Skip to main content
The genai_extract_system_prompt function extracts the system prompt from a GenAI messages array. The system prompt typically contains instructions that define the AI assistant’s behavior, personality, and capabilities. It’s usually the first message with role ‘system’. You can use this function to audit AI behavior configurations, monitor prompt changes, analyze consistency across conversations, or validate that correct system instructions are being used.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you would need to filter messages by role and extract the first system message.
| eval system_msgs=mvfilter(match(role, "system"))
| eval system_prompt=mvindex(system_msgs, 0)
In ANSI SQL, you would unnest the array and filter for the first system role message.
SELECT 
  conversation_id,
  content as system_prompt
FROM (
  SELECT *, ROW_NUMBER() OVER (PARTITION BY conversation_id ORDER BY msg_index) as rn
  FROM conversations
  CROSS JOIN UNNEST(messages) WITH OFFSET AS msg_index
  WHERE role = 'system'
) WHERE rn = 1

Usage

Syntax

genai_extract_system_prompt(messages)

Parameters

  • messages (dynamic, required): An array of message objects from a GenAI conversation. Each message typically contains role and content fields.

Returns

Returns a string containing the content of the system message, or an empty string if no system message is found.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
Extract system prompts to verify that AI assistants are using the correct configuration and behavior instructions.Query
['sample-http-logs']
| where uri contains '/api/chat'
| extend system_prompt = genai_extract_system_prompt(todynamic(request_body)['messages'])
| where isnotempty(system_prompt)
| summarize conversation_count = count() by system_prompt
Run in PlaygroundOutput
system_promptconversation_count
You are a helpful customer service assistant.1250
You are a technical support expert specializing in software troubleshooting.845
This query helps you understand which system prompts are most commonly used and track prompt variations.
  • genai_extract_user_prompt: Extracts the user’s prompt. Use this to analyze what users are asking, while system prompts define AI behavior.
  • genai_extract_assistant_response: Extracts the assistant’s response. Use this to see how the AI responded based on the system prompt.
  • genai_get_content_by_role: Gets content by any role. Use this for more flexible extraction when you need other specific roles.
  • genai_message_roles: Lists all message roles. Use this to understand conversation structure and verify system message presence.