Skip to main content
Use the translate function in APL (Axiom Processing Language) to substitute characters in a string, one by one, based on their position in two input lists. For every character in the input string that matches a character in the first list, translate replaces it with the character at the same position in the second list. This function is useful when you want to:
  • Replace specific characters without using complex regular expressions.
  • Normalize text by mapping characters to a consistent format.
  • Obfuscate or scrub data by transforming characters to placeholders.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you often use replace or gsub to transform string values. These functions support regular expressions and substring replacements, but they don’t directly support fixed-position character substitution.In APL, translate lets you replace multiple characters in a string at once, based on positionally aligned character sets.
... | eval masked_id=replace(id, "[abc]", "x")
If you’re familiar with ANSI SQL, APL’s translate function works like SQL’s TRANSLATE. Both functions take a character source set, a target set, and a string to process.
SELECT TRANSLATE(id, 'abc', 'xyz') FROM sample_http_logs;

Usage

Syntax

translate(searchList, replacementList, source)

Parameters

NameTypeDescription
searchListstringCharacters to search for in the input string.
replacementListstringCharacters to replace each match in searchList.
sourcestringThe input string to evaluate.

Returns

A string with characters from searchList replaced by corresponding characters in replacementList. If replacementList is shorter than searchList, Axiom repeatedly uses the last character of replacementList to match the length of the search.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Use translate to mask user IDs by replacing all lowercase letters with asterisks.Query
['sample-http-logs']
| extend masked_id = translate('0123456789abcdefghijklmnopqrstuvwxyz', '##########*', id)
| project _time, id, masked_id
Run in PlaygroundOutput
_timeidmasked_id
2025-07-28T12:34:56Zbd6d8f17-2b8d-4b71-af20-f23dc8d20202**#*#*##-#*#*-#*##-**##-*##**#*#####
2025-07-28T12:35:01Z1e317368-9ed4-4e8c-b535-b59a68ffda05#*######-#**#-#*#*-*###-*##*##****##
This query masks characters in the id field by replacing numbers with hashes and letters with asterisks.
I