Need to exclude the query parameters from a URL field.
For e.g. the field contains http://www.google.com/india?search=splunk. I need to substring this such that result field only contains http://www.google.com/india i.e. remove the part following "?" character. Tried using the eval and the replace functions but did not work...
Ayn's answer fails if the URL does not include a question mark. Here is a regex that works for URLs with and without a question mark:
| rex field=your_url_field "^(?<your_new_url_field>[^?]+)
... | rex field=your_url_field "^(?<your_new_url_field>.+?)\?"
Ah. Updated my answer with a corrected regex.
Thanks it works.. however one small problem I get the result as http://www.google.com/india? and not as http://www.google.com/india I also need to get rid of the ending ?