The replace_regex function replaces all matches of a regular expression pattern with another string. This function is an alias for replace and provides the same functionality for regex-based text replacement.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex with mode=sed for regex replacements. APL’s replace_regex provides the same functionality with simpler syntax.
| rex field=message mode=sed "s/error_([0-9]+)/ERROR-\\1/g"
In ANSI SQL, you use REGEXP_REPLACE for regex replacements. APL’s replace_regex provides similar functionality with consistent syntax.
SELECT REGEXP_REPLACE(field, 'pattern', 'replacement', 'g') AS result FROM logs;

Usage

Syntax

replace_regex(regex, rewrite, text)

Parameters

Name     Type    Required  Description
regex    string  Yes       The regular expression pattern to search for. Can include capture groups.
rewrite  string  Yes       The replacement string. Use $0 for the entire match, $1 for the first capture group, $2 for the second, etc.
text     string  Yes       The source string to perform replacements on.

Returns

Returns the text with all regex matches replaced by the rewrite pattern. Matches are non-overlapping: once a match is replaced, the search continues after it.
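The following query is an added example (not from the page) that exercises the rewrite syntax on a constructed input string. It uses the sample-http-logs dataset only as a row source; the text being rewritten is the literal assigned to sample, and every column name is my own choice.

```kusto
// Added example: how $0, capture groups, anchoring and non-matching patterns behave.
['sample-http-logs']
| limit 1
| extend sample = 'id=42 session=abc123 id=7'   // constructed input string
| project
    // $0 stands for the entire match, so every digit run is wrapped in angle brackets
    whole_match = replace_regex('[0-9]+', '<$0>', sample),
    // $1 and $2 reference the capture groups; both id=... pairs are rewritten as id:...
    groups      = replace_regex('(id)=([0-9]+)', '$1:$2', sample),
    // a pattern that never matches leaves the text untouched
    no_match    = replace_regex('missing', 'X', sample),
    // an anchored pattern can only match once, so just the leading id=... pair changes
    anchored    = replace_regex('^id=([0-9]+)', 'first_id=$1', sample)
```

Compare whole_match with anchored: without anchors, replace_regex rewrites every non-overlapping occurrence, which is why the status-code patterns further down this page use ^ and $ to make each rule apply to the whole value exactly once.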

Use case examples

Log analysis

Standardize HTTP status codes by adding descriptive prefixes for better readability.

Query
['sample-http-logs']
| extend formatted_status = replace_regex('^(2[0-9]{2})$', 'SUCCESS-$1', status)
| extend formatted_status = replace_regex('^(4[0-9]{2})$', 'CLIENT_ERROR-$1', formatted_status)
| extend formatted_status = replace_regex('^(5[0-9]{2})$', 'SERVER_ERROR-$1', formatted_status)
| summarize request_count = count() by formatted_status
| sort by request_count desc
| limit 10
Output

formatted_status    request_count
SUCCESS-200         8765
CLIENT_ERROR-404    2341
SERVER_ERROR-500    1234
CLIENT_ERROR-403    987
This query adds descriptive prefixes to status codes using regex capture groups, making log analysis more intuitive.
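The query above chains several extend steps, each feeding the previous result into the next replace_regex call. The following added example (mine, not from the page) applies the same chaining to a common security-log task: reducing URI cardinality and masking secret-looking query parameters before counting client errors per route. It assumes the sample-http-logs dataset exposes uri and method string fields alongside status, and the parameter names token, api_key and session are hypothetical choices for what to mask.

```kusto
// Added example: normalize and redact request URIs, then aggregate 4xx responses by route.
['sample-http-logs']
// Collapse UUID path segments first: if the numeric rule ran first it would rewrite the
// leading digits of a UUID and the UUID pattern would no longer match.
| extend route = replace_regex('/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}', '/{uuid}', uri)
// Then collapse purely numeric path segments, e.g. /users/42 -> /users/{id}
| extend route = replace_regex('/[0-9]+', '/{id}', route)
// Mask the value of secret-looking query parameters (hypothetical names) while keeping the key,
// which is captured as $1
| extend route = replace_regex('([?&](?:token|api_key|session)=)[^&]+', '$1[REDACTED]', route)
| where status startswith '4'
| summarize client_errors = count() by route, method
| sort by client_errors desc
| limit 10
```

Because each step overwrites route, the order of the extend lines matters: put the most specific pattern first and the broadest last, and redact before any summarize or export so that the raw secret never reaches the aggregated result.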
List of related functions

  • replace: Alias for replace_regex. Use either name based on preference.
  • replace_string: Replaces plain string matches without regex. Use this for faster replacement when regex patterns are not needed.
  • extract: Extracts the first regex match. Use this when you need to capture text rather than modify it.
  • extract_all: Extracts all regex matches. Use this when you need multiple captured values without replacement.