Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Remove the query string from a Url field

gassershaun
Engager
‎12-06-2012 04:18 AM

Need to exclude the query parameters from a URL field.
For e.g. the field contains http://www.google.com/india?search=splunk. I need to substring this such that result field only contains http://www.google.com/india i.e. remove the part following "?" character. Tried using the eval and the replace functions but did not work...

Tags (1)
0 Karma
Reply

zsteinkamp_splu
Splunk Employee
Splunk Employee
‎03-14-2018 11:04 AM

Ayn's answer fails if the URL does not include a question mark. Here is a regex that works for URLs with and without a question mark:

| rex field=your_url_field "^(?<your_new_url_field>[^?]+)

Reply

Ayn
Legend
‎12-06-2012 04:20 AM 
... | rex field=your_url_field "^(?<your_new_url_field>.+?)\?"
Reply

Ayn
Legend
‎12-06-2012 04:37 AM

Ah. Updated my answer with a corrected regex.

Reply

gassershaun
Engager
‎12-06-2012 04:35 AM

Thanks it works.. however one small problem I get the result as http://www.google.com/india? and not as http://www.google.com/india I also need to get rid of the ending ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...