Skip to main content
The strlen function returns the length of a string in characters. Use this function to validate field lengths, filter by size constraints, or analyze text content patterns in your logs.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the len function. APL’s strlen provides the same functionality.
| eval length=len(field)
In ANSI SQL, you use LENGTH or LEN depending on the database. APL’s strlen provides standardized string length measurement.
SELECT LENGTH(field) AS length FROM logs;

Usage

Syntax

strlen(source)

Parameters

NameTypeRequiredDescription
sourcestringYesThe string to measure.

Returns

Returns the length of the string in characters (not bytes).

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Analyze URI lengths to identify potential long-URL attacks or data exfiltration attempts.Query
['sample-http-logs']
| extend uri_length = strlen(uri)
| summarize avg_length = avg(uri_length),
            max_length = max(uri_length),
            long_uri_count = countif(uri_length > 200) by method, status
| sort by max_length desc
| limit 10
Run in PlaygroundOutput
methodstatusavg_lengthmax_lengthlong_uri_count
GET20045.3512234
POST40438.738789
This query analyzes URI length patterns to identify unusually long requests that might indicate attacks or data exfiltration attempts.
  • substring: Extracts parts of strings. Use this with strlen to extract specific length substrings.
  • isempty: Checks if a string is empty. Use this to test for zero-length strings more explicitly.
  • countof: Counts substring occurrences. Use this when you need occurrence counts rather than total length.
  • format_bytes: Formats bytes as strings. Use this to format length values for display.