parse
This page explains how to use the parse operator function in APL.
The parse
operator in APL enables you to extract and structure information from unstructured or semi-structured text data, such as log files or strings. You can use the operator to specify a pattern for parsing the data and define the fields to extract. This is useful when analyzing logs, tracing information from text fields, or extracting key-value pairs from message formats.
You can find the parse
operator helpful when you need to process raw text fields and convert them into a structured format for further analysis. It’s particularly effective when working with data that doesn’t conform to a fixed schema, such as log entries or custom messages.
Importance of the parse operator
- Data extraction: It allows you to extract structured data from unstructured or semi-structured string fields, enabling you to transform raw data into a more usable format.
- Flexibility: The parse operator supports different parsing modes (simple, relaxed, regex) and provides various options to define parsing patterns, making it adaptable to different data formats and requirements.
- Performance: By extracting only the necessary information from string fields, the parse operator helps optimize query performance by reducing the amount of data processed and enabling more efficient filtering and aggregation.
- Readability: The parse operator provides a clear and concise way to define parsing patterns, making the query code more readable and maintainable.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Usage
Syntax
Parameters
kind
: Optional parameter to specify the parsing mode. Its value can besimple
for exact matches,regex
for regular expressions, orrelaxed
for relaxed parsing. The default issimple
.Expression
: The string expression to parse.StringConstant
: A string literal or regular expression pattern to match against.FieldName
: The name of the field to assign the extracted value.FieldType
: Optional parameter to specify the data type of the extracted field. The default isstring
.*
: Wildcard to match any characters before or after theStringConstant
....
: You can specify additionalStringConstant
andFieldName
pairs to extract multiple values.
Returns
The parse operator returns the input dataset with new fields added based on the specified parsing pattern. The new fields contain the extracted values from the parsed string expression. If the parsing fails for a particular row, the corresponding fields have null values.
Use case examples
For log analysis, you can extract the HTTP request duration from the uri
field using the parse
operator.
Query
Output
_time | req_duration_ms | uri |
---|---|---|
2024-10-18T12:00:00 | 200 | /api/v1/resource?duration=200 |
2024-10-18T12:00:05 | 300 | /api/v1/resource?duration=300 |
This query extracts the req_duration_ms
from the uri
field and projects the time and duration for each HTTP request.
Other examples
Parse content type
This example parses the content_type
field to extract the datatype
and format
values separated by a /
. The extracted values are projected as separate fields.
Original string
Query
Output
Parse user agent
This example parses the user_agent
field to extract the operating system name (os_name
) and version (os_version
) enclosed within parentheses. The extracted values are projected as separate fields.
Original string
Query
Output
Parse URI endpoint
This example parses the uri
field to extract the endpoint
value that appears after /api/v1/
. The extracted value is projected as a new field.
Original string
Query
Output
Parse ID into region, tenant, and user ID
This example demonstrates how to parse the id
field into three parts: region
, tenant
, and userId
. The id
field is structured with these parts separated by hyphens (-
). The extracted parts are projected as separate fields.
Original string
Query
Output
Parse in relaxed mode
The parse operator supports a relaxed mode that allows for more flexible parsing. In relaxed mode, Axiom treats the parsing pattern as a regular string and matches results in a relaxed manner. If some parts of the pattern are missing or do not match the expected type, Axiom assigns null values.
This example parses the log
field into four separate parts (method
, url
, status
, and responseTime
) based on a structured format. The extracted parts are projected as separate fields.
Original string
Query
Output
Parse in regex mode
The parse operator supports a regex mode that allows you to parse use regular expressions. In regex mode, Axiom treats the parsing pattern as a regular expression and matches results based on the specified regex pattern.
This example demonstrates how to parse Kubernetes pod log entries using regex mode to extract various fields such as podName
, namespace
, phase
, startTime
, nodeName
, hostIP
, and podIP
. The parsing pattern is treated as a regular expression, and the extracted values are assigned to the respective fields.
Original string
Query
Output
Best practices
When using the parse operator, consider the following best practices:
- Use appropriate parsing modes: Choose the parsing mode (simple, relaxed, regex) based on the complexity and variability of the data being parsed. Simple mode is suitable for fixed patterns, while relaxed and regex modes offer more flexibility.
- Handle missing or invalid data: Consider how to handle scenarios where the parsing pattern does not match or the extracted values do not conform to the expected types. Use the relaxed mode or provide default values to handle such cases.
- Project only necessary fields: After parsing, use the project operator to select only the fields that are relevant for further querying. This helps reduce the amount of data transferred and improves query performance.
- Use parse in combination with other operators: Combine parse with other APL operators like where, extend, and summarize to filter, transform, and aggregate the parsed data effectively.
By following these best practices and understanding the capabilities of the parse operator, you can effectively extract and transform data from string fields in APL, enabling powerful querying and insights.
List of related operators
Was this page helpful?