The url_decode function converts a URL-encoded string back to its original format. Use this function to decode query parameters, analyze encoded URIs, or extract readable text from URL-encoded log data.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you use urldecode. APL's url_decode provides the same functionality.

```sql Splunk example
| eval decoded=urldecode(field)
```

```kusto
['sample-http-logs']
| extend decoded = url_decode(field)
```

In ANSI SQL, URL decoding varies by database. APL's url_decode provides standardized URL decoding.

```sql SQL example
SELECT URL_DECODE(field) AS decoded FROM logs;
```

```kusto
['sample-http-logs']
| extend decoded = url_decode(field)
```

Usage

Syntax

```kusto
url_decode(encoded_url)
```

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| encoded_url | string | Yes | The URL-encoded string to decode. |

Returns

Returns the decoded string, with URL-encoded sequences converted back to their original characters.

Use case examples

Decode URL-encoded query parameters to analyze user search terms and inputs.

Query

```kusto
['sample-http-logs']
| extend decoded_uri = url_decode(uri)
| where decoded_uri != uri
| project _time, uri, decoded_uri, method, status
| limit 10
```

Output

| _time | uri | decoded_uri | method | status |
| --- | --- | --- | --- | --- |
| 2024-11-06T10:00:00Z | /search?q=hello%20world | /search?q=hello world | GET | 200 |
| 2024-11-06T10:01:00Z | /api?name=John%20Doe | /api?name=John Doe | GET | 200 |

This query decodes URL-encoded URIs to reveal the actual search terms and parameters used by users.

Decode URL-encoded span attributes or metadata.

Query

```kusto
['otel-demo-traces']
| extend encoded_attr = 'service%3Dfrontend%26version%3D1.0'
| extend decoded_attr = url_decode(encoded_attr)
| project _time, ['service.name'], encoded_attr, decoded_attr
| limit 10
```

Output

| _time | service.name | encoded_attr | decoded_attr |
| --- | --- | --- | --- |
| 2024-11-06T10:00:00Z | frontend | service%3Dfrontend%26version%3D1.0 | service=frontend&version=1.0 |

This query decodes URL-encoded attributes in traces, making them readable for analysis.

Decode potentially malicious URL-encoded payloads to identify attack patterns.

Query

```kusto
['sample-http-logs']
| extend decoded_uri = url_decode(uri)
| extend has_injection = indexof(decoded_uri, 'select') >= 0 or indexof(decoded_uri, '<script>') >= 0
| where has_injection
| project _time, uri, decoded_uri, has_injection, id, ['geo.country']
| limit 10
```

Output

| _time | uri | decoded_uri | has_injection | id | geo.country |
| --- | --- | --- | --- | --- | --- |
| 2024-11-06T10:00:00Z | /api?id=1%20union%20select | /api?id=1 union select | true | user123 | Unknown |

This query decodes URL-encoded injection attempts, revealing obfuscated SQL injection or XSS attacks for security analysis.
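
A single `url_decode` pass leaves a URI that was encoded twice still encoded, and matching on the raw decoded string depends on letter case. The variant below is an added example, not part of the original documentation. It assumes the same `sample-http-logs` fields and APL's `tolower` function; the column names `decoded_once`, `decoded_twice`, `double_encoded` and `normalized` are chosen here for illustration.

```kusto
['sample-http-logs']
// First pass: the same decoding step as the query above.
| extend decoded_once = url_decode(uri)
// Second pass: %2520 becomes %20 after one pass and a space after two.
| extend decoded_twice = url_decode(decoded_once)
// If the second pass still changes the string, the URI was encoded more than once.
| extend double_encoded = decoded_twice != decoded_once
// Lowercase before matching so SELECT, Select and select are treated alike.
| extend normalized = tolower(decoded_twice)
// '<script' without the closing bracket also matches tags that carry attributes.
| extend has_injection = indexof(normalized, 'select') >= 0 or indexof(normalized, '<script') >= 0
| where has_injection or double_encoded
| project _time, uri, decoded_twice, double_encoded, has_injection, id, ['geo.country']
| limit 10
```

Treat `double_encoded` as a triage signal rather than a verdict: a legitimately encoded percent sign followed by two hex digits also sets it.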

  • url_encode: Encodes strings for URL transmission. Use this to reverse the decoding operation.
  • parse_url: Parses URLs into components. Use this after url_decode for full URL analysis.
  • parse_urlquery: Parses URL query strings. Use this with url_decode to extract query parameters.
  • base64_decode_tostring: Decodes Base64 strings. Use this for Base64 encoding rather than URL encoding.
