Remove the query string from a Url field

gassershaun · ‎12-06-2012

Need to exclude the query parameters from a URL field.
For e.g. the field contains http://www.google.com/india?search=splunk. I need to substring this such that result field only contains http://www.google.com/india i.e. remove the part following "?" character. Tried using the eval and the replace functions but did not work...

zsteinkamp_splu · ‎03-14-2018

Ayn's answer fails if the URL does not include a question mark. Here is a regex that works for URLs with and without a question mark:

| rex field=your_url_field "^(?<your_new_url_field>[^?]+)

Ayn · ‎12-06-2012

... | rex field=your_url_field "^(?<your_new_url_field>.+?)\?"

Ayn · ‎12-06-2012

Ah. Updated my answer with a corrected regex.

gassershaun · ‎12-06-2012

Thanks it works.. however one small problem I get the result as http://www.google.com/india? and not as http://www.google.com/india I also need to get rid of the ending ?

Remove the query string from a Url field

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

Remove the query string from a Url field

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI