Kentaro Kuribayashi's blog

Software Engineering, Management, Books, and Daily Journal.

More appropriate LTSV usage and fluent-plugin-extract_query_params

In id:stanaka's blog post on LTSV, he wrote that they use %r for the req key to record the request method, request URI, and protocol. I think the value %r provides, for example "GET /foo/bar?hoge=fuga HTTP1.1", is not easy to handle. I'd rather propose the format below:

For Apache:

method:%m\tpath:%U%q\tprotocol:%H

For nginx:

method:$request_method\tpath:$request_uri\tprotocol:$server_protocol

Using this format, the log will be emitted as below:

method:GET path:/foo/bar?hoge=fuga protocol:HTTP1.1

This is more convenient to process with Unix tools or fluentd, isn't it? I strongly recommend you choose it.

Besides, if you adopt the format described above, you can use my Fluentd plugin, fluent-plugin-extract_query_params.

<match access_log>
  type extract_query_params

  key            path
  add_tag_prefix extracted.
  only           hoge
</match>

With this configuration, the log will be emitted as below:

extracted.access_log => {
  "method"   : "GET",
  "path"     : "/foo/bar?hoge=fuga",
  "protocol" : "HTTP1.1",
  "hoge"     : "fuga"
}

I think this is really innovative for the Fluentd world.