I am trying to utilize a log that has URL values that have been percent-encoded. I want to replace these encoding characters with their decoded meanings. Example: We%20alerted%20our%20team%20to%20the%20issue.%20We%20apologize%20for%20this%20inconvenience.%20Please%20try%20again%20later.
Based on the above link's examples, I tried the following:
| replace "%20" with " " in errorMessage | top errorMessage
The search runs but I still have these characters in my errorMessage field. Eventually I'll want something like this:
| replace "%20" with " ", "%2C" with ",", "%27" with "'" in field1 field2 field3
I've figured out another solution that works for this specific example, using eval and the urldecode() function.
I did a ... | eval field1=urldecode(field1) and this works perfectly fine for me. The only issue is that I have to explicitly identify fields rather than have all fields taken care of at once. I tried doing a ... | eval _raw=urldecode(_raw) but this only works for the raw results and doesn't get updated to the Splunk auto or manually extracted fields. D'oh!
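Added example, not part of the original post: one way to apply urldecode() to every extracted field in a single step is Splunk's foreach command, which expands its <<FIELD>> template once per matching field. The makeresults event and its values are constructed sample data, and field1 and field2 stand in for real field names.

```spl
| makeresults
| eval errorMessage="We%20alerted%20our%20team%20to%20the%20issue.", field1="a%2Cb%2Cc", field2="it%27s%20down"
``` foreach runs the templated eval once for each field matched by the wildcard ```
| foreach * [ eval <<FIELD>> = urldecode('<<FIELD>>') ]
| table errorMessage field1 field2
```

In a real search, replace the first two lines with the base search; narrowing the wildcard (for example `foreach error* field*`) limits decoding to the fields that actually carry URL-encoded text.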