
Good afternoon,


Can I ask more around your use case for having URLs as part of grouped fields? Grouped fields are aliases for groups of related UDM fields that allow you to query multiple UDM fields simultaneously, without needing to type each field individually.

That being said, you can search all or part of URLs within SecOps using the 'group' function, or a standard search using OR statements or a reference list / data table to search through your data.


If I know more about your use case I can help a little further.
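As an added illustration of the workarounds described in the post above (this is not query text from the post or from Google's documentation; the field paths, the regex value and the reference list name are assumptions based on the public UDM schema and UDM search syntax), a standard search that matches a URL pattern across several noun URL fields with OR statements, followed by the reference-list form:

```text
// Standard search: OR the URL field of each noun you expect to be populated
// (field paths assumed from the UDM schema; adjust to what your parsers fill)
(principal.url = /login\.example\.com/ nocase OR
 target.url    = /login\.example\.com/ nocase OR
 about.url     = /login\.example\.com/ nocase)

// Same check driven by a reference list (list name "url_watchlist" is constructed)
principal.url in %url_watchlist OR target.url in %url_watchlist
```

The OR form is what a grouped field would collapse into a single term; until such an alias exists for URLs, the reference-list form keeps the list of values out of the query body so that the query itself stays short and the values can be maintained separately.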


@darrenswift It's like you said, the grouped field functionality is very useful because of the ability to save space when crafting SIEM queries via API and not having to fear making a mistake and forgetting a field.


The workarounds you suggest are certainly also applicable for other fields that are grouped, like domain and IP, but they have grouped fields - hence my question on why grouped fields don't exist for URL?

