You might want to compare the performance of multiple web hosts over time when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Web server data
In a farm of web servers behind a proxy server, you can reasonably expect near-uniform behavior from each web server. A single server that processes traffic differently than other servers is an indication that something has gone wrong with that server or with the proxy server distributing traffic. You want to monitor your servers for these issues.
To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses the Splunk Add-on for Apache Web Server. You can replace this source with any other web server data used in your organization.
- Verify that you deployed a web server add-on to the search heads, so that the needed tags and fields are defined. For more information, see About installing Splunk add-ons.
- Run the following search:
tag=web |timechart span=15m count BY host useother=f
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk search | Explanation |
| --- | --- |
| tag=web | Search for events that are tagged as web events. |
| \|timechart span=15m count BY host useother=f | Graph the count of events for each host, excluding other series from the results. Use 15-minute time increments. |
An even distribution of traffic across hosts is ideal. If one of the lines in the timechart plots much differently than the others, you might have a load balancing problem. A good next step is to understand the load balancing algorithm to help determine why traffic is not balanced. For example, with a round-robin algorithm, an imbalance may indicate dropped connections at the network interfaces, while with a least-connections algorithm it would suggest a server that is too slow to handle its fair share of the load.
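
To flag a divergent host without reading the chart by eye, the search can be extended to compare each host's 15-minute count with the median across all hosts in the same interval. This is an added example, not part of the original procedure; the 50% and 150% thresholds, the minimum of three hosts, and the field names median_count, host_count and pct_of_median are assumptions to tune for your environment.

```spl
tag=web
| timechart span=15m limit=0 useother=f count BY host
| untable _time host count
| eventstats median(count) AS median_count dc(host) AS host_count BY _time
| where host_count >= 3 AND median_count > 0
| eval pct_of_median=round(100 * count / median_count, 1)
| where pct_of_median < 50 OR pct_of_median > 150
| sort 0 _time host
| table _time host count median_count pct_of_median
```

Because timechart fills empty intervals with 0, a host that stops serving entirely still appears in the results at 0% of the median, provided it logged at least one event somewhere in the search time range.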