Filter a request string from a specific character/string to another character to get the contents

LangHolloman · August 3, 2016, 9:05pm

This question is in relation to Visualizations. The purpose is to get insight into the search terms of an application that has a request.raw string exampled as: search?q=philadelphia&page=1. 'philadelphia' is the search term field portion of the string that I would like to get insight into what users are inputting in that field for search terms. Any suggestions for Discover to Visualizations of how to accomplish this, would be greatly appreciated.

One thought is:
to filter/aggregate specifically on the terms in a request.raw string from a specific character(s) to a specific character(s) later in the string. Here's an example of a string I would like to aggregate specifically on the terms from the 'q=' characters to the '&page' characters:
search?q=news&page=1
search?q=philadelphia&page=1

Suggestions?

shaunak · August 3, 2016, 9:37pm

Honestly, I'd suggest doing this sort of parsing before the data gets into Elasticsearch so that each document has a field q whose value is philadelphia, etc. Then you can run whatever aggregations on the q field.

Given that you referred to request.raw in your post, I assume you are using Logstash. You can use the kv filter with its field_split parameter set to & to generate fields from query string parameters in your request URIs.

LangHolloman · August 3, 2016, 10:16pm

makes sense, I'll try that with the logs in logstash