replace_string function replaces all occurrences of a plain string with another string. Use this function when you need exact string matching without regular expression patterns, which makes it faster and simpler than regex-based replacement.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.Splunk SPL users
Splunk SPL users
In Splunk SPL, you use
replace for simple string replacements. APL’s replace_string provides the same functionality.ANSI SQL users
ANSI SQL users
In ANSI SQL, you use
REPLACE for string replacements. APL’s replace_string provides similar functionality.Usage
Syntax
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| lookup | string | Yes | The plain string to search for and replace. |
| rewrite | string | Yes | The replacement string. |
| text | string | Yes | The source string to perform replacements on. |
Returns
Returns the text with all occurrences of the lookup string replaced by the rewrite string. Matches do not overlap.Use case examples
- Log analysis
- OpenTelemetry traces
- Security logs
Normalize HTTP methods by replacing abbreviations with full names for consistency.QueryRun in PlaygroundOutput
This query replaces HTTP method abbreviations with descriptive action names, making logs more readable for non-technical audiences.
| normalized_method | status | request_count |
|---|---|---|
| Retrieve | 200 | 5432 |
| Create | 201 | 2341 |
| Retrieve | 404 | 1234 |
| Update | 200 | 987 |
List of related functions
- replace: Replaces strings using regular expressions. Use this when you need pattern matching capabilities.
- replace_regex: Alias for replace with regex support. Use this for pattern-based replacements.
- strcat: Concatenates strings. Use this when building new strings rather than replacing parts of existing ones.
- substring: Extracts parts of strings. Use this when you need to extract rather than replace text.