Skip to main content
Use the indexof_regex function to find the position of the first match of a regular expression in a string. The function is helpful when you want to locate a pattern within a larger text field and take action based on its position. For example, you can use indexof_regex to extract fields from semi-structured logs, validate string formats, or trigger alerts when specific patterns appear in log data. The function returns the zero-based index of the first match. If no match is found, it returns -1. Use indexof_regex when you need more flexibility than simple substring search (indexof), especially when working with dynamic or non-fixed patterns.
All regex functions of APL use the RE2 regex syntax.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Use match() in Splunk SPL to perform regular expression matching. However, match() returns a Boolean, not the match position. APL’s indexof_regex is similar to combining match() with additional logic to extract position, which isn’t natively supported in SPL.
... | eval match_index=if(match(field, "pattern"), 0, -1)
ANSI SQL doesn’t have a built-in function to return the index of a regex match. You typically use REGEXP_LIKE for Boolean evaluation. indexof_regex provides a more direct and powerful way to find the exact match position in APL.
SELECT CASE WHEN REGEXP_LIKE(field, 'pattern') THEN 0 ELSE -1 END FROM table;

Usage

Syntax

indexof_regex(string, match [, start [, occurrence [, length]]])

Parameters

NameTypeRequiredDescription
stringstringYesThe input text to inspect.
matchstringYesThe regular expression pattern to search for.
startintThe index in the string where to begin the search. If negative, the function starts that many characters from the end.
occurrenceintWhich instance of the pattern to match. Defaults to 1 if not specified.
lengthintThe number of characters to search through. Use -1 to search to the end of the string.

Returns

The function returns the position (starting at zero) where the pattern first matches within the string. If the pattern isn’t found, the result is -1. The function returns null in the following cases:
  • The start value is negative.
  • The occurrence value is less than 1.
  • The length is set to a value below -1.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Use indexof_regex to detect whether the URI in a log entry contains an encoded user ID by checking for patterns like user-[0-9]+.Query
['sample-http-logs']
| extend user_id_pos = indexof_regex(uri, 'user-[0-9]+')
| where user_id_pos != -1
| project _time, id, uri, user_id_pos
Run in PlaygroundOutput
_timeiduriuser_id_pos
2025-06-10T12:34:56Zuser42/api/user-12345/settings5
2025-06-10T12:35:07Zuser91/v2/user-6789/dashboard4
The query finds log entries where the URI contains a user ID pattern and shows the position of the match in the URI string.