Skip to main content

Introduction

The parse_sql function parses a SQL statement string and returns a structured dictionary representing its components, such as tables, columns, conditions, and clauses. Use it to analyze SQL queries stored in your observability data, validate query structure, or extract specific parts of a SQL statement for further processing. parse_sql is useful in database monitoring scenarios where SQL queries are captured as strings in audit logs or trace attributes, and you want to understand query patterns, detect anomalies, or inspect query structure at scale.
parse_sql supports simple SQL queries. It doesn’t support stored procedures, window functions, common table expressions (CTEs), recursive queries, advanced statistical functions, or special join types.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk doesn’t have a native SQL parser function. You would typically use rex with regular expressions to extract parts of a SQL query string. APL’s parse_sql provides structured access to every clause of the SQL statement in a single call.
... | rex field=sql_query "FROM\s+(?<table_name>\w+)"
ANSI SQL has no built-in SQL parsing functions. parse_sql is unique to APL: it accepts a SQL string as input and returns a dictionary of its parsed components, enabling you to inspect and transform SQL statements using APL operators.
-- No direct SQL equivalent; you would use application-level string parsing

Usage

Syntax

parse_sql(sql_statement)

Parameters

NameTypeRequiredDescription
sql_statementstringYesThe SQL statement to parse.

Returns

A dictionary representing the structured data model of the SQL statement, including the statement type, selected columns, source tables, conditions, and ordering clauses.

Use case examples

Parse a SQL query that represents a slow-query log entry to inspect its structure.Query
print parsed_query = parse_sql('SELECT id, status, uri FROM requests WHERE req_duration_ms > 1000 ORDER BY req_duration_ms DESC')
Run in PlaygroundOutput
{
    "parsed_query": {
        "columns": [
            {
                "colname": "id"
            },
            {
                "colname": "status"
            },
            {
                "colname": "uri"
            }
        ],
        "from": [
            {
                "table": "requests"
            }
        ],
        "order": [
            {
                "direction": "desc",
                "expr": {
                    "colname": "req_duration_ms"
                }
            }
        ],
        "statement": "select",
        "where": {
            "operator": ">",
            "params": [
                {
                    "colname": "req_duration_ms"
                },
                {
                    "value": "1000",
                    "valtype": "integer"
                }
            ]
        }
    }
}
The query parses a slow-query SQL string and returns its structured representation, letting you extract specific clauses with parsed_query.from or parsed_query.columns.
  • format_sql: Converts the dictionary produced by parse_sql back into a SQL string. Use format_sql to normalize or round-trip a parsed query.
  • parse_json: Parses a JSON string into a dynamic dictionary. Use parse_json when your data contains JSON rather than SQL.
  • extract: Extracts a substring matching a regular expression from a string. Use extract for simple pattern matching when you don’t need full SQL parsing.