Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search urlencoded string not working

stephen1h
New Member
‎11-07-2013 12:52 PM

I have created a regex search that can search strings in a field, but it is slow. Is there a way that I can search a string without having to use regex for specific urlencoded data?

For instance. I can do:

*| regex "\%[0-9a-fA-F]{2}"

night and day, but a combination of that regex is slow.

I know specific strings of urlencoded data that I want to match on. When I do a search on that data (for instance "%2F%63%67%69%2D%62%69%6E%2F" or "\%2F\%63\%67\%69\%2D\%62\%69\%6E\%2F", I see in the inspector that my search has been changed. The percent signs are now spaces like the following: "[ AND 2d 2f 62 63 67 69 6e index::main ]" ... It looks like my urlencoded data is being split on the percent sign, sorted, and then searched.... How do I get it to treat it like a string and leave it alone and search for my explicit string?

Thanks...

Tags (3)
0 Karma
Reply

stephen1h
New Member
‎11-07-2013 01:17 PM

The answer is to do CASE("%2F%63%67%69%2D%62%69%6E%2F") ... then splunk stops doing odd things with the text and matches strings in fields quickly. I think this is a hack though. It is also blazingly fast to use in a search compared to using the | regex ....

0 Karma
Reply

Ayn
Legend
‎11-07-2013 01:25 PM

I'm guessing you meant TERM()?

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-07-2013 01:23 PM

CASE() is often a speed killer on a search, so use it with caution. Unless the regex is looking at the url encoding format specifically, it's not the best plan really.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-07-2013 01:06 PM

Look at the docs for Functions for eval and where. Second to the last entry in the table is urldecode(). The description is:

This function takes one URL string argument X and returns the unescaped or decoded URL string.

The example is:

... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

The result would be that n is "http://www.splunk.com/download?r=header".

For your use, insert

… | eval newfield=urldecode(yourfield) | …

and then do your regex.

--
Jesse Trucks
Minister of Magic
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...