So, "product" is just the last segment of PATH_INFO. Here is a general method to process the URI field semantically.

| eval uri = split(urldecode(uri), "?")
| eval PATH_INFO = mvindex(uri, 0)
| eval product = mvindex(split(PATH_INFO, "/"), -1) ``` last segment ```
| eval QUERY_STRING = mvindex(uri, 1)
| rename _raw AS temp, QUERY_STRING AS _raw
| kv kvdelim="=" pairdelim="&"
| rename temp AS _raw

Here, you not only get "product", but also the parameters in QUERY_STRING. To find the top "product", then, is just an exercise of counting.

| eval uri = split(urldecode(uri), "?")
| eval PATH_INFO = mvindex(uri, 0)
| eval product = replace(mvindex(split(PATH_INFO, "/"), -1), "\.do$", "")
| top 5 product ``` replace 5 with however many you want ```

Here, we drop ".do" from the "product" name. This is just cosmetic.

Two additional points: When you ask a question, always illustrate your data (anonymize as needed), but in text. This is a Splunk search forum, not an F5 forum. Explain how the data should logically lead to your desired results.

Another pointer is about anonymization. A public IP address can reveal a great deal about the business. (Even a private IP address should be altered as a general rule.)
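The same URI-parsing pipeline as above, re-implemented in Python as an added example (not from the answer or from Splunk) so the steps can be checked outside Splunk: urldecode, split on "?", take the last PATH_INFO segment as the product (dropping a trailing ".do"), split QUERY_STRING into key=value pairs, then count the top N products. The sample URIs are constructed for the example.

```python
from collections import Counter
from urllib.parse import unquote


def parse_uri(uri):
    """Mirror the SPL: urldecode first, then split into PATH_INFO and
    QUERY_STRING on '?', take the last path segment as the product
    (minus a trailing .do) and parse the query string as k=v pairs
    joined by '&' (what `kv kvdelim="=" pairdelim="&"` does)."""
    decoded = unquote(uri)                      # urldecode(uri)
    path_info, _, query_string = decoded.partition("?")  # split(uri, "?")
    product = path_info.split("/")[-1]          # mvindex(split(PATH_INFO, "/"), -1)
    if product.endswith(".do"):                 # replace(..., "\.do$", "")
        product = product[:-3]
    params = {}
    # An absent query string gives an empty dict, as kv yields no fields.
    for pair in filter(None, query_string.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return product, params


def top_products(uris, n=5):
    """Equivalent of `| top n product`: (product, count) pairs, most common first."""
    counts = Counter(parse_uri(u)[0] for u in uris)
    return counts.most_common(n)


# Constructed sample URIs standing in for the `uri` field of F5 events.
SAMPLE_URIS = [
    "/app/catalog/widget.do?id=1&lang=en",
    "/app/catalog/widget.do?id=2",
    "/app/catalog/gadget.do?id=3&lang=fr",
    "/app/catalog/widget.do?id=4&note=hello%20world",
    "/app/catalog/gadget.do",
    "/app/health",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", parse_uri(uri))
    print(top_products(SAMPLE_URIS))
```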