michaellwest · January 18, 2023 19:52
diff --git a/SplunkQuery.txt b/SplunkQuery.txt
 index=iis sourcetype=ms:iis:auto NOT cs_uri_stem="/sitecore/service/keepalive.aspx" NOT cs_User_Agent="*PRTG+Network+Monitor*" cs_uri_stem="/sxa/search/results*" | rex field=cs_uri_query max_match=0 "[\&]?(?<qkey>[^=]+)=(?<qvalue>[^&]+)?"
 | eval fields = mvzip(qkey,qvalue) 
 | mvexpand fields
 | eval pairs=split(fields,",")
 | eval key=mvindex(pairs,0), value=mvindex(pairs,1)
 | fields cs_host cs_uri_query a g q 
 | eval a=urldecode(a)
 | eval g=urldecode(g)
 | eval q=urldecode(q)  
 | stats values(*) as * by cs_uri_query
	index=iis sourcetype=ms:iis:auto NOT cs_uri_stem="/sitecore/service/keepalive.aspx" NOT cs_User_Agent="PRTG+Network+Monitor" cs_uri_stem="/sxa/search/results*" \| rex field=cs_uri_query max_match=0 "[\&]?(?<qkey>[^=]+)=(?<qvalue>[^&]+)?"
	\| eval fields = mvzip(qkey,qvalue)
	\| mvexpand fields
	\| eval pairs=split(fields,",")
	\| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
	\| fields cs_host cs_uri_query a g q
	\| eval a=urldecode(a)
	\| eval g=urldecode(g)
	\| eval q=urldecode(q)
	\| stats values() as by cs_uri_query