SPL 到 APL 转换指南：语法差异、命令映射与类型安全实践

spl-to-apl by axiomhq/skills

127 周安装量

6 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/axiomhq/skills --skill spl-to-apl

数据分析监控数据处理

🇨🇳中文介绍

SPL 到 APL 翻译器

类型安全： 像 status 这样的字段通常以字符串形式存储。在进行数值比较前务必进行类型转换：toint(status) >= 500，而不是 status >= 500。

关键差异

APL 中时间需显式指定： SPL 时间选择器不会自动翻译 —— 需要手动添加 where _time between (ago(1h) .. now())
结构： SPL index=... | command → APL ['dataset'] | operator
Join 是预览功能： 限制为 5 万行，仅支持 inner/innerunique/leftouter
cidrmatch 参数顺序相反： SPL cidrmatch(cidr, ip) → APL ipv4_is_in_range(ip, cidr)

核心命令映射

SPL

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

SPL	APL	说明
`if(c, t, f)`	`iff(c, t, f)`	双 'f'
`case(c1,v1,...)`	`case(c1,v1,...,default)`	需要 default
`len(str)`	`strlen(str)`
`lower/upper`	`tolower/toupper`
`substr`	`substring`	APL 中从 0 开始索引
`replace`	`replace_string`
`tonumber`	`toint/tolong/toreal`	显式类型
`match(s,r)`	`s matches regex "r"`	操作符
`split(s, d)`	`split(s, d)`	相同
`mvjoin(mv, d)`	`strcat_array(arr, d)`	连接数组
`mvcount(mv)`	`array_length(arr)`	数组长度

Rex → Parse/Extract

# SPL
| rex field=message "user=(?<username>\w+)"

# APL - 使用正则表达式解析
| parse kind=regex message with @"user=(?P<username>\w+)"

# APL - extract 函数  
| extend username = extract("user=(\\w+)", 1, message)

简单模式（非正则表达式）

# SPL
| rex field=uri "^/api/(?<version>v\d+)/(?<endpoint>\w+)"

# APL
| parse uri with "/api/" version "/" endpoint

SPL 时间选择器不会自动翻译。始终添加显式的时间范围：

# SPL (时间选择器：最近 24 小时)
index=logs

# APL
['logs'] | where _time between (ago(24h) .. now())

# SPL
| timechart span=5m count by status

# APL
| summarize count() by bin(_time, 5m), status

# SPL
| stats count(eval(status>=500)) as errors, count as total by host
| eval error_rate = errors/total*100

# APL
| summarize errors = countif(status >= 500), total = count() by host
| extend error_rate = toreal(errors) / total * 100

# SPL
index=logs [search index=errors | fields user_id | format]

# APL
let error_users = ['errors'] | where _time between (ago(1h) .. now()) | distinct user_id;
['logs']
| where _time between (ago(1h) .. now())
| where user_id in (error_users)

# SPL
| join user_id [search index=users | fields user_id, name]

# APL
| join kind=inner (['users'] | project user_id, name) on user_id

类似 Transaction 的分组

# SPL
| transaction session_id maxspan=30m

# APL (无直接等效项 — 使用 summarize 重构)
| summarize 
    start_time = min(_time),
    end_time = max(_time),
    events = make_list(pack("time", _time, "action", action)),
    duration = max(_time) - min(_time)
  by session_id
| where duration <= 30m

字符串匹配性能

SPL	APL	速度
`field="value"`	`field == "value"`	最快
`field="value"`	`field contains "value"`	中等
`field="value*"`	`field startswith "value"`	快
`match(field, regex)`	`field matches regex "..."`	最慢

优先使用 has 而非 contains（单词边界匹配更快）。使用 _cs 变体进行区分大小写匹配（更快）。

reference/command-mapping.md — 完整命令列表
reference/function-mapping.md — 完整函数列表
reference/examples.md — 完整查询翻译示例
APL 文档：https://axiom.co/docs/apl/introduction

2026 年 1 月 24 日

🇺🇸English

SPL to APL Translator

Type safety: Fields like status are often stored as strings. Always cast before numeric comparison: toint(status) >= 500, not status >= 500.

Critical Differences

Time is explicit in APL: SPL time pickers don't translate — add where _time between (ago(1h) .. now())
Structure: SPL index=... | command → APL ['dataset'] | operator
Join is preview: limited to 50k rows, inner/innerunique/leftouter only
cidrmatch args reversed: SPL cidrmatch(cidr, ip) → APL ipv4_is_in_range(ip, cidr)

Core Command Mappings

SPL	APL	Notes
`search index=...`	`['dataset']`	Dataset replaces index
`search field=value`	`where field == "value"`	Explicit where
`where`	`where`	Same
`stats`	`summarize`	Different aggregation syntax

Complete mappings: reference/command-mapping.md

Stats → Summarize

# SPL
| stats count by status

# APL  
| summarize count() by status

Key function mappings

SPL	APL
`count`	`count()`
`count(field)`	`countif(isnotnull(field))`
`dc(field)`	`dcount(field)`
`avg/sum/min/max`	Same
`median(field)`

Conditional count pattern

# SPL
| stats count(eval(status>=500)) as errors by host

# APL
| summarize errors = countif(status >= 500) by host

Complete function list: reference/function-mapping.md

Eval → Extend

# SPL
| eval new_field = old_field * 2

# APL
| extend new_field = old_field * 2

Key function mappings

SPL	APL	Notes
`if(c, t, f)`	`iff(c, t, f)`	Double 'f'
`case(c1,v1,...)`	`case(c1,v1,...,default)`	Requires default
`len(str)`	`strlen(str)`
`lower/upper`

Case statement pattern

# SPL
| eval level = case(
    status >= 500, "error",
    status >= 400, "warning",
    1==1, "ok"
  )

# APL  
| extend level = case(
    status >= 500, "error",
    status >= 400, "warning",
    "ok"
  )

Note: SPL's 1==1 catch-all becomes implicit default in APL.

Rex → Parse/Extract

# SPL
| rex field=message "user=(?<username>\w+)"

# APL - parse with regex
| parse kind=regex message with @"user=(?P<username>\w+)"

# APL - extract function  
| extend username = extract("user=(\\w+)", 1, message)

Simple pattern (non-regex)

# SPL
| rex field=uri "^/api/(?<version>v\d+)/(?<endpoint>\w+)"

# APL
| parse uri with "/api/" version "/" endpoint

Time Handling

SPL time pickers don't translate. Always add explicit time range:

# SPL (time picker: Last 24 hours)
index=logs

# APL
['logs'] | where _time between (ago(24h) .. now())

Timechart translation

# SPL
| timechart span=5m count by status

# APL
| summarize count() by bin(_time, 5m), status

Common Patterns

Error rate calculation

# SPL
| stats count(eval(status>=500)) as errors, count as total by host
| eval error_rate = errors/total*100

# APL
| summarize errors = countif(status >= 500), total = count() by host
| extend error_rate = toreal(errors) / total * 100

Subquery (subsearch)

# SPL
index=logs [search index=errors | fields user_id | format]

# APL
let error_users = ['errors'] | where _time between (ago(1h) .. now()) | distinct user_id;
['logs']
| where _time between (ago(1h) .. now())
| where user_id in (error_users)

Join datasets

# SPL
| join user_id [search index=users | fields user_id, name]

# APL
| join kind=inner (['users'] | project user_id, name) on user_id

Transaction-like grouping

# SPL
| transaction session_id maxspan=30m

# APL (no direct equivalent — reconstruct with summarize)
| summarize 
    start_time = min(_time),
    end_time = max(_time),
    events = make_list(pack("time", _time, "action", action)),
    duration = max(_time) - min(_time)
  by session_id
| where duration <= 30m

String Matching Performance

SPL	APL	Speed
`field="value"`	`field == "value"`	Fastest
`field="value"`	`field contains "value"`	Moderate
`field="value*"`	`field startswith "value"`	Fast
`match(field, regex)`

Prefer has over contains (word-boundary matching is faster). Use _cs variants for case-sensitive (faster).

Reference

reference/command-mapping.md — complete command list
reference/function-mapping.md — complete function list
reference/examples.md — full query translation examples
APL docs: https://axiom.co/docs/apl/introduction

Weekly Installs

Repository

axiomhq/skills

GitHub Stars

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

codex85

opencode85

gemini-cli82

claude-code79

github-copilot78

cursor73

Excel财务建模规范与xlsx文件处理指南：专业格式、零错误公式与数据分析

44,500 周安装

`search index=...`	`['dataset']`	Dataset 替代 index
`search field=value`	`where field == "value"`	显式 where
`where`	`where`	相同
`stats`	`summarize`	不同的聚合语法
`eval`	`extend`	创建/修改字段
`table` / `fields`	`project`	选择列
`fields -`	`project-away`	移除列
`rename x as y`	`project-rename y = x`	重命名
`sort` / `sort -`	`order by ... asc/desc`	排序
`head N`	`take N`	限制行数
`top N field`	`summarize count() by field	top N by count_`
`dedup field`	`summarize arg_max(_time, *) by field`	保留最新
`rex`	`parse` 或 `extract()`	正则表达式提取
`join`	`join`	预览功能
`append`	`union`	合并数据集
`mvexpand`	`mv-expand`	展开数组
`timechart span=X`	`summarize ... by bin(_time, X)`	手动分箱
`rare N field`	`summarize count() by field	order by count_ asc
`spath`	`parse_json()` 或 `json['path']`	JSON 访问
`transaction`	无直接等效项	使用 summarize + make_list

SPL	APL
`count`	`count()`
`count(field)`	`countif(isnotnull(field))`
`dc(field)`	`dcount(field)`
`avg/sum/min/max`	相同
`median(field)`	`percentile(field, 50)`
`perc95(field)`	`percentile(field, 95)`
`first/last`	`arg_min/arg_max(_time, field)`
`list(field)`	`make_list(field)`
`values(field)`	`make_set(field)`

SPL 到 APL 转换指南：语法差异、命令映射与类型安全实践

🇨🇳中文介绍

SPL 到 APL 翻译器

关键差异

核心命令映射

相关 Skills

Stats → Summarize

关键函数映射

条件计数模式

Eval → Extend

关键函数映射

Case 语句模式

Rex → Parse/Extract

简单模式（非正则表达式）

时间处理

Timechart 翻译

常用模式

错误率计算

子查询

连接数据集

类似 Transaction 的分组

字符串匹配性能

参考

🇺🇸English

SPL to APL Translator

Critical Differences

Core Command Mappings

Stats → Summarize

Key function mappings

Conditional count pattern

Eval → Extend

Key function mappings

Case statement pattern

Rex → Parse/Extract

Simple pattern (non-regex)

Time Handling

Timechart translation

Common Patterns

Error rate calculation

Subquery (subsearch)

Join datasets

Transaction-like grouping

String Matching Performance

Reference

最新 Skills