Re: Remove the query string from a Url field

gassershaun · ‎12-06-2012

Need to exclude the query parameters from a URL field.
For e.g. the field contains http://www.google.com/india?search=splunk. I need to substring this such that result field only contains http://www.google.com/india i.e. remove the part following "?" character. Tried using the eval and the replace functions but did not work...

zsteinkamp_splu · ‎03-14-2018

Ayn's answer fails if the URL does not include a question mark. Here is a regex that works for URLs with and without a question mark:

| rex field=your_url_field "^(?<your_new_url_field>[^?]+)

Ayn · ‎12-06-2012

... | rex field=your_url_field "^(?<your_new_url_field>.+?)\?"

Ayn · ‎12-06-2012

Ah. Updated my answer with a corrected regex.

gassershaun · ‎12-06-2012

Thanks it works.. however one small problem I get the result as http://www.google.com/india? and not as http://www.google.com/india I also need to get rid of the ending ?

Remove the query string from a Url field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation