Use the regex_quote function in APL when you need to safely insert arbitrary string values into regular expression patterns. This function escapes all special characters in the input string so that it is interpreted as a literal sequence, rather than as part of a regular expression syntax. regex_quote is especially useful when your APL query constructs regular expressions dynamically using user input or field values. Without escaping, strings like .* or [a-z] would behave like regex wildcards or character classes, potentially leading to incorrect results or vulnerabilities. With regex_quote, you can ensure the string is treated exactly as-is.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk, the re.escape() function is not available natively in SPL, so you often handle escaping in external scripts or manually. In APL, regex_quote provides built-in support for quoting regular expression metacharacters.
| eval pattern="hello.*world"
| eval safe_pattern=replace(pattern, "\.", "\\.")
ANSI SQL lacks a standard function to escape regular expression strings. Escaping is typically handled manually or with vendor-specific features. In APL, regex_quote handles all necessary escaping for you, making regex construction safer and more convenient.
SELECT REGEXP_LIKE(col, 'hello\\.*world') FROM table;

Usage

Syntax

regex_quote(value)

Parameters

NameTypeDescription
valuestringThe input string to be escaped for regex safety.

Returns

A string where all regular expression metacharacters are escaped so that the result can be used safely in regex patterns.

Use case examples

You want to find requests where the uri contains an exact match of a user-provided pattern, such as /api/v1/users[1], which includes regex metacharacters. Use regex_quote to safely escape the pattern before matching.Query
let pattern = '/api/v1/users[1]';
['sample-http-logs']
| where uri matches regex regex_quote(pattern)
| project _time, id, uri, status
Run in PlaygroundOutput
_timeiduristatus
2025-06-10T15:42:00Zuser-293/api/v1/users[1]200
This query searches for logs where the uri exactly matches the string /api/v1/users[1], without interpreting [1] as a character class.