The string_size function returns the number of bytes in a string. You use it when you want to measure the length of text fields such as user IDs, URLs, or status codes. This function is useful for detecting anomalies, filtering out unusually long values, or analyzing patterns in textual data. For example, you can use string_size to detect requests with excessively long URIs, identify outlier user IDs, or monitor payload lengths in traces.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use the len function to calculate the number of characters in a string. In APL, you use string_size to calculate the number of bytes in a string.
... | eval uri_length=len(uri)
In ANSI SQL, you use the LENGTH or CHAR_LENGTH function to calculate string length. In APL, the equivalent is string_size to calculate the number of bytes in a string.
SELECT LENGTH(uri) AS uri_length
FROM sample_http_logs;

Usage

Syntax

string_size(source)

Parameters

ParameterTypeDescription
sourcestringThe input string expression.

Returns

An integer representing the number of bytes in the string. If the string is empty, the function returns 0.

Use case examples

You can use string_size to detect unusually long URIs that might indicate an attempted exploit or malformed request.Query
['sample-http-logs']
| extend uri_length = string_size(uri)
| where uri_length > 100
| project _time, method, uri, uri_length, status
Run in PlaygroundOutput
_timemethoduriuri_lengthstatus
2025-09-11T10:01:45ZGET/search/products?q=…142200
2025-09-11T10:02:13ZPOST/checkout/submit/order/details…187400
This query finds all HTTP requests with URIs longer than 10 characters and lists their details.