This page explains how to use the len function in APL.
Use the len function in APL (Axiom Processing Language) to determine the length of a string or the number of elements in an array. This function is useful when you want to filter, sort, or analyze data based on the size of a value—whether that’s the number of characters in a request URL or the number of cities associated with a user.
Use len when you need to:
- Measure string lengths (for example, long request URIs).
- Count elements in dynamic arrays (such as tags or multi-value fields).
- Create conditional expressions based on the length of values.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In Splunk SPL, you often use the len function within eval or where expressions to determine string length or array size. In APL, len works similarly, but is used as a standalone scalar function.
ANSI SQL users
ANSI SQL users
In ANSI SQL, you use LENGTH() for strings and CARDINALITY() for arrays. In APL, len handles both cases—string and array—depending on the input type.
Usage
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| value | string or array | The input to measure—either a string or an array. |
Returns
- If
valueis a string, returns the number of characters. - If
valueis an array, returns the number of elements. - Returns
nullif the input isnull.
Use case examples
Use len to find requests with long URIs, which might indicate poorly designed endpoints or potential abuse.
Query
Output
| _time | id | uri | uri_length |
|---|---|---|---|
| 2025-06-18T12:34:00Z | user123 | /api/products/search?query=… | 132 |
| 2025-06-18T12:35:00Z | user456 | /download/file/very/long/path/… | 141 |
The query filters logs for URIs longer than 100 characters and displays their lengths.
Use len to find requests with long URIs, which might indicate poorly designed endpoints or potential abuse.
Query
Output
| _time | id | uri | uri_length |
|---|---|---|---|
| 2025-06-18T12:34:00Z | user123 | /api/products/search?query=… | 132 |
| 2025-06-18T12:35:00Z | user456 | /download/file/very/long/path/… | 141 |
The query filters logs for URIs longer than 100 characters and displays their lengths.
Use len to identify traces with IDs of unexpected length, which might indicate instrumentation issues or data inconsistencies.
Query
Output
| trace_id_length | count |
|---|---|
| 32 | 4987 |
| 16 | 12 |
The query summarizes trace IDs by their lengths to find unexpected values.
Use len to analyze request methods and flag unusually short ones (e.g., malformed logs or attack vectors).
Query
Output
| _time | id | method | method_length |
|---|---|---|---|
| 2025-06-18T13:10:00Z | user789 | P | 1 |
| 2025-06-18T13:12:00Z | user222 | G | 1 |
The query finds suspicious or malformed request methods that are unusually short.
List of related functions
- array_length: Returns the number of elements in an array. Use this when working specifically with arrays.
- array_slice: Returns a subarray like
array_extract, but supports negative indexing. - array_concat: Joins arrays end-to-end. Use before or after slicing arrays with
array_extract.