Skip to main content
 
Splunk Lantern

Most used assets of a web application

 

Your application support team wants to use the Splunk platform with web access logs to see which web assets are used most. You need to make sure your deployment is configured correctly and create a search they can use.

Data required 

Application server data

To complete this process, your deployment needs to ingest normalized data, populating the Web data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

  1. To verify you are searching for normalized web data, run the following search. You can optimize it by specifying an index and adjusting the time range.
    earliest=-1day index=* tag=web
    | head 10
    
  2. Do one of the following:
tag=web  
| stats count BY uri_path, status 
| sort limit=20 -count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
tag=web Search for events that are tagged as web events.
| stats count BY uri_path, status Count the number of events and group them by URI and status.
| sort limit=20 -count Sort the top 20 results with the largest count first.

Next steps

You can use this information to troubleshoot production issues for users and identify areas to improve navigation or performance.

You might need to find out which parts of your application are used most when monitoring web application performance.