Splunk Search Query – Apache Webserver Status (HTTP Status Code)

Suppose there are three web servers (www1, www2 and www3) in our environment and we want to know how many times each web server has processed a successful HTTP request (status code 200).

Below is the search query that returns the successful HTTP request events, i.e. status code "200", for all three hosts.

index={value} source={value} host={value} status="200" | stats count(eval(status="200")) as {xyz} by host

Note: Status Code is highlighted within the red box.

Explanation: In this case, the search queries events from the index (main) with the proper source, filtering on hosts (www*) and status (200). We then count the number of successful HTTP requests (status=200) for each host using stats and display the result as HTTP_COUNT_200.

The corresponding statistics table is below (counts of HTTP status code "200" for each web server).

The corresponding graph is below (counts of HTTP status code "200" for each web server).

Additional understanding of events: Web server access log format

<address> - <user> [<time>] "<request>" <status> <response_size> "<referer>" "<user agent>" - <session_id> <duration>

address: This is the IP address of the client (remote host) which made the request to the server
-: The "hyphen" in the output indicates that the requested piece of information is not available
user: The user, if any, making the request. System accesses on behalf of no particular user appear as "-".
time: The time that the request was received
request: The HTTP request made by the client consisting of an action, a URL, and a protocol version
status: The HTTP status returned as part of the response
response_size: The size of the body of the response in bytes
duration: The time it took from the completion of reading the request to completely writing out the response. This value is logged explicitly in milliseconds
referer: The “Referer” HTTP request header. This gives the site that the client reports having been referred from
user agent: The User-Agent HTTP request header. This is the identifying information that the client browser reports about itself
session_id: This represents the session. It can be used to follow a stream of requests from a particular client
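
An added example (not part of the original post): a Python parser for the access log format above that reproduces the per-host count of status 200 events outside Splunk. The sample events, the pairing of each line with a host, and the names parse_line and count_status_by_host are constructed for illustration.

```python
import re
from collections import Counter

# Field order follows the access log format described above.
LOG_RE = re.compile(
    r'(?P<address>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<response_size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" - '
    r'(?P<session_id>\S+) (?P<duration>\d+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # A "-" means the value was not available; normalise it to None.
    for key in ("user", "response_size", "referer"):
        if event[key] == "-":
            event[key] = None
    event["status"] = int(event["status"])
    event["duration"] = int(event["duration"])  # milliseconds
    return event

def count_status_by_host(events, status=200):
    """Same result as filtering on status and running: stats count by host."""
    counts = Counter()
    for host, line in events:
        event = parse_line(line)
        if event is not None and event["status"] == status:
            counts[host] += 1
    return dict(counts)

# Constructed sample events as (host, raw line); addresses are documentation ranges.
SAMPLE = [
    ("www1", '192.0.2.10 - - [18/Mar/2024:10:00:01] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" - SID1001 120'),
    ("www1", '192.0.2.11 - - [18/Mar/2024:10:00:02] "GET /missing HTTP/1.1" 404 210 "-" "curl/8.0" - SID1002 15'),
    ("www2", '198.51.100.7 - alice [18/Mar/2024:10:00:03] "POST /cart HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0" - SID1003 340'),
    ("www2", '198.51.100.7 - alice [18/Mar/2024:10:00:04] "GET /cart HTTP/1.1" 200 2048 "http://example.com/cart" "Mozilla/5.0" - SID1003 95'),
    ("www3", '203.0.113.5 - - [18/Mar/2024:10:00:05] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" - SID1004 110'),
    ("www3", '203.0.113.5 - - [18/Mar/2024:10:00:06] "GET /report HTTP/1.1" 500 - "-" "Mozilla/5.0" - SID1004 2200'),
    ("www3", 'truncated line that does not match the format'),
]

if __name__ == "__main__":
    for host, count in sorted(count_status_by_host(SAMPLE).items()):
        print(host, count)
```

Lines that do not match the format are skipped rather than counted, so a truncated event never inflates a host's total.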
