The indexof function reports the zero-based index of the first occurrence of a specified string within an input string. Use this function to find the position of substrings, validate string formats, or extract parts of strings based on delimiter positions.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you might use searchmatch or string manipulation. APL’s indexof provides a direct way to find substring positions.
| eval pos=if(match(field, "search"), strpos(field, "search"), -1)
In ANSI SQL, you use POSITION() or INSTR() to find substring positions. APL’s indexof provides similar functionality with additional parameters.
SELECT POSITION('search' IN field) - 1 AS pos FROM logs;

Usage

Syntax

indexof(source, lookup, start_index, length, occurrence)

Parameters

Name         Type    Required  Description
source       string  Yes       The input string to search within.
lookup       string  Yes       The string to search for.
start_index  int     No        The position to start searching from (default: 0).
length       int     No        Number of character positions to examine. Use -1 for unlimited (default: -1).
occurrence   int     No        The occurrence number to find (default: 1 for first occurrence).

Returns

Returns the zero-based index position of the first occurrence of the lookup string, or -1 if not found.

Use case examples

Log analysis

Find the position of API version indicators in URIs to categorize and analyze API usage patterns.

Query

['sample-http-logs']
| extend api_pos = indexof(uri, '/api/')
| where api_pos >= 0
| extend has_version = indexof(uri, '/v', api_pos)
| project _time, uri, api_pos, has_version, method, status
| limit 10

Output

_time                 uri             api_pos  has_version  method  status
2024-11-06T10:00:00Z  /api/v2/users   0        4            GET     200
2024-11-06T10:01:00Z  /api/products   0        -1           GET     200
2024-11-06T10:02:00Z  /api/v1/orders  0        4            POST    201

This query finds the position of API indicators in URIs, helping identify versioned versus unversioned API endpoints.
  • substring: Extracts a substring from a source string. Use this together with indexof to extract parts of strings based on found positions.
  • strlen: Returns the length of a string. Use this with indexof to calculate positions relative to string length.
  • extract: Extracts substrings using regular expressions. Use this when you need pattern matching instead of simple substring positions.
  • split: Splits strings by delimiters. Use this when you want to tokenize rather than find positions.
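
The substring and strlen pairing from the list above, as an added example that is not part of the original page: it extracts the path segment that follows '/api/' and guards the -1 "not found" result before using it as a length. The column names seg_start, seg_end and segment are chosen here for illustration; the dataset and fields are the ones used in the query above.

```kusto
['sample-http-logs']
| extend api_pos = indexof(uri, '/api/')
| where api_pos >= 0
// Index of the first character after '/api/'.
| extend seg_start = api_pos + strlen('/api/')
// Next '/' at or after seg_start; -1 when the segment runs to the end of the URI.
| extend seg_end = indexof(uri, '/', seg_start)
// Check for -1 before computing a length; otherwise the length would be negative.
| extend segment = iff(seg_end >= 0, substring(uri, seg_start, seg_end - seg_start), substring(uri, seg_start))
| project _time, uri, segment, method, status
| limit 10
```

For the sample rows shown earlier, /api/v2/users yields the segment v2, while /api/products has no further '/' and yields products.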