Skip to main content
Splunk Lantern

Trends in web server response codes

You might want to find trends in http response codes from a web server over time when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Subtle problems introduced by regular software releases, system patching, configuration changes, and other production changes often go undetected if not monitored. You want to graph the distribution of response codes over time in order to perform long-term trending of site performance to identify problems. Additionally, you want a visualization to validate that a major production change hasn't inadvertently increased the overall number of errors or decreased the overall number of successes users experience.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Splunk Add-on for Apache Web Server. You can replace this source with any other web server data used in your organization. 

  1. Verify you deployed a web server add-on to the search heads, so that the needed tags and fields are defined. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
tag=web status=*
|eval status_group=case(status<300, "2xx", status<400, "3xx", status<500, "4xx", status<600, "5xx", true(), unknown)
|timechart span=1h count BY status_group 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=web 

Search for events that are tagged as web events.

status=*


 

Return all page requests that have an HTTP status.

|eval status_group=case(status<300, "2xx", status<400, "3xx", status<500, "4xx", status<600, "5xx", true(), unknown)

Group status codes together by 200s, 300s, 400s, and 500s. 

|timechart span=1h count BY status_group 

Graph the trend of status codes over time in 1-hour increments.

Result

If the majority of status codes are in the 2xx range, your web server is performing well. An increase in 4xx and 5xx codes, which indicate errors, would warrant further investigation.

A good next step is to search for error codes and count by server, url, or other term that could help isolate the cause of the error.

  • Was this article helpful?