

Splunk Lantern

Web hosts with HTTP error status codes

You might want to know which web hosts are generating HTTP error codes when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Recently, the data from your web server has shown an increase in error codes. You want to determine which hosts are generating the errors so you can resolve the problems.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses the Splunk Add-on for Apache Web Server. You can replace this source with any other web server data used in your organization.

  1. Verify you deployed a web server add-on to the search heads, so that the needed tags and fields are defined. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
     tag=web status>200
     | stats count AS "Bad Status Codes" BY host
     | sort - "Bad Status Codes"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

tag=web

Search for events that are tagged as web events.

status>200

Search for events with a status of greater than 200.

|stats count AS "Bad Status Codes" BY host

Count the total number of error codes for each host.

|sort - "Bad Status Codes"

Sort the results with the highest count of error codes first.


Knowing which hosts generate the highest number of error codes is useful for focusing troubleshooting efforts. After running this search, you can drill into each host and sort by most common error codes to further focus the troubleshooting.
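One way to do that drill-down in a single search, as an added example that is not part of the original article: it breaks each host's errors down by status code and adds an error rate, so a busy host is not ranked above a quiet host that is failing most of its requests. Assumptions: `<your_index>` is a placeholder for your web index, the 24-hour window is arbitrary, and the example counts only 4xx and 5xx responses, whereas the article's `status>200` filter also counts 201, 204 and 3xx responses.

```spl
index=<your_index> tag=web earliest=-24h
| eval is_error=if(tonumber(status)>=400, 1, 0)
| stats count AS total sum(is_error) AS errors BY host status
| eventstats sum(total) AS host_total sum(errors) AS host_errors BY host
| where errors>0
| eval error_rate_pct=round(100*host_errors/host_total, 2)
| sort - host_errors host - errors
| table host host_total host_errors error_rate_pct status errors
```

Each row is one host and status code pair: `errors` is the count for that code, while `host_errors` and `error_rate_pct` describe the host as a whole.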
