Answer by warren for Splunk Count Specific String in a Field

Try this:

index=ndx sourcetype=srctp msg=*
| rex field=msg "factType=(?<facttype>\w+).(?<params>.+)"
| stats count by facttype params
| fields - count
| search facttype="commercial"

The rex will extract the facttype and any following parameters (note – if the URL is submitted with the arguments in a different order, you’ll need to adjust the regular expression).

Then use a | stats count by to bin them together.

Lastly, search only where there is both a facttype="commercial" and the URL has additional parameters.

from User warren – Stack Overflow https://stackoverflow.com/questions/68886885/splunk-count-specific-string-in-a-field/73128369#73128369
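
How the rex pattern above behaves when the arguments arrive in a different order, as an added example that is not part of warren's answer. Python's `re` stands in for rex's PCRE engine here; the sample msg values and the `extract_any_order` helper are constructed for illustration and assume msg holds a URL with a query string.

```python
import re
from collections import Counter

# The answer's rex pattern; Python spells PCRE's (?<name>...) as (?P<name>...).
REX = re.compile(r"factType=(?P<facttype>\w+).(?P<params>.+)")

# Constructed sample msg values (assumed URL shape, not from the original question).
SAMPLE_MSGS = [
    "/facts?factType=commercial&region=emea",
    "/facts?factType=commercial&region=emea",
    "/facts?factType=commercial",               # no extra parameters
    "/facts?region=emea&factType=commercial",   # arguments in a different order
    "/facts?factType=residential&region=apac",
]

def extract(msg):
    """Mimic `rex field=msg`: first match wins, no match leaves the fields unset."""
    m = REX.search(msg)
    return (m["facttype"], m["params"]) if m else None

def pipeline(msgs, wanted="commercial"):
    """Mimic: stats count by facttype params | fields - count | search facttype=wanted."""
    groups = Counter(pair for pair in map(extract, msgs) if pair)
    return sorted(pair for pair in groups if pair[0] == wanted)

def extract_any_order(msg):
    """Hypothetical order-independent variant: take factType, keep the other args as params."""
    query = msg.partition("?")[2]
    args = [a for a in query.split("&") if a]
    fact = [a.split("=", 1)[1] for a in args if a.startswith("factType=")]
    rest = "&".join(a for a in args if not a.startswith("factType="))
    return (fact[0], rest) if fact and rest else None

if __name__ == "__main__":
    for msg in SAMPLE_MSGS:
        print(f"{msg!r:45} rex={extract(msg)} any_order={extract_any_order(msg)}")
    print(pipeline(SAMPLE_MSGS))
```

When factType is the last argument the pattern still matches by backtracking (facttype="commerci", params="l"), so it is the final search on facttype="commercial" that drops those rows.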