The URL Decode (urldecode) operator decodes a URL you include in a query, returning the decoded (unescaped) URL string.
For example, a URL that looks like this:
can be decoded to:
urldecode(<url_field>) [as <field>]
urldecode("<url string>") [as <field>]
Let's say you'd like to decode URLs connecting to your firewall. Running a query like:
http: | parse "Connecting to firewall at URL: *" as url
| urldecode(url) as decoded
returns results of each URL, both in the encoded and decoded state, allowing you to run additional queries on the parsed, decoded URLs.