The urldecode operator decodes a URL you include in a query, returning the decoded (unescaped) URL string.
For example, a URL that looks like this:
can be decoded to:
urldecode(<url_field>) [as <field>]
urldecode("<url string>") as <field>
Let's say you'd like to decode URLs connecting to your firewall. Running a query like:
| parse "Connecting to firewall at URL: *" as url
| urldecode(url) as decoded
returns each URL in both its encoded and decoded states, so you can run additional queries on the parsed, decoded URLs.
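One such follow-up query, as an added example that is not part of the original documentation: it applies urldecode a second time and keeps only the URLs whose value still changes, which is what a URL encoded more than once looks like. The `_sourceCategory=firewall` scope and the field names `decoded_once` and `decoded_twice` are assumptions chosen for illustration.

```sumo
_sourceCategory=firewall
// Added example: the scope above and the field names below are hypothetical.
| parse "Connecting to firewall at URL: *" as url
| urldecode(url) as decoded_once
// Decode the already-decoded value; a single-encoded URL stays the same here.
| urldecode(decoded_once) as decoded_twice
// Keep only URLs that changed on the second pass (encoded more than once).
| where decoded_once != decoded_twice
| count by url, decoded_once, decoded_twice
| sort by _count
```

A URL that legitimately carries an encoded literal percent sign followed by two hex digits also matches, so treat the results as leads to review, not as confirmed detections.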