FYI - these instructions are for the free SplunkforIronportWeb app that was offered from Splunkbase.
These instructions do not apply to the Splunk for Cisco Ironport Advanced Reporting application, which is available for purchase from Cisco.
Assuming you have the WSA app installed that extrapolates the cs_url field, try the following:
"www.google.com/search" "q=" | rex field=cs_url "q=(?P<search>[^&]*)\&" | rex field=search mode=sed "s/\+/ /g" | top search