All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SQL Language - Pull all URLs with specific query string parameters.

alagiriv
New Member
‎01-10-2019 12:22 PM

I need help pulling URLs that have a specific query string.

For example, I get all URLs for the matching query strings. Query string can be in any order.

abc.com/?a=1&b=2
abc.com/?c=1
abc.com/?d=1&a=2
List all that have a=? or b=? in the URL

abc.com/?a=1&b=2
abc.com/?d=1&a=2

Tags (1)
0 Karma
Reply

John2
New Member
‎01-10-2022 04:00 PM

Could it be as simple as this?

A search with an implied "AND", using a space:

 

"abc.com" ("a=" OR "b=")

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎01-16-2019 08:41 AM

Another example, which is self-contained. Everything up to and including the eval url is generating the test data.

| makeresults count=4 
| streamstats count 
| eval url = case( count==1, "http://abc.com/?a=1&b=2&c=3", count==2, "http://abc.com/?d=1&e=2&a=3", count==3, "http://abc.com/?f=1&g=2&h=3", count==4, "http://abc.com/?C=1&b=2&a=3") 
| rex field=url "[^?]*\?(?<url_path>.*)" 
| eval key_values = split(url_path, "&") 
| eval matching_keys=mvfilter(match(key_values, "a=") OR match(key_values, "b=")) 
| where isnotnull(matching_keys) 
| table url, url_path, matching_keys
0 Karma
Reply

seegeekrun
Path Finder
‎01-10-2019 12:48 PM

There are several ways that it could be approached, but one rough way would be as follows:

| makeresults 
| eval path = "abc.com/?a=1&b=2 abc.com/?c=1 abc.com/?d=1&a=2" 
| makemv path 
| mvexpand path 
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution" 
| makemv path delim="?"
| eval params=mvindex(path,1)
| makemv params delim="&"
| mvexpand params | stats values(path) as Paths by params
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...