Skip to main content
The split function splits a string into an array of substrings based on a delimiter. Use this function to tokenize log messages, parse delimited data, or break down structured text into individual components for analysis.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the split function similarly. APL’s split provides the same functionality.
| eval parts=split(field, ",")
In ANSI SQL, string splitting varies by database. APL’s split provides standardized string splitting.
SELECT STRING_SPLIT(field, ',') AS parts FROM logs;

Usage

Syntax

split(source, delimiter)

Parameters

NameTypeRequiredDescription
sourcestringYesThe source string to split.
delimiterstringYesThe delimiter string to split on.

Returns

Returns a string array containing the substrings separated by the delimiter.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Split URI paths into segments for hierarchical analysis of API endpoint structure.Query
['sample-http-logs']
| extend path_segments = split(uri, '/')
| extend segment_count = array_length(path_segments)
| extend first_segment = tostring(path_segments[1])
| summarize request_count = count() by first_segment, segment_count
| sort by request_count desc
| limit 10
Run in PlaygroundOutput
first_segmentsegment_countrequest_count
api45432
users32341
products31987
This query splits URIs by forward slashes to analyze API endpoint hierarchy and identify the most accessed top-level paths.
  • parse_csv: Parses CSV strings with proper quote handling. Use this for CSV data instead of split.
  • extract_all: Extracts multiple regex matches. Use this when you need pattern-based tokenization.
  • strcat_delim: Concatenates strings with delimiters. Use this to reverse the split operation.
  • indexof: Finds delimiter positions. Use this when you need to know where splits would occur.