Use the parse_path function to extract structured components from file paths, URIs, or URLs in your log and trace data. This function is useful when you want to decompose a full path into individual segments such as the directory, filename, extension, or query parameters for easier filtering, aggregation, or analysis.

You typically use parse_path in log analysis, OpenTelemetry traces, and security investigations to understand which resources are being accessed, identify routing patterns, or isolate endpoints with high error rates. It simplifies complex string parsing tasks and helps you normalize paths for comparisons and reporting.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

parse_path(source)

Parameters

| Name | Type | Description |
| --- | --- | --- |
| source | string | A string representing a path, file URI, or full URL. |

Returns

Returns a dynamic object with the following fields:

  • Scheme
  • RootPath
  • DirectoryPath
  • DirectoryName
  • Filename
  • Extension
  • AlternateDataStreamName

Use case example

Extract endpoint directories and file extensions from HTTP request URIs.

Query

['sample-http-logs']
| extend path_parts = parse_path(uri)

Output

| _time | path_parts |
| --- | --- |
| Jun 11, 10:39:16 | { "Filename": "users", "RootPath": "", "Scheme": "", "AlternateDataStream": "", "DirectoryName": "messages", "DirectoryPath": "/api/v1/messages", "Extension": "" } |
| Jun 11, 10:39:16 | { "Scheme": "", "AlternateDataStream": "", "DirectoryName": "background", "DirectoryPath": "/api/v1/textdata/background", "Extension": "", "Filename": "change", "RootPath": "" } |
| Jun 11, 10:39:16 | { "Filename": "users", "RootPath": "", "Scheme": "", "AlternateDataStream": "", "DirectoryName": "textdata", "DirectoryPath": "/api/v1/textdata", "Extension": "" } |

This query adds the parsed path components to each request, which helps you identify which directories and file types receive the most traffic.
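
To turn the parsed components into a traffic ranking, group on them. The following APL query is an added example, not part of the original page; the column names `directory`, `extension`, and `requests` and the limit of 20 rows are chosen here for illustration.

```kusto
// Added example: rank directory and extension pairs by request volume.
['sample-http-logs']
| extend path_parts = parse_path(uri)
// Fields of the dynamic object are cast to string so they can serve as grouping keys.
| extend directory = tostring(path_parts.DirectoryPath), extension = tostring(path_parts.Extension)
| summarize requests = count() by directory, extension
| sort by requests desc
| take 20
```

In an investigation, directory and extension pairs that the application is not expected to serve are the rows to review first.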