The parse_urlquery function parses a URL query string and returns a dynamic object containing the query parameters as key-value pairs. Use this function to extract and analyze query parameters from URLs in logs, API requests, or web traffic data.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex or URL parsing to extract query parameters. APL's parse_urlquery provides structured query string parsing.
['sample-http-logs']
| extend params = parse_urlquery(uri)

In ANSI SQL, query string parsing requires complex string manipulation. APL's parse_urlquery provides native parsing.
['sample-http-logs']
| extend params = parse_urlquery(uri)

Usage
Syntax
parse_urlquery(query_string)

Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| query_string | string | Yes | A URL query string (with or without the leading '?') to parse. |
Returns
Returns a dynamic object containing the query parameters as key-value pairs.
Use case examples
Extract and analyze query parameters from API requests to understand search patterns and filter usage.
Query
['sample-http-logs']
| extend parameters = parse_urlquery('page=1&limitation=50&sort=date')
| extend page = toint(parameters.page)
| extend limitation = toint(parameters.limitation)
| extend sort = tostring(parameters.sort)
| summarize request_count = count() by page, limitation, sort
| sort by request_count desc
| limit 10

Output
| page | limitation | sort | request_count |
|---|---|---|---|
| 1 | 50 | date | 8765 |
This query parses query parameters from API requests to analyze pagination and sorting preferences.
Extract query parameters from HTTP spans to analyze API query patterns.
Query
['otel-demo-traces']
| extend query_string = '?user_id=12345&action=checkout&currency=USD'
| extend params = parse_urlquery(query_string)
| extend user_id = tostring(params.user_id)
| extend action = tostring(params.action)
| extend currency = tostring(params.currency)
| summarize span_count = count() by action, currency
| sort by span_count desc
| limit 10

Output
| action | currency | span_count |
|---|---|---|
| checkout | USD | 8765 |
This query extracts query parameters from span data to analyze user actions and currency usage patterns in a distributed system.
Detect potential SQL injection or XSS attacks by analyzing suspicious query parameters.
Query
['sample-http-logs']
| extend query_params = parse_urlquery('search=<script>&id=1 OR 1=1')
| extend search_param = tostring(query_params.search)
| extend id_param = tostring(query_params.id)
| extend has_script = indexof(search_param, '<script>') >= 0
| extend has_sql = indexof(id_param, 'OR') >= 0
| where has_script or has_sql
| project _time, uri, search_param, id_param, has_script, has_sql, id, ['geo.country']
| limit 10

Output
| _time | uri | search_param | id_param | has_script | has_sql | id | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-11-06T10:00:00Z | /search | <script> | 1 OR 1=1 | true | true | user123 | Unknown |
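This query parses query parameters and checks them for injection attack patterns, helping identify potential security threats. The query string here is a literal used for illustration, so every row is flagged; to inspect real traffic, pass the field that holds the request's query string to parse_urlquery. The substring check for 'OR' also matches any value that contains those letters, such as ORDER, so treat matches as leads to review rather than confirmed attacks.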
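The same checks written in Python, as an added example that is not part of the original documentation: it parses each query string, normalizes percent-encoding (including values encoded twice), and matches case-insensitively on word boundaries so that a benign value such as ORDER_DATE is not flagged. The sample URIs, function names and patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample URIs (not taken from any real log).
SAMPLE_URIS = [
    "/search?search=%3Cscript%3E&id=1%20OR%201=1",
    "/search?search=shoes&id=42",
    "/orders?sort=ORDER_DATE&id=7",          # contains "OR" but is benign
    "/search?search=%253CScRiPt%253E&id=3",  # encoded twice, mixed case
]

# Opening script tag, any letter case, optional whitespace after '<'.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# Boolean tautology such as "OR 1=1": OR as a whole word followed by x=x.
SQL_RE = re.compile(r"\bor\b\s+(\w+)\s*=\s*\1\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so values encoded more than once are normalized."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_uri(uri):
    """Return {parameter: [flags]} for parameters whose value matches a pattern."""
    findings = {}
    query = urlsplit(uri).query
    # parse_qsl splits on '&', then on the first '=', and decodes once.
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        flags = []
        if SCRIPT_RE.search(value):
            flags.append("script_tag")
        if SQL_RE.search(value):
            flags.append("sql_tautology")
        if flags:
            findings[key] = flags
    return findings


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", inspect_uri(uri) or "clean")
```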
List of related functions
- parse_url: Parses complete URLs into all components. Use this when you need more than just query parameters.
- url_decode: Decodes URL-encoded strings. Use this to decode individual query parameter values.
- split: Splits strings by delimiters. Use this for simpler query string tokenization without key-value parsing.
- parse_json: Parses JSON strings. Use this when working with JSON data rather than URL query strings.