Your application support team wants to use the Splunk platform with web access logs to see what errors occur. You need to make sure your deployment is configured correctly and create a search they can use.
- To verify you are searching for normalized web data, run the following search. You can optimize it by specifying an index and adjusting the time range.
  earliest=-1day index=* tag=web | head 10
- Do one of the following:
  - If you do not receive results, check that you have correctly installed and configured a web data add-on, such as Splunk Add-on for Apache Web Server or Splunk Add-on for Microsoft IIS.
  - If you receive results, run the following search:
    tag=web status>=400 | stats count BY uri_path, status | sort limit=20 -count
The following table explains what each part of this search does. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| tag=web | Search for events that are tagged as web events. |
| status>=400 | Keep only events with a status greater than or equal to 400 (client and server errors). |
| \| stats count BY uri_path, status | Count the number of events and group them by URI path and status. |
| \| sort limit=20 -count | Sort the results with the largest count first and return the top 20. |
You can use this information to troubleshoot production issues for users and identify areas to improve navigation or performance.
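To cross-check the search results against a raw log file outside the Splunk platform, this added example (not part of the original article or of any Splunk add-on) applies the same filter, grouping and sort to constructed Apache combined-format lines. The regular expression, the `top_errors` name and the rule that `uri_path` is the request URI without its query string are assumptions of this example.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "METHOD uri PROTO" status bytes ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})\b'
)

def top_errors(lines, limit=20):
    """Mirror of: status>=400 | stats count BY uri_path, status | sort limit=20 -count"""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            # No parsable request line means no uri_path. In Splunk, stats also
            # leaves out events that are missing a BY field, so skip here too.
            continue
        status = int(m.group("status"))
        if status < 400:
            continue
        uri_path = m.group("uri").split("?", 1)[0]  # path without the query string
        counts[(uri_path, status)] += 1
    # Largest count first; ties ordered by path, then status, for stable output.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(path, status, n) for (path, status), n in ranked[:limit]]

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /cart?id=1 HTTP/1.1" 500 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /cart?id=2 HTTP/1.1" 500 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:42 +0000] "GET /cart HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:50 +0000] "-" 408 - "-" "-"',  # timeout, no request line
]

if __name__ == "__main__":
    for path, status, n in top_errors(SAMPLE):
        print(f"{path:<12} {status}  {n}")
```

The 408 line shows why a Splunk count by `uri_path` can be lower than the raw number of error events: requests that never produced a request line have no path to group on.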
As part of monitoring web application performance, you might also want to chart key application performance metrics.