I would like to know how can I use the urldecorder command for all URLs in the reqHdr.referer field (Akamai)
index=akamai | eval newfield = urldecode("https%3a%2f%2fwww....................%2f") | table newfield
... | eval newField=urldecode('reqHdr.referer') | table newField
View solution in original post
I've tried and the field doesn't show the URLs, just the name reqHdr.referer
Tried it with single quotes around it?
index=c4_akamai | eval newfield = urldecode('reqHdr.referer') | table newfield
Don't use double quotes "around the field name. Try without quotes. If that doesn't work, use single quotes '.
"
'
Thanks for the help, with single quotes it worked.
Using this query:
index=c4_akamai | eval newfield = urldecode("reqHdr.referer") | table newfield
o resultado é:
newfield reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer reqHdr.referer
Eu usando apenas uma URL de referencia dentro do campo reqHdr.referer o resultado é:
index=c4_akamai | eval newfield = urldecode("https%3a%2f%2fwww.*******.com.br%2f") | table newfield
newfield https://www.**********.com.br/ https://www.**********.com.br/ https://www.**********.com.br/ https://www.**********.com.br/ https://www.**********.com.br/ https://www.**********.com.br/ https://www.**********.com.br/
What results do you get and what results do you expect?
In this case, if I specify a single URL in this field it will bring me the result of the decoded URL. However, the field has thousands of other URLs.
The result I hope is that all URLs are shown decrypted.
Can you share some sample data?
