regex_quote
This page explains how to use the regex_quote function in APL.
Use the regex_quote function in APL when you need to safely insert arbitrary string values into regular expression patterns. This function escapes all special characters in the input string so that it is interpreted as a literal sequence, rather than as part of a regular expression syntax.
regex_quote is especially useful when your APL query constructs regular expressions dynamically using user input or field values. Without escaping, strings like .* or [a-z] would behave like regex wildcards or character classes, potentially leading to incorrect results or vulnerabilities. With regex_quote, you can ensure the string is treated exactly as-is.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In Splunk, the re.escape() function is not available natively in SPL, so you often handle escaping in external scripts or manually. In APL, regex_quote provides built-in support for quoting regular expression metacharacters.
ANSI SQL users
ANSI SQL users
ANSI SQL lacks a standard function to escape regular expression strings. Escaping is typically handled manually or with vendor-specific features. In APL, regex_quote handles all necessary escaping for you, making regex construction safer and more convenient.
Usage
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| value | string | The input string to be escaped for regex safety. |
Returns
A string where all regular expression metacharacters are escaped so that the result can be used safely in regex patterns.
Use case examples
You want to find requests where the uri contains an exact match of a user-provided pattern, such as /api/v1/users[1], which includes regex metacharacters. Use regex_quote to safely escape the pattern before matching.
Query
Output
| _time | id | uri | status |
|---|---|---|---|
| 2025-06-10T15:42:00Z | user-293 | /api/v1/users[1] | 200 |
This query searches for logs where the uri exactly matches the string /api/v1/users[1], without interpreting [1] as a character class.
You want to find requests where the uri contains an exact match of a user-provided pattern, such as /api/v1/users[1], which includes regex metacharacters. Use regex_quote to safely escape the pattern before matching.
Query
Output
| _time | id | uri | status |
|---|---|---|---|
| 2025-06-10T15:42:00Z | user-293 | /api/v1/users[1] | 200 |
This query searches for logs where the uri exactly matches the string /api/v1/users[1], without interpreting [1] as a character class.
You want to isolate spans whose trace_id includes a literal substring that happens to resemble a regex pattern, such as abc.def[0]. Using regex_quote ensures the pattern is treated literally.
Query
Output
| _time | trace_id | span_id | [‘service.name’] | duration |
|---|---|---|---|---|
| 2025-06-10T13:20:00Z | abc.def[0] | span-91 | frontend | 00:00:01 |
This query avoids misinterpretation of [0] as a regex character class and treats the whole trace_id literally.
You want to scan for potential path traversal attempts where a user’s input includes strings like ..\..\windows\system32. To search this string safely, you use regex_quote.
Query
Output
| _time | id | uri | status | [‘geo.country’] |
|---|---|---|---|---|
| 2025-06-11T10:15:00Z | user-103 | …\windows\system32 | 403 | DE |
This query detects malicious-looking strings literally, without treating . as a wildcard.