Hi,
We were asked to analyze the parameter usage. It is a POST with a JSON body. The target is a set of 30 parameters, each of which is optional for that HTTP POST. The final query will be like this: for each parameter, tell me the count of POSTs containing that parameter over a period of time. We want to know which parameters interest the customers most. What is the best design, in terms of Splunk performance? I have several ideas about how the log file should be formatted. The basic format is one line for each HTTP request.
body="*k1*"
, body="*k2"
...Thanks for any comments.
I didn't quite understand your question, mostly the bitmap part.
Maybe this helps: if you index those JSONs as events, so that your events have fields k1, k2, k3, ..., you can use this easy stats/timechart trick:
... | stats count(k*) as k*
and the timechart one:
... | timechart count(k*) as k*
You will get a count for each field starting with k, overall or over time.
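The counting that the answer above describes, worked through as an added example (this is not code from the original thread, and it is not Splunk's own implementation): one JSON event per POST with the body's parameters as top-level fields, then a per-parameter total equivalent to `stats count(k*) as k*` and an hourly breakdown equivalent to `timechart span=1h count(k*) as k*`. The log lines are constructed for illustration, the field names `ts` and `path` and the parameter prefix `k` are assumptions, and treating a JSON null as "parameter absent" is an assumption about how the counts should behave, not a statement about Splunk's extraction.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: one JSON event per HTTP POST, with the body's
# parameters (k1, k2, k3 ...) lifted to top level so each becomes a field.
# The "ts" and "path" fields are assumed metadata names, not from the post.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:05:00Z", "path": "/api/search", "k1": "a", "k2": "b"}
{"ts": "2024-05-01T10:20:00Z", "path": "/api/search", "k1": "c"}
{"ts": "2024-05-01T10:40:00Z", "path": "/api/search", "k3": 1, "k2": "d"}
{"ts": "2024-05-01T11:10:00Z", "path": "/api/search", "k1": "e", "k2": null}
{"ts": "2024-05-01T11:30:00Z", "path": "/api/search", "k1": "f", "k3": 2}
{"ts": "2024-05-01T12:00:00Z", "path": "/api/search", "k2": "g"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of (timestamp, fields) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat before Python 3.11
        ts = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
        events.append((ts, fields))
    return events


def present_params(fields, prefix="k"):
    """Names of parameter fields that are present and non-null in one event.

    Assumption: an event contributes 1 to a parameter's count only if the
    field exists with a value; a JSON null is treated as "not sent".
    """
    return [
        name for name, value in fields.items()
        if name.startswith(prefix) and value is not None
    ]


def count_params(events, prefix="k"):
    """Overall count per parameter, the equivalent of `stats count(k*) as k*`."""
    totals = Counter()
    for _, fields in events:
        totals.update(present_params(fields, prefix))
    return totals


def timechart_params(events, prefix="k", span_seconds=3600):
    """Count per parameter per time bucket, like `timechart span=1h count(k*) as k*`.

    Returns {bucket_start_iso: Counter}, with buckets aligned to span_seconds.
    """
    buckets = defaultdict(Counter)
    for ts, fields in events:
        epoch = int(ts.timestamp())
        start = epoch - (epoch % span_seconds)
        key = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        buckets[key].update(present_params(fields, prefix))
    return dict(buckets)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("overall:", dict(count_params(evs)))
    for bucket, counts in sorted(timechart_params(evs).items()):
        print(bucket, dict(counts))
```

The design point this makes for the log format question: keep every request parameter as its own top-level JSON key with a common prefix (here `k`), and give the metadata fields names that do not share that prefix, so a `k*` wildcard in `stats` or `timechart` matches exactly the 30 parameters and nothing else.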