Skip to main content
Splunk Lantern

Application error tracing

 

Your application support team wants to use the Splunk platform with web access logs to see what errors occur. You need to make sure your deployment is configured correctly and create a search they can use.

Data required 

Application server data

To complete this process, your deployment needs to ingest normalized data, populating the Web data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

  1. To verify you are searching for normalized web data, run the following search. You can optimize it by specifying an index and adjusting the time range.
    earliest=-1day index=* tag=web
    | head 10
    
  2. Do one of the following:
tag=web status>=400 
| stats count BY uri_path, status 
| sort limit=20 -count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
tag=web Search for events that are tagged as web events.
status>=400 Search for statuses greater than or equal to 400.
| stats count BY uri_path, status Count the number of events and group them by URI and status.
| sort limit=20 -count Sort the top 20 results with the largest count first.

Result

You can use this information to troubleshoot production issues for users and identify areas to improve navigation or performance.

You might want to chart key metrics related to application performance when monitoring web application performance.