Solved: Re: URLDECODE

erlindemberg · ‎01-24-2020

I would like to know how can I use the urldecorder command for all URLs in the reqHdr.referer field (Akamai)

index=akamai
| eval newfield = urldecode("https%3a%2f%2fwww....................%2f")
| table newfield

jkat54 · ‎01-24-2020

 ... | eval newField=urldecode('reqHdr.referer') | table newField

View solution in original post

jkat54 · ‎01-24-2020

 ... | eval newField=urldecode('reqHdr.referer') | table newField

erlindemberg · ‎01-24-2020

I've tried and the field doesn't show the URLs, just the name reqHdr.referer

jkat54 · ‎01-24-2020

Tried it with single quotes around it?

snallam123 · ‎01-24-2020

index=c4_akamai
| eval newfield = urldecode('reqHdr.referer')
| table newfield

richgalloway · ‎01-24-2020

Don't use double quotes "around the field name. Try without quotes. If that doesn't work, use single quotes '.

---
If this reply helps you, Karma would be appreciated.

erlindemberg · ‎01-24-2020

Thanks for the help, with single quotes it worked.

erlindemberg · ‎01-24-2020

Using this query:

index=c4_akamai
| eval newfield = urldecode("reqHdr.referer")
| table newfield

o resultado é:

newfield
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer

Eu usando apenas uma URL de referencia dentro do campo reqHdr.referer o resultado é:

index=c4_akamai
| eval newfield = urldecode("https%3a%2f%2fwww.*******.com.br%2f")
| table newfield

newfield
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/

richgalloway · ‎01-24-2020

What results do you get and what results do you expect?

---
If this reply helps you, Karma would be appreciated.

erlindemberg · ‎01-24-2020

Using this query:

index=c4_akamai
| eval newfield = urldecode("reqHdr.referer")
| table newfield

o resultado é:

newfield
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer
reqHdr.referer

Eu usando apenas uma URL de referencia dentro do campo reqHdr.referer o resultado é:

index=c4_akamai
| eval newfield = urldecode("https%3a%2f%2fwww.*******.com.br%2f")
| table newfield

newfield
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/
https://www.**********.com.br/

erlindemberg · ‎01-24-2020

In this case, if I specify a single URL in this field it will bring me the result of the decoded URL.
However, the field has thousands of other URLs.

The result I hope is that all URLs are shown decrypted.

richgalloway · ‎01-24-2020

Can you share some sample data?

---
If this reply helps you, Karma would be appreciated.

URLDECODE

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services