We have a fairly complex search page in our web app which has many search field options. We're trying to determine which options are used most frequently (and which are rarely or never used).
Our requests are logged on a line similar to (these are very slimmed-down examples):
...; Request: /xxx/Search.do; Params: address:;area:;siteName:Woodland;state:VA;status:;
...; Request: /xxx/Search.do; Params: address:;area:;siteName:;;state:ID;status:Inactive
The REGEX in my transforms.conf parses out 'address', 'area', etc. as field names. There are (currently) around 40 distinct search fields that could be passed in.
How can I get a result list something like this for the above simple example?
state 2
siteName 1
status 1
address 0
area 0
etc.
Examples I've seen elsewhere in Splunk Answers assume one knows the field names and usually are dealing with only 1 or 2 fields.
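The count asked for above, worked offline in Python as an added example that is not part of the original post and is not Splunk syntax: it discovers field names from the `Params:` list itself, so the ~40 names need not be known in advance. The function names are hypothetical, the sample lines are constructed from the two shown in the post, and it assumes values never contain `;`.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the post ("..." is the elided prefix).
SAMPLE_LOG = """\
...; Request: /xxx/Search.do; Params: address:;area:;siteName:Woodland;state:VA;status:;
...; Request: /xxx/Search.do; Params: address:;area:;siteName:;;state:ID;status:Inactive
"""

# Capture everything after "Params: " on Search.do request lines only.
PARAMS_RE = re.compile(r"Request: \S*/Search\.do; Params: (.*)$")


def parse_params(line):
    """Return {field: value} for one log line, or None if it is not a search request."""
    m = PARAMS_RE.search(line)
    if m is None:
        return None
    params = {}
    for pair in m.group(1).split(";"):
        if not pair.strip():
            continue  # empty segment: trailing ';' or a doubled ';;'
        # Split on the first ':' only, so values may themselves contain ':'.
        name, _, value = pair.partition(":")
        params[name.strip()] = value.strip()
    return params


def field_usage(lines):
    """Count, per field name, the requests that supplied a non-empty value."""
    usage = Counter()
    for line in lines:
        params = parse_params(line)
        if params is None:
            continue
        for name, value in params.items():
            # Adding 0 still registers the field, so never-used fields are listed.
            usage[name] += 1 if value else 0
    # Most-used first, ties broken alphabetically.
    return sorted(usage.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, count in field_usage(SAMPLE_LOG.splitlines()):
        print(f"{name} {count}")
```

A field appears in the output only if it occurs in at least one logged request, so a field the application never sends, even empty, will not be listed with a zero.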