The replace function replaces all matches of a regular expression pattern with another string. Use this function to clean log data, redact sensitive information, normalize formats, or transform text patterns in your queries.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with mode=sed for replacements. APL’s replace provides regex replacement with capture group support.
| rex field=message mode=sed "s/pattern/replacement/g"
In ANSI SQL, you use REGEXP_REPLACE with varying syntax by database. APL’s replace provides standardized regex replacement.
SELECT REGEXP_REPLACE(field, 'pattern', 'replacement') AS cleaned FROM logs;

Usage

Syntax

replace(regex, rewrite, text)

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| regex | string | Yes | The regular expression pattern to search for. Can include capture groups in parentheses. |
| rewrite | string | Yes | The replacement string. Use $0 for the entire match, $1 for the first capture group, $2 for the second, etc. |
| text | string | Yes | The source string to perform replacements on. |

Returns

Returns the text with all regex matches replaced by the rewrite pattern. Matches do not overlap.

Use case examples

Redact sensitive information like email addresses or API keys from logs for privacy compliance.

Query
['sample-http-logs']
| extend cleaned_uri = replace('[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}', '[EMAIL_REDACTED]', uri)
| extend cleaned_uri = replace('apikey=[^&]+', 'apikey=[REDACTED]', cleaned_uri)
| project _time, uri, cleaned_uri, status
| limit 10
Output

| _time | uri | cleaned_uri | status |
|---|---|---|---|
| 2024-11-06T10:00:00Z | /api?email=user@example.com | /api?email=[EMAIL_REDACTED] | 200 |
| 2024-11-06T10:01:00Z | /api?apikey=abc123def456 | /api?apikey=[REDACTED] | 200 |
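This query redacts email addresses and API keys from URIs using regex patterns, ensuring sensitive data is not exposed in logs or reports. The query still projects the original uri column alongside cleaned_uri; drop uri from project when the results are shared.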
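The check below is an added example, not part of the original page or Axiom's own code: it runs the two patterns from the query against constructed URIs to show which variants slip past them, next to hardened variants. Python's re module stands in for APL's regex engine; the sample URIs, the hardened patterns, and the assumption that APL accepts the inline (?i) flag are this example's own.

```python
import re

# Patterns from the query above (the APL literal '\\.' is the regex '\.').
PAGE = {
    "email": r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}",
    "key": r"apikey=[^&]+",
    "key_rewrite": "apikey=[REDACTED]",
}
# Hardened variants: assumptions of this example, not from the page.
# (?i) ignores case, (?:@|%40) also accepts a percent-encoded "@", and the
# capture group keeps the parameter name as written (\1 here, $1 in APL).
HARDENED = {
    "email": r"(?i)[a-z0-9._%+-]+(?:@|%40)[a-z0-9.-]+\.[a-z]{2,}",
    "key": r"(?i)(apikey=)[^&]+",
    "key_rewrite": r"\1[REDACTED]",
}

# Constructed test URIs, each paired with the secret that must not survive.
SAMPLES = [
    ("/api?email=user@example.com", "user@example.com"),
    ("/api?email=User@Example.COM", "User@Example.COM"),
    ("/api?email=user%40example.com&x=1", "user%40example.com"),
    ("/api?apikey=abc123def456&page=2", "abc123def456"),
    ("/api?ApiKey=abc123def456", "abc123def456"),
]

def redact(uri, rules):
    """Apply the email rule, then the API key rule, like the two extend steps."""
    out = re.sub(rules["email"], "[EMAIL_REDACTED]", uri)
    return re.sub(rules["key"], rules["key_rewrite"], out)

def leaks(rules, samples=SAMPLES):
    """Return the URIs whose secret is still present after redaction."""
    return [uri for uri, secret in samples if secret in redact(uri, rules)]

if __name__ == "__main__":
    for name, rules in (("page", PAGE), ("hardened", HARDENED)):
        print(name, "leaks:", leaks(rules))
        for uri, _ in SAMPLES:
            print("   ", uri, "->", redact(uri, rules))
```

Running the same kind of sample set against a redaction pattern before relying on it shows which encodings and casings of a secret the pattern misses.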

List of related functions

  • replace_regex: Alias for replace with regex support. Use either name based on preference.
  • replace_string: Replaces plain string matches without regex. Use this for simpler, faster replacements when regex is not needed.
  • extract: Extracts regex matches without replacement. Use this when you need to capture text rather than modify it.
  • split: Splits strings by delimiters. Use this when tokenizing rather than replacing.