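# This is a simple script to take the results of Splunk search, perform URL decoding on
# each event's content field, then return the results back to Splunk for further processing.
#
# It runs as a Splunk custom search command: events arrive through
# splunk.Intersplunk.getOrganizedResults() and are handed back through
# outputResults(). The rewrite of each event lives in decode_event() so that it
# can be exercised outside Splunk; main() is the glue.

try:
    from urllib.parse import unquote  # Python 3 (current Splunk-bundled interpreter)
except ImportError:
    from urllib import unquote  # Python 2, the interpreter this script was written for

# Text that introduces the url-encoded content field inside _raw. The original
# script hard-coded the offset 8 (index of the "=") next to this literal; the
# offset is now derived from the marker so the two cannot drift apart.
CONTENT_MARKER = " content="


def decode_event(raw_event, host):
    """Return *raw_event* with its content field URL-decoded and orig_host appended.

    Everything before the "=" of the first CONTENT_MARKER is kept verbatim; the
    remainder (starting at that "=", which percent-decoding leaves untouched,
    and excluding the final character of *raw_event*) is percent-decoded; then
    " orig_host=<host>" is appended so the source host survives downstream
    processing. Dropping the last character is inherited from the original
    script - presumably a trailing newline or closing quote; TODO confirm
    against real events.

    Args:
        raw_event: the event's _raw string.
        host: value of the event's host field, copied verbatim into the suffix.

    Returns:
        The rewritten _raw string. When *raw_event* contains no CONTENT_MARKER
        it is returned unchanged; the original script sliced from index 7 in
        that case (str.find() returned -1) and emitted a mangled event.

    Note:
        The decoded region is attacker-controlled input: percent-encoded bytes
        can decode into whitespace, newlines or key=value text that Splunk's
        automatic field extraction may pick up - including an orig_host= that
        would sit *before* the genuine value appended here. Downstream searches
        should treat fields extracted from the content region as untrusted and
        prefer the last orig_host occurrence. On Python 3, unquote() decodes
        %XX sequences as UTF-8 with replacement characters for invalid bytes;
        on Python 2 it returned the raw bytes.
    """
    marker_at = raw_event.find(CONTENT_MARKER)
    if marker_at < 0:
        return raw_event
    # Index of the marker's "=" - the same split point the original used (+8).
    split_at = marker_at + len(CONTENT_MARKER) - 1
    prefix = raw_event[:split_at]
    encoded = raw_event[split_at:len(raw_event) - 1]
    return prefix + unquote(encoded) + " orig_host=" + host


def main():
    """Entry point when Splunk executes this file as a search command."""
    # Splunk-only module; imported here so decode_event() stays importable elsewhere.
    import splunk.Intersplunk

    # populate 'results' variable with all events passed into search script
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

    for event in results:
        # The original read r["host"] directly, so one event without a host field
        # aborted the whole command with a KeyError; an empty value keeps the
        # remaining results flowing.
        event["_raw"] = decode_event(event["_raw"], event.get("host", ""))

    # return results back to Splunk
    splunk.Intersplunk.outputResults(results)


if __name__ == "__main__":
    main()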