URL-decodes the contents of a string field.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxurlDecode("value")and:
logscale SyntaxurlDecode(field="value")These examples show basic structure only.
urlDecode() Syntax Examples
With an event with a field
Bar=https%3A%2F%2Fwww.example.com,
you get https://www.example.com in the
_urldecode field:
urlDecode("Bar")
With an event with a field
Bar=https%3A%2F%2Fwww.example.com,
you get https://www.example.com
in the Foo field:
Foo:=urlDecode("Bar")
With an event with a field
Bar=https%3A%2F%2Fwww.example.com,
you get https://www.example.com
in the Foo field:
urlDecode("Bar", as="Foo")urlDecode() Examples
Click next to an example below to get the full details.
Decode Redirect URLs in Authentication Logs
Decode Redirect URLs in Authentication Logs to analyze
authentication flows using the urlDecode() function with
as parameter
Query
redirect_url = *
| urlDecode(field=redirect_url, as=decoded_redirect)
| auth_status="success"Introduction
In this example, the urlDecode() function is used
to decode URL-encoded redirect URLs in authentication logs to analyze
user authentication flows and potential security issues. Using the
as parameter, you can
specify a custom field name for the decoded result.
Example incoming data might look like this:
| @timestamp | auth_status | redirect_url | user_id | source_ip |
|---|---|---|---|---|
| 1683000000000 | success | https%3A%2F%2Fapp.example.com%2Fdashboard%3Ftoken%3Dabc123 | user1 | 10.0.0.1 |
| 1683000001000 | failed | https%3A%2F%2Fmalicious.com%2Fphish%3Ftoken%3Dxyz789 | user2 | 192.168.1.100 |
| 1683000002000 | success | https%3A%2F%2Fapp.example.com%2Freports%3Fid%3D456%26view%3Dfull | user3 | 10.0.0.2 |
| 1683000003000 | success | https%3A%2F%2Fapp.example.com%2Fsettings%3Fmode%3Dadmin | user4 | 10.0.0.3 |
Step-by-Step
Starting with the source repository events.
- logscale
redirect_url = *Filters for events containing the redirect_url field.
- logscale
| urlDecode(field=redirect_url, as=decoded_redirect)Decodes the URL-encoded values in the redirect_url field and stores the result in a new field named decoded_redirect using the
asparameter. - logscale
| auth_status="success"Filters to include only successful authentication attempts.
Event Result set.
Summary and Results
The query is used to analyze post-authentication redirect patterns by decoding redirect URLs from authentication logs.
This query is useful, for example, to monitor authentication flows, detect suspicious redirect patterns, or track which application areas users access after authentication.
Sample output from the incoming example data:
| @timestamp | auth_status | decoded_redirect | redirect_url | source_ip | user_id |
|---|---|---|---|---|---|
| 1.683E+12 | success | https://app.example.com/dashboard?token=abc123 | https%3A%2F%2Fapp.example.com%2Fdashboard%3Ftoken%3Dabc123 | 10.0.0.1 | user1 |
| 1.683E+12 | success | https://app.example.com/reports?id=456&view=full | https%3A%2F%2Fapp.example.com%2Freports%3Fid%3D456%26view%3Dfull | 10.0.0.2 | user3 |
| 1.683E+12 | success | https://app.example.com/settings?mode=admin | https%3A%2F%2Fapp.example.com%2Fsettings%3Fmode%3Dadmin | 10.0.0.3 | user4 |
Note that the decoded URL is stored in the specified field decoded_redirect and special characters (&, =, ?) are properly decoded.
Decode Referrer URLs in Web Access Logs
Decode Referrer URLs in Web Access Logs to analyze traffic sources
using the urlDecode() function with
assignment operator
Query
referrer = *
| decodedUrl := urlDecode(field=referrer)
| conversion=trueIntroduction
In this example, the urlDecode() function is used
to decode URL-encoded referrer URLs to analyze traffic sources and
marketing campaign effectiveness. Using the assignment operator (:=),
you can specify a custom field name for the decoded result.
Example incoming data might look like this:
| @timestamp | referrer | campaign_id | conversion | revenue |
|---|---|---|---|---|
| 1683000000000 | https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbest%20cloud%20security | camp_001 | true | 199.99 |
| 1683000001000 | https%3A%2F%2Fwww.facebook.com%2Fads%3Fcampaign%3Dsecurity2023 | camp_002 | false | 0.00 |
| 1683000002000 | https%3A%2F%2Ftwitter.com%2Fstatus%3Fpromo%3Dspring50 | camp_003 | true | 299.99 |
| 1683000003000 | https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dantivirus%20enterprise | camp_001 | false | 0.00 |
Step-by-Step
Starting with the source repository events.
- logscale
referrer = *Filters for events containing the referrer field.
- logscale
| decodedUrl := urlDecode(field=referrer)Decodes the URL-encoded values in the referrer field and assigns the result to a new field named decodedUrl.
- logscale
| conversion=trueFilters to include only successful conversions.
Event Result set.
Summary and Results
The query is used to analyze traffic sources that led to successful conversions by decoding referrer URLs.
This query is useful, for example, to track which search terms or social media campaigns are driving successful conversions, or to analyze the effectiveness of different marketing channels.
Sample output from the incoming example data:
| @timestamp | campaign_id | conversion | decodedUrl | referrer | revenue |
|---|---|---|---|---|---|
| 1.683E+12 | camp_001 | TRUE | https://www.google.com/search?q=best cloud security | https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbest%20cloud%20security | 199.99 |
| 1.683E+12 | camp_003 | TRUE | https://twitter.com/status?promo=spring50 | https%3A%2F%2Ftwitter.com%2Fstatus%3Fpromo%3Dspring50 | 299.99 |
Note that the original encoded referrer field remains unchanged.
Decode URL-Encoded Strings
Decode URL-Encoded Web Request Parameters using the
urlDecode() function
Query
request_url = *
| urlDecode(field=request_url)
| status_code=200Introduction
In this example, the urlDecode() function is used
to decode URL-encoded parameters from web requests to analyze user
interactions. When used without specifying an output field, the decoded
result is automatically stored in a field named
_urldecode.
Example incoming data might look like this:
| @timestamp | request_url | status_code | bytes_sent | response_time |
|---|---|---|---|---|
| 1683000000000 | /products?category=electronics&filter=price%3E100%20AND%20brand%3DApple | 200 | 2048 | 0.23 |
| 1683000001000 | /search?q=wireless%20headphones%20with%20noise%20cancelling | 200 | 1536 | 0.15 |
| 1683000002000 | /products?id=12345&return_url=%2Fcart%3Fcheckout%3Dtrue | 500 | 512 | 1.45 |
| 1683000003000 | /search?q=bluetooth%20speakers%20under%20%24100 | 200 | 1024 | 0. |
Step-by-Step
Starting with the source repository events.
- logscale
request_url = *Filters for events containing the request_url field.
- logscale
| urlDecode(field=request_url)Decodes the URL-encoded values in the request_url field, and returns the result in the default output field _urldecode.
- logscale
| status_code=200Filters to include only successful requests with status code
200. Event Result set.
Summary and Results
The query is used to decode URL-encoded web request parameters to analyze user behavior and application patterns.
This query is useful, for example, to monitor user search patterns, analyze product filtering preferences, or troubleshoot issues with specific URL parameters.
Sample output from the incoming example data:
| @timestamp | _urldecode | bytes_sent | request_url | response_time | status_code |
|---|---|---|---|---|---|
| 1.683E+12 | /products?category=electronics&filter=price>100 AND brand=Apple | 2048 | /products?category=electronics&filter=price%3E100%20AND%20brand%3DApple | 0.23 | 200 |
| 1.683E+12 | /search?q=wireless headphones with noise cancelling | 1536 | /search?q=wireless%20headphones%20with%20noise%20cancelling | 0.15 | 200 |
| 1.683E+12 | /search?q=bluetooth speakers under $100 | 1024 | /search?q=bluetooth%20speakers%20under%20%24100 | 0.18 | 200 |
Note that special characters (>, $, spaces) are properly decoded and
failed requests (status_code != 200) are excluded.