Skip to main content


Splunk Lantern

Web hosts with HTTP error status codes


Recently, the data from your web server has shown an increase in error codes. You want to determine which hosts are generating the errors so you can resolve the problems.

Data required

Web server data


  1. Ensure you are have deployed a web server add-on to the search heads so that web server data tags and fields are defined. This sample search uses the Splunk Add-on for Apache Web Server, but you can replace this source with any other web server data used in your organization. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=web status>200 
|stats count AS "Bad Status Codes" BY host
|sort - "Bad Status Codes" 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search for events that are tagged as web events.



Search for events with a status of greater than 200.

|stats count AS "Bad Status Codes" BY host

Count the total number of error codes for each host.

|sort - "Bad Status Codes"

Sort the results with the highest count of error codes first.

Next steps

Knowing which hosts generate the highest number of error codes is useful for focus troubleshooting efforts. After running this search, you can drill into each host and sort by most common error codes to further focus the troubleshooting.  

You might be interested in other processes associated with the Managing web server performance use case.