Hello, thanks for the question about filebeat. In your configuration, is filebeat shipping directly to elasticsearch, or does filebeat first ship data to logstash for enrichment or filtering? If you're using logstash, this could possibly be a good portion of the pipeline to split up the url.query string.
If you're using logstash, I would recommend looking at the grok filter plugin:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html