Splunk Search

URL Encoding in fields and values

DanielFordWA
Contributor

There are a number of fields that contain values that have had certain characters encoded.

I would like the below URL Encoding reference table applied to all fields and values, what would be the best way to go about this?

http://www.w3schools.com/tags/ref_urlencode.asp

0 Karma
1 Solution

chris
Motivator

You can use the urldecode function for eval if you want to apply this to searches:

basesearch | eval decoded_field=urldecode(encoded_field)

Or you can also set this up in props.conf to do it automatically (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf):
EVAL-decoded_field=urldecode(encoded_field)

I do not think that there is an easy way to apply this to all fields, though.

DanielFordWA
Contributor

Thanks for the response.

The data is imported in iis-2 format. During search I use “extract auto=true” to get each field from the cs_uri_stem as these fields are not automatically captured when indexing.

If I alter the props config will it change all encoding in the cs_uri_stem?

There are two parameters in the cs_uri_stem I would not want to decode.

The eval function in search does work but I would like to do it at the indexing stage.

0 Karma

DanielFordWA
Contributor

Before (current)

DocTitle
You%20all%20ready%20for%20this%20%3F

After (desired result)

DocTitle
You all ready for this ?

For nearly all fields that search returns, I would want this sort of conversion applied; there are only two exceptions I can think of.

0 Karma
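An added example, not posted by anyone in this thread: one search-time way to decode every extracted field except two, combining the `foreach` command with the `urldecode` eval function mentioned above. The field names `ReturnUrl` and `SessionToken` and their values are constructed placeholders for the two parameters that should stay encoded; `DocTitle` uses the sample value from the post above, and `makeresults` only generates a test event.

```spl
| makeresults
| eval DocTitle="You%20all%20ready%20for%20this%20%3F",
       ReturnUrl="%2Fdocs%2Fview%3Fid%3D7",
       SessionToken="a%2Bb%3D"
| foreach *
    [ eval <<FIELD>> = if("<<FIELD>>"!="ReturnUrl"
                          AND "<<FIELD>>"!="SessionToken"
                          AND match('<<FIELD>>', "%[0-9A-Fa-f]{2}"),
                          urldecode('<<FIELD>>'),
                          '<<FIELD>>') ]
| table DocTitle ReturnUrl SessionToken
```

The `match()` guard decodes only values that actually contain a percent-escape, so fields without one are passed through unchanged, and each value is decoded exactly once.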

barakreeves
Splunk Employee

Sorry, kinda confused. Could you please provide a simple before and after picture of what you want to accomplish? I think I know but I don't want to make any assumptions with your use case.

0 Karma