substring function extracts a substring from a source string starting at a specified position. Use this function to parse fixed-format logs, extract specific segments from structured strings, or truncate text fields.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.Splunk SPL users
Splunk SPL users
In Splunk SPL, you use the Note: Splunk uses 1-based indexing while APL uses 0-based indexing.
substr function. APL’s substring provides similar functionality with zero-based indexing.ANSI SQL users
ANSI SQL users
In ANSI SQL, you use
SUBSTRING with similar syntax. APL’s substring provides the same functionality.Usage
Syntax
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | The source string to extract from. |
| startingIndex | int | Yes | The zero-based starting position. |
| length | int | No | The number of characters to extract. If omitted, extracts to the end. |
Returns
Returns the extracted substring. Returns empty string if startingIndex is beyond the string length.Use case examples
- Log analysis
- OpenTelemetry traces
- Security logs
Extract specific segments from fixed-format URIs or identifiers.QueryRun in PlaygroundOutput
This query extracts API endpoints from URIs by taking specific character ranges, enabling analysis of API usage patterns.
| endpoint | method | request_count |
|---|---|---|
| users | GET | 2341 |
| orders | POST | 1987 |
| products | GET | 1654 |
List of related functions
- extract: Extracts substrings using regex. Use this when you need pattern-based extraction rather than position-based.
- split: Splits strings by delimiters. Use this when you need to tokenize rather than extract by position.
- strlen: Returns string length. Use this to calculate positions relative to string length.
- indexof: Finds substring positions. Use this to find dynamic starting positions for substring extraction.