Skip to main content
Splunk Lantern の記事が日本語で利用できるようになりました。.
Splunk Lantern

Distribution of web traffic across servers


In a farm of web servers behind a proxy server, you can reasonably expect near-uniform behavior from each web server. A single server that processes traffic differently than other servers is an indication that something has gone wrong with that server or with the proxy server distributing traffic. You want to monitor your servers for these issues.

Data required

Web server data


  1. Ensure you are have deployed a web server add-on to the search heads so that web server data tags and fields are defined. This sample search uses the Splunk Add-on for Apache Web Server, but you can replace this source with any other web server data used in your organization. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|timechart span=15m count BY host 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search for events that are tagged as web events.

|timechart span=15m count BY host

Graph the count of events for each host, using 15-minute time increments.

Next steps

An even distribution of traffic across hosts is ideal. If one of the lines in the timechart plots much differently than the others, you might have a load balancing problem. A good next step is to understand the load balancing algorithm to help determine why traffic is not balanced. For example, a round-robin algorithm may indicate dropped connections at the network interfaces, while a least connections algorithm would suggest a server being too slow to handle its fair share of the load.

Finally, you might be interested in other processes associated with the Managing web server performance use case.