
URL Encoding in fields and values

DanielFordWA
Contributor

There are a number of fields that contain values that have had certain characters encoded.

I would like the below URL Encoding reference table applied to all fields and values. What would be the best way to go about this?

http://www.w3schools.com/tags/ref_urlencode.asp


chris
Motivator

You can use the urldecode function for eval if you want to apply this to searches:

basesearch | eval decoded_field=urldecode(encoded_field)

Or you can also set this up in props.conf to do it automatically (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf):
EVAL-decoded_field=urldecode(encoded_field)

I do not think that there is an easy way to apply this to all fields, though.


DanielFordWA
Contributor

Thanks for the response.

The data is imported in iis-2 format. During search I use “extract auto=true” to get each field from the cs_uri_stem as these fields are not automatically captured when indexing.

If I alter the props config will it change all encoding in the cs_uri_stem?

There are two parameters in the cs_uri_stem I would not want to decode.

The eval function in search does work but I would like to do it at the indexing stage.


DanielFordWA
Contributor

Before (current)

DocTitle
You%20all%20ready%20for%20this%20%3F

After (desired result)

DocTitle
You all ready for this ?

For nearly all fields that search returns I would want this sort of conversion applied; there are only two exceptions I can think of.


barakreeves
Splunk Employee

Sorry, kinda confused. Could you please provide a simple before and after picture of what you want to accomplish? I think I know but I don't want to make any assumptions with your use case.
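
The behaviour asked for in this thread (decode every extracted parameter once, except a short exclusion list) is sketched below in Python as an added example; it is not from any post above and is not Splunk configuration. The exclusion names and the sample URI are constructed, since the thread never names the two parameters. It splits on the raw string first and decodes each value afterwards, so an encoded & or = cannot shift field boundaries, and it reports values that still carry %XX escapes after one pass.

```python
import re
from urllib.parse import unquote

# Hypothetical exclusion list: the thread mentions two parameters that must
# stay encoded but does not name them.
KEEP_ENCODED = {"ReturnUrl", "Token"}

# Matches a percent-escape that survives decoding (sign of double encoding).
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample, shaped like the DocTitle value shown in the thread.
SAMPLE = ("/docs/view.aspx?DocTitle=You%20all%20ready%20for%20this%20%3F"
          "&ReturnUrl=%2Fhome%3Fa%3D1&Note=50%2525%20off")


def decode_params(raw, keep_encoded=KEEP_ENCODED):
    """Extract key=value pairs from a raw URI and percent-decode each value
    exactly once, leaving the excluded keys untouched.

    Returns (fields, still_encoded). still_encoded lists the keys whose
    decoded value still contains a %XX escape, i.e. it was encoded twice.
    """
    fields, still_encoded = {}, []
    query = raw.split("?", 1)[-1]
    for pair in query.split("&"):
        if "=" not in pair:
            continue  # path segment or bare flag, nothing to decode
        key, value = pair.split("=", 1)
        if key in keep_encoded:
            fields[key] = value  # kept exactly as logged
            continue
        decoded = unquote(value)  # single pass; '+' is left as-is
        fields[key] = decoded
        if PCT_ESCAPE.search(decoded):
            still_encoded.append(key)
    return fields, still_encoded


if __name__ == "__main__":
    decoded_fields, twice_encoded = decode_params(SAMPLE)
    for name, val in decoded_fields.items():
        print(f"{name} = {val}")
    print("still encoded after one pass:", twice_encoded)
```
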
