Histogram of a natural number field (how many url_path values were seen with N attempts; the rex rewrites every url_path to 1, so the second stats sums to the number of paths per attempt count)
NOTE: the x-axis ends up being ordinal instead of linear, so it can read 1 2 3 5 6 8 12 instead of 1 2 3 4 5 6 7 ...
| stats count AS attempts by url_path
| rex field=url_path mode=sed "s/.*/1/"
| stats sum(url_path) by attempts
| sort num(attempts)
Get the client IP from the X-Forwarded-For header (leftmost entry, which also matches single-IP headers; this entry is supplied by the client and can be spoofed, so for trust decisions prefer the entry appended by your own proxy)
| rex field=http_x_forwarded_for "^(?<client_ip>[^,\s]+)"
Follow a request_id across events (group into transactions no longer than 5s, keeping evicted ones)
| transaction request_id maxspan=5s keepevicted=1
Change status to its status class (e.g. 404 -> 4xx)
| rex field=status mode=sed "s/(\d)\d\d/\1xx/"
Strip query params off url_path
| rex field=url_path mode=sed "s/\?(.+)//"
Fill in "undefined" for events whose recentAuthProvider value was stripped
| eval recentAuthProvider=coalesce(recentAuthProvider, "undefined")
Collapse every UUID in url_path to <UUID> (the g flag replaces all matches, not only the first)
| rex field=url_path mode=sed "s/([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})/<UUID>/g"
Parse query string parameters into one field per parameter (from the Splunk Community thread linked below)
| eval request_uri=replace(request_uri, "u0026", "&")
| rex field=request_uri max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)"
| eval params=mvzip(params,values)
| mvexpand params
| eval params=split(params,",")
| eval param=urldecode(mvindex(params,0)), {param}=mvindex(params,1)
| fields - param values params punct
https://community.splunk.com/t5/Splunk-Search/parse-query-string-parameters/m-p/504944
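The same normalizations the SPL snippets above perform, written in Python as an added example so they can be exercised offline against a handful of constructed access-log events (this is not code from the page or from Splunk). It assumes url_path still carries its query string, that the escaped ampersand appears as the literal sequence \u0026, and that the field names match the ones used in the snippets. It mirrors the snippets for X-Forwarded-For, status class, query stripping, UUID collapsing, query-string parsing and the attempts histogram, and returns both ends of the X-Forwarded-For list so the difference between the client-supplied leftmost entry and the proxy-appended rightmost entry is visible.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample events; the field names follow the SPL snippets above.
EVENTS = [
    {"url_path": "/api/users/123e4567-e89b-12d3-a456-426614174000?page=2",
     "status": "200", "http_x_forwarded_for": "203.0.113.7, 198.51.100.9",
     "recentAuthProvider": "okta"},
    {"url_path": "/api/users/123e4567-e89b-12d3-a456-426614174001",
     "status": "404", "http_x_forwarded_for": "203.0.113.8",
     "recentAuthProvider": None},
    {"url_path": "/login?next=%2Fhome\\u0026lang=en",
     "status": "302", "http_x_forwarded_for": "198.51.100.9",
     "recentAuthProvider": None},
    {"url_path": "/login",
     "status": "500", "http_x_forwarded_for": "203.0.113.8, 203.0.113.9, 198.51.100.9",
     "recentAuthProvider": "google"},
    {"url_path": "/health",
     "status": "200", "http_x_forwarded_for": "198.51.100.9",
     "recentAuthProvider": None},
]

# Same UUID pattern as the collapse-UUIDs snippet.
UUID_RE = re.compile(
    r"[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
)


def client_ips(xff):
    # Returns (leftmost, rightmost). The leftmost entry is what the rex above
    # extracts; it is written by the client and can be spoofed. The rightmost
    # entry was appended by the last proxy in the chain.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return (None, None)
    return (hops[0], hops[-1])


def status_group(status):
    # Equivalent of the sed expression s/(\d)\d\d/\1xx/ : "404" -> "4xx".
    return re.sub(r"^(\d)\d\d$", r"\1xx", status)


def normalize_path(url_path):
    # Strip the query string, then replace every UUID (the sed g flag).
    path = re.sub(r"\?.*", "", url_path)
    return UUID_RE.sub("<UUID>", path)


def parse_query(request_uri):
    # Undo the escaped ampersand, then pull each key=value pair. Keys are
    # url-decoded like the SPL (urldecode on mvindex 0); values are kept raw.
    uri = request_uri.replace("\\u0026", "&")
    pairs = re.findall(r"[?&]([^=&]+)=([^&]*)", uri)
    return {unquote(key): value for key, value in pairs}


def auth_provider(event):
    # coalesce(recentAuthProvider, "undefined")
    value = event.get("recentAuthProvider")
    return value if value is not None else "undefined"


def attempts_histogram(events):
    # stats count AS attempts by url_path, then count paths per attempts value,
    # sorted numerically by attempts.
    per_path = Counter(normalize_path(e["url_path"]) for e in events)
    return dict(sorted(Counter(per_path.values()).items()))


if __name__ == "__main__":
    for e in EVENTS:
        print(normalize_path(e["url_path"]), status_group(e["status"]),
              client_ips(e["http_x_forwarded_for"]), auth_provider(e),
              parse_query(e["url_path"]))
    print(attempts_histogram(EVENTS))
```

The histogram keys are the attempt counts (the ordinal x-axis mentioned in the first note) and the values are how many distinct normalized paths had that many attempts; collapsing UUIDs first is what makes the per-resource paths fold into one bucket.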