Re: URL Decoding

yonphang · ‎10-29-2019

i tried all splunk answers and doesn't seems like working for me.

i have this

search | rex mode=sed field=message.UA "s/%2f///g" | table message.UA

sample message.UA
Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f70.0.3538.77%20Safari%2f537.36

i got this error after ran the search above.

Error in 'rex' command: Failed to initialize sed. Invalid option string: /g

I tried urldecode function, doesn't work, and also tried almost every solutions from splunk answer, i just could not decode the encoded UA field. please help.

jkat54 · ‎06-29-2023

How about eval's urldecode?

| eval decoded=urldecode(yourEncodedField)

or

| eval decoded=urldecode("yourEncodedString")

https://docs.splunk.com/Documentation/SCS/current/SearchReference/TextFunctions#urldecode.28.26lt.3B...

rafamss · ‎12-08-2020

I used your example, and it worked for me. Did you try this way?

| makeresults 
| eval ua = "Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f70.0.3538.77%20Safari%2f537.36"
| eval uadecoded = urldecode(ua)

renjith_nair · ‎10-29-2019

@yonphang ,

Try

 |rex mode=sed field=url "s/%2f/\//g"

---
What goes around comes around. If it helps, hit it with Karma 🙂

yonphang · ‎10-29-2019

yes that was intentional, i want to find %2f and replace into /

renjith_nair · ‎10-29-2019

Ok updated the answer

---
What goes around comes around. If it helps, hit it with Karma 🙂

URL Decoding- How to resolve error?

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?