How do you url encode a query you want to send to ...

obesechicken13 · ‎08-20-2012

On the splunk dev rest api guide it says that splunk queries sent through curl must first be url encoded.

http://dev.splunk.com/view/SP-CAAADQT

Some url encoders will turn a spacebar into a %20 symbol for instance. The page then goes on to show an example of url encoding with a python built in function. Can you just use the built in curl url encode function?

I have a query that uses rex in a way like this and I'm not sure how to url encode correctly. Although I need to try the query out again on another search head later today.
index=index obscure=keyword earliest=8/5/2012:0:0:0 latest=8/6/2012:0:00:0 date_hour=16 (date_minute>=20 AND date_minute<30) | rex "(?im)^(?:[^:\\n]*:){3}\\d+\\s+(?P[^ ]+) (?P[^ ]+)" | rex "(?i) url: (http://)?(?P[^?]+)" | search method="login" OKurl="this.url.com/means_ok" | stats count AS HIT BY date_mday

You'll notice all the weird characters. I don't think splunk likes it when I url encode the spacebar character, so I'm just wondering what characters need to be url encoded.

kallu · ‎08-20-2012

Curl should take care of encoding for you. There is an option "--data-urlencode" that should do the trick. You don't need to do anything, except escape it for your shell so it doesn't get altered before curl gets it 🙂 If you think you have problem with your shell messing with the data, you can try putting it into file and passing to curl with @filename option for --data-urlencode (see curl man-page). Also this this tutorial can be useful.

If tempted to encode your string manually (not recommended), here is the spec what to do.

How do you url encode a query you want to send to splunk?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!