.
SELECT REGEXP_EXTRACT_ALL(field, 'pattern') AS matches FROM logs;

Usage

Syntax

extract_all(regex, captureGroups, text)

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| regex | string | Yes | A regular expression with one or more capture groups. |
| captureGroups | dynamic array | Yes | An array of capture group numbers to extract (e.g., dynamic([1]) or dynamic([1,2])). |
| text | string | Yes | The source string to search. |

Returns

Returns a dynamic array containing all matches. For single capture groups, returns a one-dimensional array. For multiple capture groups, returns a two-dimensional array.

Use case examples

Log analysis

Extract all numeric values from URIs to analyze parameter patterns in API requests.

Query
['sample-http-logs']
| extend numbers = extract_all('([0-9]+)', dynamic([1]), uri)
| where array_length(numbers) > 0
| project _time, uri, numbers, method
| limit 10
Output

| _time | uri | numbers | method |
| --- | --- | --- | --- |
| 2024-11-06T10:00:00Z | /api/users/123/posts/456 | ["123", "456"] | GET |
| 2024-11-06T10:01:00Z | /products/789 | ["789"] | GET |
| 2024-11-06T10:02:00Z | /orders/111/items/222/details/333 | ["111", "222", "333"] | POST |
This query extracts all numeric values from URIs, helping analyze how many IDs are typically passed in API requests and their patterns.
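The query above uses a single capture group. The following added example (not part of the original documentation) passes two capture groups, so each match comes back as a [name, value] pair in the two-dimensional form described under Returns. It assumes the uri field of sample-http-logs can carry a query string; the params column name is hypothetical.

```kusto
// Added example: collect every name=value pair from the query string of a URI.
// Capture group 1 is the parameter name, capture group 2 is its value.
// Assumption: uri may contain a query string such as ?a=1&b=2.
['sample-http-logs']
| extend params = extract_all('[?&]([^=&]+)=([^&]*)', dynamic([1, 2]), uri)
// Keep only rows where at least one pair matched.
| where array_length(params) > 0
| project _time, method, uri, params
| limit 10
```

Reviewing the params column per request makes it easier to spot parameter names that an endpoint is not expected to receive.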
  • extract: Extracts only the first match of a regex pattern. Use this when you only need the first occurrence rather than all matches.
  • split: Splits strings by a delimiter into an array. Use this for simpler tokenization without regex complexity.
  • parse_json: Parses JSON strings into dynamic objects. Use this when working with structured JSON data rather than regex patterns.
  • countof_regex: Counts regex pattern occurrences. Use this when you only need the count of matches, not the actual matched text.