Skip to main content


Splunk Lantern

Application error tracing

You might want to chart key metrics related to application performance when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:

  • Splunk Enterprise or Splunk Cloud Platform
  • Data normalized to the following CIM model: Web


Your application support team wants to use the Splunk platform with web access logs to see what errors occur. You need to make sure your deployment is configured correctly and create a search they can use.

To optimize the search shown below, you should specify an index and a time range. 

  1. To verify you are searching for normalized web data, run the following search: 
    earliest=-1day index=* tag=web
    | head 10
  2. Do one of the following:

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
tag=web Search for events that are tagged as web events.
status>=400 Search for statuses greater than or equal to 400.
| stats count BY uri_path, status Count the number of events and group them by URI and status.
| sort limit=20 -count Sort the top 20 results with the largest count first.


You can also use this information to troubleshoot production issues for users and identify areas to improve navigation or performance.

  • Was this article helpful?