michaellwest/SplunkQuery.txt

## SplunkQuery.txt
index=iis sourcetype=ms:iis:auto NOT cs_uri_stem="/sitecore/service/keepalive.aspx" NOT cs_User_Agent="*PRTG+Network+Monitor*" cs_uri_stem="/sxa/search/results*" | rex field=cs_uri_query max_match=0 "[\&]?(?<qkey>[^=]+)=(?<qvalue>[^&]+)?"
| eval fields = mvzip(qkey,qvalue)
| mvexpand fields
| eval pairs=split(fields,",")
| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
| fields cs_host cs_uri_query a g q
| eval a=urldecode(a)
| eval g=urldecode(g)
| eval q=urldecode(q)
| stats values(*) as * by cs_uri_query
	index=iis sourcetype=ms:iis:auto NOT cs_uri_stem="/sitecore/service/keepalive.aspx" NOT cs_User_Agent="PRTG+Network+Monitor" cs_uri_stem="/sxa/search/results*" \| rex field=cs_uri_query max_match=0 "[\&]?(?<qkey>[^=]+)=(?<qvalue>[^&]+)?"
	\| eval fields = mvzip(qkey,qvalue)
	\| mvexpand fields
	\| eval pairs=split(fields,",")
	\| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
	\| fields cs_host cs_uri_query a g q
	\| eval a=urldecode(a)
	\| eval g=urldecode(g)
	\| eval q=urldecode(q)
	\| stats values() as by cs_uri_query